
Research on Malicious Code Detection and Evaluation Based on Behavior Analysis

Published: 2018-03-10 05:26

Topic: malicious code  Focus: automatic analysis  Source: Beijing Jiaotong University, 2014 master's thesis  Thesis type: degree thesis


[Abstract]: Following a series of major cyber security incidents that shocked the world, such as Stuxnet and the Flame virus, information security has been elevated to the level of national strategy. Against this background, China also faces a serious threat from malicious network attacks by hostile forces. Among the many threats to information network security, malicious code is undoubtedly the most damaging, and it has become the focus of the network security research field; research on malicious code is being carried out from many directions. This thesis focuses on malicious code behavior analysis technology and threat evaluation.

At present, domestic anti-virus vendors mostly concentrate on developing application-level products and devote relatively little effort to basic technology research; foreign anti-virus vendors have comparatively mature malicious code detection technology, but because commercial interests are involved, little information about it can be obtained through public channels. A survey of several online malicious code analysis sandboxes showed that most services focus on displaying the malicious behaviors and family classification of a sample; their reports are hard to read and lack a threat-degree evaluation, even though malicious code threat-degree evaluation is an important part of information security risk assessment. The research goal of this thesis is therefore to build a malicious code detection platform with an automated analysis process, a robust analysis environment and comprehensive analysis results, which ultimately produces an integrated analysis report covering the functions, behaviors and threat degree of the malicious code.

First, building on a study of the current state of detection technology and evaluation methods, the malicious code itself was studied in depth: virus behaviors were examined and malicious code features were summarized, including file structure, string features, host behavior features (process behavior, registry behavior and file behavior) and network behavior. Next, a threat-degree evaluation model for malicious code based on behavior analysis was established; a method for computing the basic harm value of a malicious behavior based on mutual information was proposed, and, following the idea of the analytic hierarchy process (AHP), the weight of each indicator was calculated from a characteristic matrix. On this basis, an automatic analysis system for behavior-based malicious code detection and evaluation was designed and implemented. The system consists of three main functional modules (data preprocessing, virtual machine execution and comprehensive evaluation) and two data modules (the behavior indicator system and the weight library). Finally, the effectiveness of the automatic analysis system and the soundness of the evaluation system and its implementation method were tested separately, and the results were compared with the analysis reports of several domestic and foreign detection platforms. The experimental results show that the system designed and developed in this thesis achieves the expected goals well.
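The threat-degree model described in the abstract combines two pieces: a basic harm value per behavior indicator derived from mutual information with the malicious/benign label, and per-indicator weights derived from an AHP pairwise comparison (characteristic) matrix, with a consistency check on that matrix. The Python example below is added here and is not code from the thesis or its analysis system; it shows one way to implement that combination. The four indicator names, the eight labelled samples and the pairwise comparison matrix are all constructed for the example, and the scoring formula (weighted sum of harm values over the observed indicators, normalised to 0..100) and the CR ≤ 0.1 gate are this example's assumptions rather than the thesis's exact method.

```python
"""Threat scoring from observed malware behaviours: AHP weights + mutual-information harm values.

Added example; indicator names, samples and the comparison matrix are constructed.
"""
import math

# Behaviour indicators. The thesis groups features into process, registry, file and
# network behaviour; these four indicator names are constructed for the example.
INDICATORS = ["c2_beacon", "process_injection", "autorun_registry", "file_drop"]

# Constructed labelled corpus: (presence vector in INDICATORS order, is_malicious).
LABELLED = [
    ((1, 1, 1, 1), 1),
    ((1, 1, 1, 1), 1),
    ((1, 1, 1, 0), 1),
    ((1, 1, 0, 0), 1),
    ((0, 0, 1, 1), 0),
    ((0, 0, 0, 1), 0),
    ((0, 0, 0, 0), 0),
    ((0, 1, 0, 0), 0),
]

# Constructed AHP pairwise comparison matrix over INDICATORS (Saaty-style ratios):
# entry [i][j] says how much more important indicator i is than indicator j.
PAIRWISE = [
    [1,   2,   4,   4],
    [1/2, 1,   2,   2],
    [1/4, 1/2, 1,   1],
    [1/4, 1/2, 1,   1],
]

# Saaty's random consistency index by matrix order.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def mutual_information(samples, idx):
    """I(X_idx; Y) in bits over the labelled samples; 0*log 0 cells are skipped."""
    n = len(samples)
    joint, px, py = {}, {0: 0, 1: 0}, {0: 0, 1: 0}
    for vec, y in samples:
        x = vec[idx]
        joint[(x, y)] = joint.get((x, y), 0) + 1
        px[x] += 1
        py[y] += 1
    mi = 0.0
    for (x, y), count in joint.items():
        pxy = count / n
        mi += pxy * math.log2(pxy / ((px[x] / n) * (py[y] / n)))
    return mi


def ahp_weights(matrix):
    """Priority vector by the row geometric-mean method, normalised to sum 1."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(matrix, weights):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); lambda_max from A.w / w."""
    n = len(matrix)
    if n <= 2:
        return 0.0
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def build_scorer(samples, pairwise, cr_limit=0.1):
    """Return (score_fn, weights, harm). Rejects an inconsistent comparison matrix."""
    weights = ahp_weights(pairwise)
    cr = consistency_ratio(pairwise, weights)
    if cr > cr_limit:
        raise ValueError(f"pairwise matrix inconsistent: CR={cr:.3f} > {cr_limit}")
    harm = [mutual_information(samples, i) for i in range(len(INDICATORS))]
    max_score = sum(w * h for w, h in zip(weights, harm))

    def score(observed):
        # Threat degree in 0..100: weighted harm of the indicators the sample exhibited,
        # relative to the harm of exhibiting every indicator (assumed formula).
        raw = sum(w * h * x for w, h, x in zip(weights, harm, observed))
        return 100.0 * raw / max_score

    return score, weights, harm


if __name__ == "__main__":
    score, weights, harm = build_scorer(LABELLED, PAIRWISE)
    for name, w, h in zip(INDICATORS, weights, harm):
        print(f"{name:18s} weight={w:.3f} harm(MI bits)={h:.3f}")
    print("sample with only c2_beacon:", round(score((1, 0, 0, 0)), 1))
```

Two properties of the design are worth noting for anyone reproducing the model. An indicator that is equally common in benign and malicious samples (here `file_drop`) gets zero mutual information and therefore contributes nothing to the score regardless of its AHP weight, which is the intended effect of grounding harm values in observed data rather than in expert opinion alone. The consistency-ratio gate catches cyclic or contradictory pairwise judgments (for example "A > B, B > C, C > A") before they are turned into weights; the 0.1 threshold is the usual AHP rule of thumb.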
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master's
[Year of degree]: 2014
[Classification number]: TP393.08





Page link: https://www.wllwen.com/guanlilunwen/ydhl/1591974.html

