Research and Implementation of a Malicious Code Detection System Based on Behaviour Analysis
Published: 2018-03-19 10:43
Topic: malicious code   Entry point: multi-path execution   Source: Nanchang University, 2014 master's thesis   Thesis type: degree thesis
[Abstract]: With the rapid growth of the Internet and the spread of information technology into everyday life, people depend more and more on the convenience and speed the Internet provides. At the same time, malicious code keeps developing and growing. Driven by profit, an underground (black) industry chain has emerged, and it has greatly accelerated the rate at which malicious code is produced and spread. Detecting malicious code is therefore of real value.

Current behaviour-analysis techniques for malicious code still have many shortcomings; this thesis focuses on two of them. First, the multi-path execution method used in dynamic analysis achieves low path coverage in practice, which leads to malicious code being missed (false negatives). Second, earlier work on feature representation and extraction based on system calls treats each single system call as a feature; this representation ignores the order relation between adjacent system calls, yet the order in which adjacent calls occur is useful for judging behaviour.

To address these two shortcomings, the main work of this thesis is as follows:
(1) A multi-path execution method based on high statement coverage is proposed, in order to raise path coverage.
(2) A partially ordered feature representation and extraction method for system calls is proposed, which emphasises the order relation between adjacent system calls.
(3) The principles of the support vector machine (SVM) and its application to malicious code detection are studied.
(4) The design and a preliminary implementation of a malicious code detection system based on behaviour analysis are completed, and the effectiveness of the above methods is verified experimentally.
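The following is an added example, not code from the thesis, illustrating points (2) and (3) of the abstract: it compares the "single system call as a feature" representation with one that also keeps the order of adjacent calls, and shows that two constructed traces containing the same calls in a different order are indistinguishable under the first representation but separable under the second. The ordered representation used here (single-call counts plus ordered adjacent-pair counts) is one concrete way of keeping adjacency order; it is an assumption, not the thesis's own "partially ordered" encoding. The classifier is a perceptron standing in for the SVM so that the example runs with no third-party packages; an SVM is trained on exactly the same feature vectors. The system-call names and traces are constructed for the example.

```python
"""Added example (not from the thesis): does keeping the order of adjacent
system calls change what a linear classifier can learn from a trace?"""
from collections import Counter

# Constructed traces, not real samples. Calls are abstract names. The malicious
# motif is "read a local file, then open a connection and send"; the benign
# motif is "connect and send a request first, then work on local files".
MALICIOUS = [
    ["open", "read", "close", "connect", "send"],
    ["open", "read", "read", "close", "connect", "send", "send"],
    ["open", "read", "close", "open", "read", "close", "connect", "send"],
    ["connect", "open", "read", "close", "send"],
]
BENIGN = [
    ["connect", "send", "open", "read", "close"],                  # same calls as MALICIOUS[0]
    ["connect", "send", "send", "open", "read", "read", "close"],  # same calls as MALICIOUS[1]
    ["connect", "send", "close", "open", "read", "close"],
    ["connect", "send", "open", "write", "close"],
]


def single_call_features(trace):
    """Each system call is a feature on its own; adjacency is discarded."""
    return Counter(trace)


def ordered_features(trace):
    """Single-call counts plus ordered (previous, next) pairs of adjacent calls
    (assumed encoding; ('read', 'close') and ('close', 'read') are distinct)."""
    feats = Counter(trace)
    feats.update(zip(trace, trace[1:]))
    return feats


def build_vocabulary(feature_counters):
    """Fixed, sorted feature index so every trace maps to the same vector layout."""
    keys = set()
    for c in feature_counters:
        keys.update(c)
    return {k: i for i, k in enumerate(sorted(keys, key=str))}


def vectorize(counter, vocab):
    """Dense count vector; features unseen during training are dropped."""
    vec = [0.0] * len(vocab)
    for k, n in counter.items():
        if k in vocab:
            vec[vocab[k]] += n
    return vec


def train_perceptron(X, y, max_epochs=1000):
    """Mistake-driven linear classifier (stand-in for the SVM).
    Returns (w, b, converged); converged is True only after an epoch with no
    mistakes, which can only happen if the vectors are linearly separable."""
    w = [0.0] * len(X[0])
    b = 0.0
    for _ in range(max_epochs):
        mistakes = 0
        for xi, yi in zip(X, y):
            if yi * (sum(wj * xj for wj, xj in zip(w, xi)) + b) <= 0:
                w = [wj + yi * xj for wj, xj in zip(w, xi)]
                b += yi
                mistakes += 1
        if mistakes == 0:
            return w, b, True
    return w, b, False


def predict(w, b, x):
    """+1 = malicious, -1 = benign."""
    return 1 if sum(wj * xj for wj, xj in zip(w, x)) + b > 0 else -1


def run_experiment(extract):
    """Train on the constructed traces with the given feature extractor.
    Returns (converged, training_accuracy)."""
    traces = MALICIOUS + BENIGN
    labels = [1] * len(MALICIOUS) + [-1] * len(BENIGN)
    counters = [extract(t) for t in traces]
    vocab = build_vocabulary(counters)
    X = [vectorize(c, vocab) for c in counters]
    w, b, converged = train_perceptron(X, labels)
    correct = sum(predict(w, b, x) == yl for x, yl in zip(X, labels))
    return converged, correct / len(labels)


if __name__ == "__main__":
    for name, fn in [("single calls", single_call_features),
                     ("single calls + ordered pairs", ordered_features)]:
        print(name, run_experiment(fn))
```

With single-call counts, MALICIOUS[0] and BENIGN[0] (and likewise the second pair) produce identical vectors with opposite labels, so no classifier of any kind can fit the training set and the perceptron never reaches a mistake-free epoch. With the ordered-pair features the pair ("close", "connect") appears only in malicious traces and ("send", "open") only in benign ones, the set becomes linearly separable, and training converges with every trace classified correctly.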
[Degree-granting institution]: Nanchang University
[Degree level]: Master
[Year awarded]: 2014
[Classification number]: TP393.08
Article number: 1633921
Link: https://www.wllwen.com/guanlilunwen/ydhl/1633921.html