Design and Implementation of a Behavior Capture System Supporting Malicious Code Behavior Analysis
Published: 2018-04-07 00:22
Topic: behavior capture   Focus: malicious code   Source: National University of Defense Technology (国防科学技术大学), 2014 master's thesis
[Abstract]: Capturing the behavior of malicious code is the foundation of malicious-code behavior analysis and of improving defenses against it. As malicious-code techniques have developed, the structure of malicious code and its communication activity have become increasingly complex, so traditional behavior-capture techniques struggle to cope with its attacks and damage. How to capture malicious-code behavior more effectively has therefore become a research focus in information security. Behavior capture is concerned with the malicious behavior itself; a comprehensive and accurate description of that behavior should raise both the efficiency and the accuracy of capture. On this basis, this thesis takes the comprehensive description of malicious-code behavior features as its starting point, designs and implements a prototype malicious-code behavior capture system, and aims to support malicious-code behavior analysis. The main work is as follows.

First, related malicious-code techniques are analyzed and studied: starting from the definition of malicious code, the thesis surveys typical malicious behaviors, existing behavior-analysis methods and behavior-capture techniques, laying the groundwork for the design of the capture system.

Second, a multi-dimensional feature method for describing malicious-code behavior is proposed. It characterizes malicious code along several dimensions (behavior time sequence, behavior type, dependency features, and others) and so describes its essential features more effectively. The method is applied to malicious-code detection; tests on example samples show that it reduces the effect of malicious interference and improves the efficiency and accuracy of behavior capture.

Third, a multi-agent scheme for malicious-code behavior capture is proposed. It exploits the autonomy and adaptability of agents to collect state information from the target system in real time, and provides the architectural support for implementing the capture system.

Finally, the prototype malicious-code behavior capture system is designed and implemented. Capture and analysis of representative malicious-code samples, evaluated by the accuracy of malicious-behavior capture and by AUC (area under the ROC curve), shows that the proposed method outperforms an existing average-distance-based malicious-code detection method.
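The abstract names three descriptive dimensions (time sequence, behavior type, dependency features) and an evaluation by capture accuracy and AUC, but gives no detail of either. The following is an added illustration, not code from the thesis: it encodes constructed API-call traces on those three dimensions, scores each trace by its distance to the nearest benign profile (an assumption of this example; it is neither the thesis's detector nor its average-distance baseline), and computes accuracy and AUC from the resulting scores. The category names, the sample traces, the feature encoding and the threshold are all assumptions made for the example.

```python
"""Added illustration (not the thesis's code): encoding captured behaviour
traces on three dimensions, scoring them against benign profiles, and
evaluating the scores with accuracy and AUC."""
from collections import Counter
from itertools import product
import math

# Behaviour categories used as the "type" dimension (assumption of this example).
CATEGORIES = ("file", "registry", "process", "network")
BIGRAMS = list(product(CATEGORIES, repeat=2))

# A captured trace is an ordered list of (api, category, consumed, produced):
# `consumed` is the object the call operates on, `produced` the handle or
# artefact it creates. All traces below are constructed samples, not real data.
BENIGN = [
    [("CreateFile", "file", "report.docx", "h1"),
     ("ReadFile", "file", "h1", None), ("CloseHandle", "file", "h1", None)],
    [("CreateFile", "file", "notes.txt", "h1"),
     ("ReadFile", "file", "h1", None), ("CloseHandle", "file", "h1", None)],
    [("RegOpenKey", "registry", "HKCU\\Software\\App", "k1"),
     ("RegQueryValue", "registry", "k1", None), ("RegCloseKey", "registry", "k1", None)],
    [("RegOpenKey", "registry", "HKCU\\Software\\Other", "k1"),
     ("RegQueryValue", "registry", "k1", None), ("RegCloseKey", "registry", "k1", None)],
]
MALICIOUS = [
    # drop a binary, persist via a Run key, execute the dropped file, call home
    [("CreateFile", "file", "C:\\Temp\\svc.exe", "h1"),
     ("WriteFile", "file", "h1", "C:\\Temp\\svc.exe"),
     ("RegSetValue", "registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", None),
     ("CreateProcess", "process", "C:\\Temp\\svc.exe", "p1"),
     ("connect", "network", "203.0.113.5:443", "s1")],
    # download-and-execute
    [("connect", "network", "198.51.100.7:80", "s1"),
     ("recv", "network", "s1", "buf"),
     ("CreateFile", "file", "C:\\Temp\\dl.exe", "h1"),
     ("WriteFile", "file", "h1", "C:\\Temp\\dl.exe"),
     ("CreateProcess", "process", "C:\\Temp\\dl.exe", "p1")],
]


def extract_features(trace):
    """Three dimensions: `type` = calls per category; `order` = which category
    follows which (bigrams over the sequence); `deps` = calls that consume an
    object produced earlier in the trace, with `cross_deps` counting those that
    cross a category boundary (e.g. a file that is written and then executed)."""
    cats = [c for _, c, _, _ in trace]
    produced = {}  # object -> category of the call that produced it
    deps = cross_deps = 0
    for _, cat, consumed, made in trace:
        if consumed in produced:
            deps += 1
            if produced[consumed] != cat:
                cross_deps += 1
        if made is not None:
            produced[made] = cat
    return {"type": Counter(cats), "order": Counter(zip(cats, cats[1:])),
            "deps": deps, "cross_deps": cross_deps}


def to_vector(features):
    """Flatten the three dimensions into one numeric vector."""
    vec = [features["type"][c] for c in CATEGORIES]
    vec += [features["order"][b] for b in BIGRAMS]
    return vec + [features["deps"], features["cross_deps"]]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def anomaly_score(trace, benign_vectors):
    """Distance to the nearest benign profile (this example's scorer, an
    assumption); higher means less like any known-good behaviour."""
    v = to_vector(extract_features(trace))
    return min(euclid(v, b) for b in benign_vectors)


def auc(scores, labels):
    """AUC as the pairwise ranking statistic: the fraction of (malicious, benign)
    pairs the scorer orders correctly, ties counting one half."""
    pos = [s for s, l in zip(scores, labels) if l == 1]
    neg = [s for s, l in zip(scores, labels) if l == 0]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def evaluate(threshold=1.5):
    """Score every sample (benign ones leave-one-out, so a trace never matches
    its own profile) and return (accuracy at `threshold`, auc)."""
    benign_vecs = [to_vector(extract_features(t)) for t in BENIGN]
    scores, labels = [], []
    for i, t in enumerate(BENIGN):
        scores.append(anomaly_score(t, benign_vecs[:i] + benign_vecs[i + 1:]))
        labels.append(0)
    for t in MALICIOUS:
        scores.append(anomaly_score(t, benign_vecs))
        labels.append(1)
    predicted = [1 if s > threshold else 0 for s in scores]
    accuracy = sum(p == l for p, l in zip(predicted, labels)) / len(labels)
    return accuracy, auc(scores, labels)


if __name__ == "__main__":
    for t in MALICIOUS:
        print(extract_features(t))
    print("accuracy=%.2f auc=%.2f" % evaluate())
```

On these constructed traces the dependency dimension is what separates the two classes most cleanly: the benign traces also chain calls through handles, but only the malicious ones carry a file-to-process dependency (a written file later executed), which the plain category counts would miss. The leave-one-out scoring of benign samples matters for the accuracy figure; scoring a trace against a profile built from itself would report a distance of zero and inflate the result.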
Degree-granting institution: National University of Defense Technology (国防科学技术大学)
Degree level: Master's
Year conferred: 2014
Classification number: TP393.08
Article number: 1719580
Link: https://www.wllwen.com/guanlilunwen/ydhl/1719580.html