Research and Implementation of Malicious Code Detection Based on Affinity Analysis
Published: 2018-05-14 03:25
Topic: malicious code + affinity; Reference: University of Electronic Science and Technology of China (电子科技大学), master's thesis, 2014
【Abstract】: With the continuing spread of the Internet, network security problems grow more serious, and malicious code is among the most serious threats on the Internet. Most antivirus vendors still rely on traditional signature scanning, that is, a detection engine built on the "scanning engine + virus database" architecture. This approach detects known viruses at a very high rate with an extremely low false-positive rate, but it cannot accurately or promptly detect newly emerging malicious code, or variants that use anti-detection techniques such as packing, polymorphism and metamorphism. In addition, the signature database that signature scanning depends on keeps growing over time. This thesis proposes an affinity-based malicious code analysis method that extracts an affinity feature for each family of malicious code and quantifies it with two components: the set of system functions the family calls and the similar code segments its members share (the combined feature is abbreviated MAS). On this basis it proposes a malicious code detection technique based on affinity analysis (MAS detection), designs a MAS detection engine, applies the engine in an intrusion detection system, and designs experiments to verify how the engine performs. The experiments show that affinity-based detection achieves a good detection rate, but its false-positive rate is slightly high and the method needs further improvement.
Because MAS detection extracts only one generic MAS feature per family of malicious code and, borrowing from heuristic detection, decides by a fixed detection threshold, the MAS feature database does not need frequent updates, and detection performance stays relatively stable over time without large fluctuations.
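To make the two-part MAS feature and the threshold decision concrete, here is an added example in Python. It is not code from the thesis (the MAS engine itself is not reproduced on this page). It assumes that the "system function set" can be approximated by a sample's import names and the "similar code segments" by opcode 3-grams, scores a candidate by how much of the family feature it contains rather than by Jaccard similarity, and fixes the weights (0.4/0.6) and thresholds as assumptions of the example. The three family samples and six labelled test samples are constructed for illustration.

```python
"""Toy MAS-style affinity matcher (added example, not the thesis's code).

A family feature has two parts, as in the abstract: the system functions
(imports) shared by the family's samples, and the code fragments they share,
approximated here by opcode 3-grams. A candidate is scored by how much of
that generic feature it contains and is flagged when the score reaches a
fixed threshold. All sample data below is constructed for illustration.
"""
from collections import Counter


def opcode_ngrams(opcodes, n=3):
    """Set of overlapping n-grams over an opcode sequence (stand-in for
    'similar code segments'; real work would use normalised disassembly)."""
    return {tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)}


def build_family_feature(samples, n=3, min_support=1.0):
    """One generic feature per family: keep every API and every n-gram that
    occurs in at least min_support of the family's samples (1.0 = all)."""
    api_counts, gram_counts = Counter(), Counter()
    for apis, ops in samples:
        api_counts.update(set(apis))
        gram_counts.update(opcode_ngrams(ops, n))
    need = min_support * len(samples)
    return {
        "apis": frozenset(a for a, c in api_counts.items() if c >= need),
        "grams": frozenset(g for g, c in gram_counts.items() if c >= need),
    }


def containment(feature_part, sample_part):
    """Fraction of the family feature present in the sample. Containment,
    not Jaccard: a real sample carries far more than the generic feature and
    must not be penalised for its extra APIs and code."""
    if not feature_part:
        return 0.0
    return len(feature_part & sample_part) / len(feature_part)


def affinity_score(feature, apis, opcodes, n=3, w_api=0.4, w_code=0.6):
    """Weighted affinity in [0, 1]; the weights are an assumption here."""
    s_api = containment(feature["apis"], frozenset(apis))
    s_code = containment(feature["grams"], opcode_ngrams(opcodes, n))
    return w_api * s_api + w_code * s_code


def is_match(feature, apis, opcodes, threshold=0.6):
    """Heuristic-style decision: flag when the score reaches the threshold."""
    return affinity_score(feature, apis, opcodes) >= threshold


def evaluate(feature, labelled, threshold):
    """Return (detected, malicious_total, false_positives, benign_total)
    for a labelled list of (label, apis, opcodes)."""
    detected = fp = n_mal = n_ben = 0
    for label, apis, ops in labelled:
        hit = is_match(feature, apis, ops, threshold)
        if label == "malicious":
            n_mal += 1
            detected += hit
        else:
            n_ben += 1
            fp += hit
    return detected, n_mal, fp, n_ben


# Constructed family of three process-injection samples: (import set, opcodes).
FAMILY_SAMPLES = [
    ({"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "GetProcAddress"},
     ["push", "push", "call", "mov", "test", "jz", "push", "call", "mov", "xor", "ret"]),
    ({"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "LoadLibraryA"},
     ["push", "push", "call", "mov", "test", "jz", "push", "call", "add", "xor", "ret"]),
    ({"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "GetProcAddress", "Sleep"},
     ["push", "push", "call", "mov", "test", "jz", "nop", "push", "call", "mov", "xor", "ret"]),
]
FEATURE = build_family_feature(FAMILY_SAMPLES)

# Constructed labelled test set: (label, import set, opcodes).
TEST_SET = [
    ("malicious", {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "InternetOpenA"},
     ["push", "push", "call", "mov", "test", "jz", "jmp", "push", "call", "mov", "xor", "ret"]),
    ("malicious", {"OpenProcess", "NtAllocateVirtualMemory", "WriteProcessMemory", "CreateRemoteThread"},
     ["push", "push", "call", "mov", "test", "jnz", "push", "call", "mov", "xor", "ret"]),
    ("malicious", {"OpenProcess", "WriteProcessMemory", "GetProcAddress", "LoadLibraryA"},  # resolves the rest at run time
     ["mov", "push", "call", "nop", "mov", "cmp", "jne", "ret"]),
    ("benign", {"CreateFileW", "ReadFile", "WriteFile", "CloseHandle"},
     ["push", "call", "mov", "test", "jz", "mov", "call", "ret"]),
    ("benign", {"OpenProcess", "ReadProcessMemory", "VirtualAllocEx", "CloseHandle"},  # debugger-like tool
     ["push", "push", "call", "mov", "test", "jz", "mov", "call", "ret"]),
    ("benign", {"MessageBoxW", "GetModuleHandleW"},
     ["push", "push", "push", "push", "call", "xor", "ret"]),
]

if __name__ == "__main__":
    print("family APIs:", sorted(FEATURE["apis"]))
    print("family code 3-grams:", sorted(FEATURE["grams"]))
    for label, apis, ops in TEST_SET:
        print(f"{label:9s} score={affinity_score(FEATURE, apis, ops):.2f}")
    for t in (0.4, 0.6, 0.85):
        d, nm, fp, nb = evaluate(FEATURE, TEST_SET, t)
        print(f"threshold {t:.2f}: detected {d}/{nm}, false positives {fp}/{nb}")
```

Running the script shows the trade-off the abstract reports. The family feature reduces to four injection APIs and four shared 3-grams. At threshold 0.6 two of the three variants are caught (the one that swaps VirtualAllocEx for NtAllocateVirtualMemory and flips a branch still scores 0.75), but the debugger-like benign tool scores 0.8 and is flagged: its dual-use APIs and its generic function prologue match the feature, which is exactly the kind of false positive a single generic feature per family invites. Raising the threshold to 0.85 removes that false positive at the cost of the partially rewritten variant, and the variant that imports only GetProcAddress and LoadLibraryA and resolves the rest at run time scores 0.2 under every threshold, illustrating why packed or dynamically resolving samples still need unpacking or behavioural data before static affinity matching can see them.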
【Degree-granting institution】: University of Electronic Science and Technology of China (电子科技大学)
【Degree level】: Master
【Year awarded】: 2014
【Classification number】: TP393.08
【References】
Related journal articles (first 9)
1. 崔鹏. Research on a semantics-based heuristic virus detection engine [J]. 常熟理工学院学报, 2008(10).
2. 陈娟英, 范明钰, 王光卫. An affinity-based malicious code analysis method [J]. 信息安全与技术, 2014(01).
3. 张小康, 帅建梅, 史林. A malicious code detection method based on weighted information gain [J]. 计算机工程, 2010(06).
4. 韩兰胜, 邹梦松, 刘其文, 刘铭. Virus behaviour detection using multi-class support vector machines [J]. 计算机应用, 2010(01).
5. 吴丹飞, 王春刚, 郝兴伟. Research on metamorphic techniques of malicious code [J]. 计算机应用与软件, 2012(03).
6. 姜晓新, 段海新. A detection rule for packed PE files [J]. 计算机工程, 2010(14).
7. 沈承东, 宋波敏. Research on malicious code detection techniques [J]. 网络安全技术与应用, 2012(04).
8. 金然, 魏强, 王清贤. Detecting metamorphic malicious code by abstract features [J]. 小型微型计算机系统, 2009(02).
9. 袁慎芳. Analysis techniques for malicious code [J]. 科技创新导报, 2012(03).
Related master's theses (first 1)
1. 张海鹏. Behaviour analysis of malicious code [D]. 南京邮电大学, 2013.
Article ID: 1886136
Link: https://www.wllwen.com/guanlilunwen/ydhl/1886136.html