基于行为分析和特征码的计算机病毒检测技术

发布时间：2018-03-27 22:18

本文选题：计算机病毒　切入点：病毒特征码　出处：《南京邮电大学》2017年硕士论文

【摘要】：随着计算机技术的发展和普及,计算机病毒带来的危害日趋严重。为了对抗病毒的威胁,反病毒技术应运而生。基于特征码扫描的静态检测是当前使用最广泛的检测已知病毒的反病毒技术,该技术对已知病毒的检测效果较好,但无法检测到未知病毒,且发现和判定病毒的时间周期过长。基于行为检测的动态检测技术,可以检测到未知计算机病毒,但是该技术存在高误报率和高漏报率的缺陷。本文在特征码扫描技术与行为检测技术的基础上,研究并设计了一个基于行为分析和特征码的计算机病毒检测系统。该系统相比于之前的系统具有高检测率、低误报率等优点。本文的创新工作主要包括以下几个方面:1.在病毒程序的特征码提取研究中,提出了变长N-Gram特征码提取的改进算法。利用特征有向选择,提取有效特征以构建病毒特征库。将待测样本程序转化为十六进制格式,提取样本程序的特征,将其与病毒特征库进行匹配分析,借助N-Gram统计语言模型,提取出最能代表该样本程序的特征码。实验结果表明,与其他特征码提取算法相比,本文提出的方法具有高准确率、低误报率的优势。2.在特征码检测研究中,引入特征码扫描技术。通过网站收集病毒程序与合法程序作为测试数据,对样本程序的特征码进行测试评估。将样本程序与病毒特征码库进行匹配检测样本程序是否为计算机病毒。实验结果表明,与其他检测算法相比,本文提出的方法具有较高的检出率和较低的误报率。3.在病毒行为分析研究中,设计并实现了样本行为自动分析功能。通过分析病毒的行为划分恶意行为,在恶意行为所调用的API函数入口处设置断点。在虚拟机中运行并监控样本程序,利用自定义函数记录API函数相关信息。根据API调用信息与病毒程序的恶意行为之间的联系,分析样本程序的动态行为,初步判断样本程序是否为计算机病毒。实验结果表明,样本行为自动分析与其他杀毒软件相比较,具有较高的检出率。
[Abstract]:With the development and popularization of computer technology, the harm brought by computer virus is becoming more and more serious. Anti-virus technology emerges as the times require. Static detection based on signature scanning is the most widely used anti-virus technology to detect known viruses, which has a good effect on the detection of known viruses, but can not detect unknown viruses. And the time period for detecting and judging viruses is too long. Based on the dynamic detection technology of behavior detection, unknown computer viruses can be detected. However, this technique has the defects of high false alarm rate and high false alarm rate. A computer virus detection system based on behavior analysis and signature is studied and designed. The innovation work of this paper mainly includes the following aspects: 1. In the study of signature extraction of virus program, an improved algorithm of variable length N-Gram signature extraction is proposed. In order to construct the virus signature library, we can transform the sample program to hexadecimal format, extract the feature of the sample program, match it with the virus signature library, and make use of the N-Gram statistical language model. The experimental results show that the proposed method has the advantages of high accuracy and low false alarm rate compared with other signature extraction algorithms. Introduction of signature scanning technology. Collection of virus programs and legal procedures through the website as test data, The characteristic code of the sample program is tested and evaluated. The sample program is matched with the virus signature library to detect whether the sample program is a computer virus. The experimental results show that, compared with other detection algorithms, The method proposed in this paper has higher detection rate and lower false alarm rate. 3. In the research of virus behavior analysis, the automatic analysis function of sample behavior is designed and realized. Set breakpoint at the entrance of API function called by malicious act. Run and monitor sample program in virtual machine, record relevant information of API function with custom function. According to the relation between API call information and malicious behavior of virus program, The dynamic behavior of the sample program is analyzed and whether the sample program is a computer virus is preliminarily judged. The experimental results show that the automatic analysis of sample behavior has a higher detection rate than other antivirus software.
【学位授予单位】：南京邮电大学
【学位级别】：硕士
【学位授予年份】：2017
【分类号】：TP309.5

【参考文献】