Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception

Abstract

The invention discloses a dynamic malicious software detection method based on a virtual machine and sensitive Native application programming interface (API) calling perception. The method consists of three parts, namely a Xen secondary development-based analysis and detection environment, a monitoring control program, and a training learning and detection program of a malicious software classifier. A detection model is divided into a training stage and a detection stage, wherein the training stage comprises the following steps of: executing a sample set file in a clean analysis environment for fixed length time, acquiring Native API calling frequencies of process behavior, privilege behavior, memory behavior, registry behavior, file behavior and network behavior of the sample set file, and training the classifier by using the data; and the detection stage comprises the following steps of: executing files to be checked, counting the Native API calling frequencies of six sensitive behaviors in the fixed length time, and classifying the detected files by using the trained classifier to obtain classification results which are malicious software or normal files. The method is still effective for the malicious software with anti-virtual, anti-debugging and anti-tracking capabilities.

Description

technical field [0001] The invention relates to a malicious software detection method in information security, which can detect known and unknown malicious software after being trained by a limited training set. Background technique [0002] According to the monitoring data of Kingsoft Internet Security Global Anti-Virus Monitoring Center, as of June 30, 2008, in the first half of 2008, Kingsoft Antivirus intercepted 1,242,244 new viruses and Trojan horses, an increase of 338% compared with the total number of viruses and Trojan horses in 2007. . The number of computer malicious software has increased sharply, its transmission channels are diversified, and its ability to resist anti-virus software is strong. Computer malicious software has become the biggest security threat to the Internet and the majority of computer users. [0003] Traditional malware detection is mainly based on signature scanning detection technology. It uses characteristic byte sequences (such as stri...

AI Technical Summary

Problems solved by technology

[0005] First, the static detection method has fast detection speed, low false alarm rate and false alarm rate, but is easily affected by evasion techniques such as polymorphism, deformation, confusion, and packing.

The binary code and disassembled code of the packed malware have changed a lot, and the features used to detect it have also changed, which makes the detection accuracy drop. If the malware is detected after unpacking , the detection time of each file will be lengthened, and under the influence of anti-packing technology, general-purpose unpacking software cannot automatically unpack all malicious software.

Malware that uses polymorphism and deformation technology dynamically and randomly changes the binary code every time it spreads, and has no fixed characteristics. Static detection methods are difficult to detect this kind of mal

Images