System and method for automatically analyzing, detecting and classifying malicious program behavior

Abstract

The invention discloses a system and a method for automatically analyzing, detecting and classifying a malicious program behavior. The system comprises a static analysis module, a sandbox dispatching management module, a sandbox monitoring module, a behavior abstraction module and a detection and classification module. Compared with the prior art, the system has the advantages that 1, the system is based on a behavior monitoring technology in an instruction set simulation environment; and 2, a virtual Internet is established in a sandbox through means of environment configuration, server program modification and the like, and a common network service is simulated, so that operations such as domain name server (DNS) resolution, http access, file download, Email login and mailing initiated by a malicious program can be successfully executed, the malicious program is inveigled to generate a malicious network behavior, the network behaviors are prevented from damaging a host machine and a real network, and the defects that the malicious program network behavior cannot be fully expressed during dynamic behavior analysis of a malicious program and the like are overcome.

Description

technical field [0001] The invention belongs to the related fields of system security and network security, and further relates to a method for automatic analysis of dynamic behavior of malicious programs. The invention is used for establishing dynamic behavior rules of known malicious programs and high-accuracy judgment of dynamic behaviors of unknown malicious programs. Background technique [0002] In the field of malicious program analysis, in order to obtain the behavioral characteristics of malicious programs more accurately, comprehensively and quickly, the dynamic behavior automatic analysis method is adopted. [0003] The University of Electronic Science and Technology of China's patent application "Automated Analysis System and Method for Dynamic Behavior of Malicious Programs" (publication number: CN101154258, application date: 2007.08.14) discloses a method for dynamic analysis of malicious programs. The specific steps of this dynamic analysis include: (1) the i...

AI Technical Summary

Problems solved by technology

[0005] The present invention realizes automatic analysis and accurate classification of malicious programs through a complete set of systematic methods of sandbox monitoring realized by virtualization technology, obtaining static information of malicious programs and capturing malicious program behavior characteristics, malicious program detection and classification based on behavior characteristics, In order to solve the shortcomings of the existing technology, such as the difficulty of feature code extraction, difficulty in dealing with complex malicious programs of packing, polymorphism and deformation technologies, incomplete capture of malicious program behavior, and unclear behavior abstraction and detection and classification methods, etc., the malicious program has been improved. The detection rate and classification accuracy of

Images