2011-基于行为分析和特征码的恶意代码检测技术.pdfVIP

第28卷第 3期 计 算 机 应 用 研 究 Vo.l 28 No. 3 2011年 3月 ApplicationResearch of Computers M ar. 2011 * 1, 2 3 1 3 , , , ( 1. 清华大学计算机科学与技术系, 北京 100084; 2. 78155部队, 成都 610036; 3. 电子科技大学计算机科学与 工程学院, 成都 611731) : 提出一种新的恶意代码检测技术, 能自动检测和遏制(未知) 恶意代码, 并实现了原型系统首先用支 持向量机对恶意代码样本的行为构造分类器, 来判断样本是否是恶意代码, 同时对恶意代码提取出特征码运 行在主机的代理利用特征码识别恶意代码并阻断运行为了精确分析程序行为, 将程序放入虚拟机运行实验 结果表明, 相对于朴素贝叶斯和决策树, 系统误报率和漏报率均较低, 同时分布式的系统架构加快了遏制速度 : 恶意代码; 行为分析; 特征码; 虚拟机 : P3095 : A : 2011) doi: 10. 3969 /j. issn. 2011. 03. 094 echnique of detecting malicious executables via behavioral and binary signatures 1, 2 3 1 3 LIHua , LIU Zhi , Q IN Zheng , ZHANG X iaosong ( 1. Dep t. of Computer Science Technology, Tsinghua University, B eij ing 100084, Ch ina; 2. Unit 78155 of P A, Chengdu 610036, Ch ina; 3. Colleg e of Computer Science Eng ineering, University of E lectronic Science Technology of Ch ina, Chengdu 611731, Ch ina) Ab stract: his paper proposed a new approach thatcould effectively detect and restrict ( unknown) mawl are, and mi plemented a prototype system. First, used support vectormachine to build classifier, which could judge whether a program w asmalicious or not, and extracted themawl are! s signature. Agents running in hostcould detectmawl are and stop its execution. o analyze precise behaviors, put samples in virtualmachines for executions. Expermi ent results show comparedw ith naive Bayes and decision tree, our system yields low false positives aswell false negatives, and the distributed architecture accelerates restriction.