利用行為比對分類之加殼病毒偵測

Abstract

有鑑於近年來惡意程式成長速度驚人，而在2009年病毒暴增量更創歷史新高，因此如何讓防毒軟體變得更有效率，是目前資安界最重要的課題之一。 現有的比對技術是利用特徵比對來偵測惡意程式，而這樣的比對方式常常只要病毒加殼或是修改特徵碼就能躲過特徵比對的偵測。因此如何有效的提高惡意程式的比對效率就成了我們的研究目標。 根據Cisco的研究，惡意程式中加殼程式大概佔了70-80%的比例，因此我們針對加殼變種程式提出更有效的偵測方式 – 行為比對。也就是利用病毒行為不變的原理，在病毒產生特殊作用時，加以防範並且提醒使用者電腦已經遭到不明的更改。 我們透過一種稱為Profile的方式，將病毒的行為分類，並且利用數字編號的方法來加速系統的執行。最後則是透過與Virus Total比較的實驗，證明我們的系統能有效的監看惡意程式的行為，並且能防範加殼類的變種病毒。

Anti-malware companies receive thousands of malware samples every day. And the malware increase kept surging in 2009 for historical new high. So, how to let the antivirus program more effective is an important and urgent problem. Traditionally, people detect malware by signature. However, if the malware is packed or the signature is changed, the antivirus program will not be able to find the malware. So we want to provide a new way to solve this problem. By Cisco’s research, 70%-80% malwares are packed. In this thesis, we provide a new way for detecting packed malwares. When a malware does something special to a user’s computer, we can detect the behavior and tell the user this is a suspicious behavior by malware. We propose a scalable clustering approach to identify and group malware samples that exhibit similar behaviors. And we use the number register to let our system be more effective. The result of our extensive experiment shows that our system can find the malware more effective than the existing tools.