Malicious code detection model based on behavior association

Malicious applications are deployed against users and services to gain financial reward, individuals' sensitive information, company and government intellectual property, and remote control of systems. Traditional methods of malicious code detection, such as signature detection, behavior detection, virtual machine detection, and heuristic detection, each have weaknesses that make them unreliable on their own. This paper surveys the existing technologies of malicious code detection and proposes a malicious code detection model based on behavior association. The behavior points of the malicious code are first extracted through API monitoring technology and assembled into behaviors; relations between behaviors are then established according to data dependence. Next, a behavior association model is built and a discrimination method based on a pushdown automaton is put forward. Finally, actual malicious code is taken as a sample for an experiment in behavior capture, association and discrimination, showing that the theoretical model is viable.
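The pipeline the abstract describes (API calls are captured, grouped into behaviors by the handles they share, associated by data dependence, and then discriminated by a pushdown automaton) is shown below as an added illustration. It is not the paper's code: the Win32 API names are real, but the traces, the handle values "h1"/"k1", the behavior labels DROP_FILE and SET_AUTORUN, and the automaton's states are constructed for this example.

```python
"""Added illustration of behaviour association: hooked API calls -> data
dependence -> behaviours -> pushdown-automaton discrimination.
Not the paper's implementation; traces and labels are constructed."""
from collections import defaultdict

# Constructed trace (not real telemetry): a dropper writes a PE to disk, then
# registers that path under the Run key. "h1"/"k1" stand in for handle values.
DROPPER_TRACE = [
    {"api": "CreateFileW",    "args": ["C:\\Users\\u\\AppData\\svc.exe"], "ret": "h1"},
    {"api": "WriteFile",      "args": ["h1", "<PE bytes>"],                "ret": True},
    {"api": "CloseHandle",    "args": ["h1"],                              "ret": True},
    {"api": "RegOpenKeyExW",  "args": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"], "ret": "k1"},
    {"api": "RegSetValueExW", "args": ["k1", "svc", "C:\\Users\\u\\AppData\\svc.exe"], "ret": True},
    {"api": "RegCloseKey",    "args": ["k1"],                              "ret": True},
]

# Same two behaviours, but the autorun value does not name the written file:
# the behaviours occur yet are not associated, so nothing should be flagged.
BENIGN_TRACE = [
    {"api": "CreateFileW",    "args": ["C:\\Users\\u\\notes.txt"], "ret": "h1"},
    {"api": "WriteFile",      "args": ["h1", "hello"],             "ret": True},
    {"api": "CloseHandle",    "args": ["h1"],                      "ret": True},
    {"api": "RegOpenKeyExW",  "args": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"], "ret": "k1"},
    {"api": "RegSetValueExW", "args": ["k1", "OneDrive", "C:\\Program Files\\OneDrive\\OneDrive.exe"], "ret": True},
    {"api": "RegCloseKey",    "args": ["k1"],                      "ret": True},
]


def data_dependencies(trace):
    """Edge i -> j when call j consumes a value produced by an earlier call i:
    its return value (handle flow) or one of its string arguments (data flow,
    e.g. a path that reappears as a registry value)."""
    deps = defaultdict(list)
    for j, cj in enumerate(trace):
        for i in range(j):
            produced = {trace[i]["ret"]} | set(trace[i]["args"])
            if any(a in produced for a in cj["args"]):
                deps[i].append(j)
    return dict(deps)


def behaviours(trace):
    """A behaviour is a chain of calls glued together by handle flow: a call
    joins the behaviour of the earlier call whose return value it uses."""
    owner, groups = {}, []
    for j, cj in enumerate(trace):
        src = next((i for i in range(j) if trace[i]["ret"] in cj["args"]), None)
        bid = owner[src] if src is not None else len(groups)
        if src is None:
            groups.append([])
        groups[bid].append(j)
        owner[j] = bid
    return groups


def label(trace, group):
    """Name a behaviour and the data item it exposes for association."""
    apis = {trace[i]["api"] for i in group}
    first = trace[group[0]]
    if {"CreateFileW", "WriteFile"} <= apis:
        return "DROP_FILE", first["args"][0]
    if {"RegOpenKeyExW", "RegSetValueExW"} <= apis and first["args"][0].endswith("\\Run"):
        setv = next(trace[i] for i in group if trace[i]["api"] == "RegSetValueExW")
        return "SET_AUTORUN", setv["args"][2]
    return "OTHER", None


def associations(trace):
    """Behaviour-level edges: DROP_FILE -> SET_AUTORUN when the autorun value
    is the dropped path (data dependence lifted from calls to behaviours)."""
    labelled = [label(trace, g) for g in behaviours(trace)]
    return [(a, b) for a, pa in labelled for b, pb in labelled
            if a == "DROP_FILE" and b == "SET_AUTORUN" and pa == pb]


def discriminate(trace):
    """Pushdown automaton over the call stream. The stack is the pushdown part:
    it holds the handles currently open, so properly nested open/use/close
    lifetimes of any depth are checked (not a regular property). Finite
    control: start -> file_dropped (a written file handle was closed) ->
    malicious (an autorun value names a dropped path). Using or closing a
    handle that is not the innermost open one rejects the trace as malformed."""
    stack, state = [], "start"
    path_of, written, dropped = {}, set(), set()   # per-trace bookkeeping
    for c in trace:
        api, args = c["api"], c["args"]
        if api in ("CreateFileW", "RegOpenKeyExW"):
            stack.append(c["ret"])
            path_of[c["ret"]] = args[0]
        elif api in ("WriteFile", "RegSetValueExW"):
            if not stack or stack[-1] != args[0]:
                return "reject"
            if api == "WriteFile":
                written.add(args[0])
            elif state == "file_dropped" and path_of[args[0]].endswith("\\Run") and args[2] in dropped:
                state = "malicious"
        elif api in ("CloseHandle", "RegCloseKey"):
            if not stack or stack.pop() != args[0]:
                return "reject"
            if args[0] in written:
                dropped.add(path_of[args[0]])
                if state == "start":
                    state = "file_dropped"
    return state if not stack else "reject"


if __name__ == "__main__":
    for name, t in (("dropper", DROPPER_TRACE), ("benign", BENIGN_TRACE)):
        print(name, behaviours(t), associations(t), discriminate(t))
```

The point of the two traces is that neither behavior is malicious in isolation: writing a file and setting a Run value are both routine. It is the data dependence between them (the written path reappearing as the autorun value) that the association model turns into a verdict, and the stack in `discriminate` is what lets the automaton keep the file and registry lifetimes apart no matter how they nest. A production hook layer would have to canonicalize paths and handle values before this comparison, which the toy above skips.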
