Research and Implementation of Classification-Based Unknown Virus Detection Technology
Abstract
In this age of information explosion, the Internet brings people a wealth of information, offering convenience while also driving economic development. But many illegal organizations and individuals spread computer viruses to steal information and profit from it, posing a serious threat to information and network security. As network technology develops, computer viruses spread faster, new viruses keep appearing, and their harm grows, so virus research has gradually become a focus of attention.
     Signature scanning is currently the main method of computer virus detection. It maintains a database of signatures that uniquely identify each virus and, when checking a file, scans it for a code segment that matches a signature, thereby finding virus files. This method has a serious shortcoming: it can only detect known viruses and is powerless against newly appearing ones, while many viruses also use instruction-evolution techniques to mutate and evade recognition by anti-virus software. To address the detection of new and mutated viruses, this thesis applies the classification methods of data mining to unknown virus detection, analysing the static structural features and behavioral features of viruses, how to extract feature vectors, and the data classification algorithms. The method identifies unknown viruses on the basis of the similarity among virus variants and their difference from normal programs, and it is extensible.
     The classification-based unknown virus detection method proposed in this thesis can detect variants of known viruses and is also able to learn new, unknown viruses. Compared with signature scanning, the model spares anti-virus analysts much repetitive analysis work, does not require frequent updates of the virus signature database, and is easier to maintain and upgrade. Experiments show that the method effectively identifies unknown viruses and that the system design is feasible.
In the era of information explosion, the Internet brings people rich information. It provides convenience and promotes economic development. But many illegal organizations or individuals steal information for benefit through the dissemination of viruses, which brings risks to network security. With the development of network technology, viruses spread faster and diversify further. Virus research is now a hotspot of computer security technology.
     Signature scanning is the most important way to detect computer viruses. The basic idea of signature scanning is to find a known virus's signature and add it to the virus signature database. The scanning process then checks for the presence of virus signatures in the PE file. But this method can only detect known viruses and becomes powerless when dealing with new viruses. At the same time, many viruses use instruction deformation techniques to evade identification by anti-virus software. To solve this problem, this paper takes a data mining classification method to detect unknown viruses; it also discusses the static structural and behavioral characteristics of viruses and how to extract feature vector data. The method classifies PE files by their differences, and it is scalable.
     The detection method in this paper can identify new viruses and performs well on virus variants. Relative to signature scanning, the model eliminates much repetitive analysis work. It does not need frequent updates of the virus signature database either. All it needs is an update of the system detection rules at the appropriate time, and then the new viruses can be detected. Experimental results show that this method can effectively identify unknown viruses, and that the system design and implementation are feasible.
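As an added toy illustration of the argument made in both versions of the abstract (this is not code from the thesis), the following Python compares a signature scanner with a nearest-neighbour classifier over byte 2-gram feature vectors: a constructed virus variant whose prologue was rewritten evades the signature but is still grouped with its family, while an unseen benign program is grouped with the benign samples. The samples, the signature, and the compiler-stub/virus-body structure are all assumptions built for the example, not real PE files.

```python
# Added toy illustration of the abstract's argument; not code from the thesis.
# A signature scanner only matches a byte pattern it already knows, so a
# variant with a rewritten prologue slips past it, while a classifier trained
# on feature vectors of the family and of benign programs still flags it.
# All "programs" below are constructed byte strings, not real PE files.
import math
from collections import Counter

# Constructed signature database: the exact bytes the scanner knows.
SIGNATURE_DB = {"toy_family": b"\xe8\x00\x00\x00\x00\x5b\x81\xeb"}

def signature_scan(sample: bytes) -> bool:
    """Signature scanning: flag the file only if a known pattern occurs in it."""
    return any(sig in sample for sig in SIGNATURE_DB.values())

def feature_vector(sample: bytes) -> Counter:
    """Static feature vector: relative frequency of each byte 2-gram."""
    grams = Counter(sample[i:i + 2] for i in range(len(sample) - 1))
    total = sum(grams.values()) or 1
    return Counter({g: c / total for g, c in grams.items()})

def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two sparse feature vectors."""
    dot = sum(v * b[k] for k, v in a.items())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0

def classify(sample: bytes, training: list) -> str:
    """1-nearest-neighbour over feature vectors; training = [(bytes, label)]."""
    fv = feature_vector(sample)
    best = max(training, key=lambda item: cosine(fv, feature_vector(item[0])))
    return best[1]

# Constructed samples. Benign programs share a compiler stub; the virus family
# shares its body, while the variant's prologue uses different registers, so
# the known signature no longer matches it byte for byte.
COMPILER_STUB = b"MZ" + b"This program cannot be run in DOS mode.\r\n"
BENIGN_A = COMPILER_STUB + b"Hello, world! " * 6
BENIGN_B = COMPILER_STUB + b"Copyright (c) example corp\x00" * 4
UNSEEN_BENIGN = COMPILER_STUB + b"Usage: tool [options]\n" * 5
VIRUS_BODY = bytes(range(0x40, 0x80)) * 2
KNOWN_VIRUS = SIGNATURE_DB["toy_family"] + VIRUS_BODY
VARIANT = b"\xe8\x00\x00\x00\x00\x5e\x81\xee" + VIRUS_BODY
TRAINING = [(KNOWN_VIRUS, "virus"), (BENIGN_A, "benign"), (BENIGN_B, "benign")]

def compare(sample: bytes) -> tuple:
    """Returns (signature hit?, classifier label) for one sample."""
    return signature_scan(sample), classify(sample, TRAINING)

if __name__ == "__main__":
    for name, s in [("known", KNOWN_VIRUS), ("variant", VARIANT), ("unseen benign", UNSEEN_BENIGN)]:
        print(name, compare(s))
```

The variant yields `(False, "virus")`: the signature misses it, the classifier does not, which is the gap the thesis sets out to close.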