Abstract
As network and application technology keep developing, the problem of malicious code has become increasingly prominent. Most current anti-virus measures rely on traditional signature-based scanning technology, organized as a "scanning engine + virus database". Although this structure detects known viruses relatively accurately, it cannot detect newly emerging malicious code accurately or in time. This paper proposes an affinity-based malicious code analysis method that characterizes a class of malicious code along three dimensions: its set of system functions, its behavioral features, and its similar-code features. The aim is to reduce the size of the signature database and to detect unknown malicious code quickly, in particular malicious code variants. Experimental results show that the proposed method achieves good detection results.
With the development of IT technology, malicious code is becoming an increasingly prominent problem. Currently most antivirus vendors adopt traditional signature-based scanning technology and use a "scanning engine + virus database" structure. This approach is relatively accurate for known viruses, but neither accurate nor timely for new malicious code. This paper presents a malicious code analysis method based on affinity, which uses system functions, behavioral characteristics and similar code to characterize a class of malicious code, in order to reduce the scale of the signature database and to detect unknown malicious code rapidly, especially malicious code variants. The experimental results show that this method achieves good results.
Keywords
affinity
malicious code
malicious code affinity signature
system functions
behavior
similar code
affinity
malicious code
malicious code affinity signature (MAS)
system functions
behavior
similar code