惡意軟體(Malware) 是指具某些攻擊意圖的軟體,近年來惡意程式的大量增加,以及多型、模糊化、加密等惡意程式自我防護技術,使得傳統惡意程式靜態分析方式效果有所限制,因此目前許多研究著重在惡意程式的行為偵測。然而先前惡意程式行為偵測研究大部分以程序(process)為導向,意即只監控單一程序的行為,忽略了惡意程式可能利用多個共犯程序相互合作以完成其目的,甚至利用合法程序來掩飾本身的惡意行為。本研究提出以相依矩陣來記錄系統中所有程序的相依關係,並提出演算法偵測惡意程式由多個程序所共同產生自我複製、存活意圖等行為特徵,達到以聚合式多模組方法來關聯系統中所有程序,藉此以改善傳統惡意程式行為偵測的缺陷。我們在虛擬機器上執行惡意程式後利用微軟process monitor記錄系統中所有模組的行為,再以聚合技術偵測系統中是否有自我複製以及存活意圖等惡意行為特徵,本研究中實驗了140支惡意程,其中有11%惡意程式具有利用多模組來完成自我複製行為,在J.A.Mories以及V.Skormin等研究中將會對該類型惡意程式都會產生漏報,本研究採聚合偵測技術克服此缺點並成功偵測出此類型惡意程式,此外在惡意程式存活行為偵測改善了先前研究須採用白名單的缺點,降低了誤報的情形。 Malware is one kind of software which has intention to attack computer systems. In recent years there has significant increase in the number of malware, in addition malware also use polymorphism, obfuscation and packing technologies to protect itself. For the above reason, the effect of traditional static malware detection technology is restricted, as a result in recent years many studies focused on dynamic malware detection technology. However most of the previous studies are process center oriented, which mean these studies only monitor one process’s behavior, ignoring the possibility of malware using multiple process to complete malicious intent, or control legal process to hide their malicious behavior. In this paper we propose the use of dependency structure matrix to record the behavior of all process in user’s system and also propose an algorithm to detect multiple process’s self-replication and survival behavior, find the relations of the system processes by using the aggregation technology to improve the detection rate of traditional dynamic malware detection. As an evaluation of our proposes system. We execute the malware samples in the virtual machine and using process monitor tool to recorded system processes, and then detect whether our system can detect the malware or not. Experimental results show that we can detect 11% malware used the multiple processes to complete malicious intent in the 140 malware samples, and improve the weakness of previous studies which must used white list to avoid false positive.
