

Study on Unknown Virus Detection Technology Based on Classification

【Author】 余晓姿

【Supervisor】 白中英

【Author information】 北京邮电大学 (Beijing University of Posts and Telecommunications), Computer Science and Technology, 2013, Master's thesis

【Abstract (translated from Chinese)】 In this era of information explosion, the Internet brings people abundant information; while offering convenience it also drives economic development. However, many illegal organizations and individuals spread computer viruses to steal information and profit from it, creating serious hidden dangers for information and network security. As network technology develops, computer viruses spread faster, new viruses keep appearing, and their damage grows, so virus research has gradually become a focus of attention. Signature scanning is the main method currently used for computer virus detection: it maintains a database of signatures that uniquely identify each kind of virus, and when a file is examined it is scanned for code segments that match a signature, which is how virus files are found. This method has a major defect: it can only detect known viruses and is powerless against newly emerging ones, and many viruses also use instruction evolution techniques to mutate and evade recognition by anti-virus software. To address the detection of new and polymorphic viruses, this thesis applies classification methods from data mining to detect unknown viruses, and analyses the static structural features and behavioural features of viruses, how feature vectors are extracted, and the data classification algorithms. The method relies on the similarity among virus variants and their difference from normal programs to recognise unknown viruses, and it is extensible. The classification-based unknown virus detection method proposed here can detect variants of known viruses and can also learn new, unknown viruses. Compared with signature scanning, the model spares anti-virus analysts much repetitive analysis work, does not require frequent updates of the virus signature database, and is easier to maintain and upgrade. Experiments verify that the method can effectively recognise unknown viruses and that the system design is feasible.

【Abstract】 In the era of information explosion, the Internet brings people rich information. It provides convenience and promotes economic development. But many illegal organizations or individuals steal information for profit by spreading viruses, which brings risks to network security. With the development of network technology, viruses spread faster and become more diverse. Virus research is now a hotspot of computer security technology. Signature scanning is the most important method of computer virus detection. The basic idea of signature scanning is to find a known virus's signature and add it to the virus signature database; scanning then checks for the presence of virus signatures in a PE file. But this method can only detect known viruses and becomes powerless when dealing with new viruses. At the same time, many viruses use instruction-deformation techniques to evade identification by anti-virus software. To solve this problem, this paper uses data-mining classification methods to detect unknown viruses; it also discusses the static structural and behavioral characteristics of viruses and how to extract feature-vector data. The method classifies PE files by their differences, and it is scalable. The detection method in this paper can identify new viruses and performs well on virus variants. Relative to signature scanning, the model eliminates much repetitive analysis work, and it does not need frequent updates of the virus signature database either. All it needs is an update of the system's detection rules at the appropriate time, after which new viruses can be detected. Experimental results show that this method can effectively identify unknown viruses, and that the system design and implementation are feasible.
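The contrast the abstract draws, shown as an added example that is not part of the thesis: an exact-byte signature misses a variant whose instructions were re-encoded, while a classifier over static feature vectors still groups it with its family. The samples are constructed toy byte strings (not real malware), byte-bigram frequencies stand in for the thesis's unspecified feature extraction, and a 1-nearest-neighbour rule stands in for its classification algorithm.

```python
from collections import Counter
import math

# Constructed toy byte strings standing in for PE code sections (not real malware).
FAMILY_BLOCK = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xE8, 0x00, 0x10, 0x00, 0x00, 0xC9, 0xC3])
BENIGN_BLOCK = bytes([0x48, 0x83, 0xEC, 0x28, 0x48, 0x8D, 0x0D, 0x11, 0x22, 0x33, 0x00, 0xE8,
                      0x48, 0x83, 0xC4, 0x28, 0xC3])
VIRUS_A = FAMILY_BLOCK * 6
VIRUS_B = FAMILY_BLOCK * 4 + bytes([0x90] * 8) + FAMILY_BLOCK * 2
BENIGN_A = BENIGN_BLOCK * 5
BENIGN_B = bytes(range(0x20, 0x7F)) * 2          # text-like data section
# Hypothetical variant: one instruction re-encoded as two equivalent ones, so the bytes change.
VARIANT = VIRUS_A.replace(bytes([0x83, 0xEC, 0x10]), bytes([0x83, 0xEC, 0x08, 0x83, 0xEC, 0x08]))

# A signature is a byte pattern lifted from a known sample, as a signature database would hold.
SIGNATURE = FAMILY_BLOCK[3:9]   # 83 EC 10 E8 00 10
TRAINING = [("virus", VIRUS_A), ("virus", VIRUS_B), ("benign", BENIGN_A), ("benign", BENIGN_B)]


def signature_scan(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Signature scanning: does the file contain the exact known byte sequence?"""
    return signature in data


def bigram_features(data: bytes) -> Counter:
    """Static feature vector: relative frequency of each adjacent byte pair."""
    pairs = Counter(zip(data, data[1:]))
    total = sum(pairs.values())
    return Counter({pair: n / total for pair, n in pairs.items()})


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity between two sparse feature vectors."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def classify(sample: bytes, training=TRAINING) -> str:
    """1-nearest-neighbour classifier: label of the most similar training file."""
    feats = bigram_features(sample)
    label, _ = max(((lbl, cosine(feats, bigram_features(d))) for lbl, d in training),
                   key=lambda pair: pair[1])
    return label


if __name__ == "__main__":
    for name, sample in [("known virus", VIRUS_A), ("variant", VARIANT), ("benign", BENIGN_A)]:
        print(f"{name:12s} signature={signature_scan(sample)!s:5s} classifier={classify(sample)}")
```

The variant fails the signature check but is still classified as "virus" because most of its bigram mass is shared with the family; a held-out benign file built from BENIGN_BLOCK is classified as "benign".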


