Cite this article: LI Xiaoyong, ZHOU Litao, SHI Yong, et al. Malicious Code Detection and Prevention in Virtual Behavior Mechanism [J]. Journal of National University of Defense Technology, 2010, 32(1): 101-106.
This article has been viewed 6902 times and downloaded 6265 times.

Malicious Code Detection and Prevention in a Virtual Behavior Mechanism (original Chinese title: 虚拟行为机制下的恶意代码检测与预防)
LI Xiaoyong (1), ZHOU Litao (2), SHI Yong (1), GUO Yu (1)
(1. School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China; 2. College of Computer, National University of Defense Technology, Changsha 410073, Hunan, China)
|
Abstract (translated from the Chinese):
Cohen proved that no algorithm exists that can precisely detect every possible computer virus. MCDPM is a malicious code detection method based on a virtual behavior mechanism; its purpose is to sidestep the limitation imposed by Cohen's result and thereby achieve effective detection and prevention of malicious code. MCDPM splits the conventional execution of a program into two parts, the occurrence of virtual behavior and the occurrence of actual behavior, and by monitoring and analyzing the virtual behaviors and their results it achieves precise detection of what the code does. Because MCDPM's analysis rests on the exact behavior of the code, its verdicts reflect real and accurate behavior. For non-malicious code, MCDPM reflects the execution results into the real system environment through the actual behavior function, keeping the system state consistent. MCDPM can be used to detect unknown malicious code, and it can supply a trusted source for the transitive trust mechanism of trusted computing platform technology.
Keywords: computer virus; malicious code; behavioral characteristics; detection; prevention
Received: 2009-09-16
Funding: National Basic Research Program of China (973 Program) project 2007CB311100
|
Malicious Code Detection and Prevention in Virtual Behavior Mechanism
LI Xiaoyong (1), ZHOU Litao (2), SHI Yong (1), GUO Yu (1)
(1. Beijing Jiaotong University, Beijing 100044, China; 2. College of Computer, National University of Defense Technology, Changsha 410073, China)
|
Abstract: |
Cohen proved that no algorithm can perfectly detect all possible viruses. The Malicious Code Detection and Prevention Model (MCDPM) is a behavior-based malicious code detection mechanism whose purpose is to sidestep the limitation of Cohen's result. MCDPM separates program behavior into a virtual behavior part and an actual behavior part, and monitors the virtual behaviors as well as their results. MCDPM decides whether an executable is malicious by analyzing the program's virtual behaviors. Because the decision is made on the program's actual, unalterable behavior, the method has a low false positive rate and a low false negative rate. For non-malicious programs, MCDPM applies the results of their behavior to the real platform through the actual behavior function, so that system consistency is preserved. MCDPM is effective in detecting unknown malicious code and also supplies an accurate approach to removing viruses from the system. MCDPM can further be used to provide assurance to the transitive trust mechanism of trusted computing platform technology.
Keywords: computer virus; malicious code; behavior; detection; prevention
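The abstract describes a two-phase execution model: side effects are first produced against a virtual environment, the recorded virtual behavior is analyzed, and only a program judged benign has its effects committed to the real system through the actual behavior function. The following is an added illustration of that split, written for this page and not the authors' MCDPM implementation. The in-memory file system, the protected-path and self-replication rules, and the two sample programs are all constructed assumptions; a real system would interpose on system calls rather than on a dictionary.

```python
"""Two-phase execution in the spirit of MCDPM: record side effects against a
virtual copy of the system, analyse the recorded behaviour, and commit to the
real state only when nothing malicious was found. Simplified illustration."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the real file system: path -> contents.
REAL_FS: Dict[str, bytes] = {
    "/home/user/app.bin": b"\x7fELF-app-image",
    "/home/user/worm.bin": b"\x7fELF-worm-image",
    "/usr/bin/ls": b"\x7fELF-ls-image",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}

# Assumed policy: paths a user program must never modify.
PROTECTED_PREFIXES = ("/etc/", "/usr/bin/")


@dataclass
class VirtualOp:
    """One behaviour the program requested during the virtual phase."""
    kind: str          # "read", "write" or "delete"
    path: str
    data: bytes = b""


class VirtualEnvironment:
    """Reads are served from a snapshot plus an overlay; writes and deletes
    go only to the overlay and the behaviour log, never to the real state."""

    def __init__(self, real_fs: Dict[str, bytes]) -> None:
        self.base = dict(real_fs)                      # read-only snapshot
        self.overlay: Dict[str, Optional[bytes]] = {}  # None marks a deletion
        self.ops: List[VirtualOp] = []

    def read(self, path: str) -> bytes:
        self.ops.append(VirtualOp("read", path))
        if path in self.overlay:
            if self.overlay[path] is None:
                raise FileNotFoundError(path)
            return self.overlay[path]
        if path not in self.base:
            raise FileNotFoundError(path)
        return self.base[path]

    def write(self, path: str, data: bytes) -> None:
        self.ops.append(VirtualOp("write", path, data))
        self.overlay[path] = data

    def delete(self, path: str) -> None:
        self.ops.append(VirtualOp("delete", path))
        self.overlay[path] = None


def analyze(env: VirtualEnvironment, self_path: str) -> List[str]:
    """Judge the recorded virtual behaviour; an empty list means benign."""
    findings: List[str] = []
    self_image = env.base.get(self_path, b"")
    for op in env.ops:
        if op.kind in ("write", "delete") and op.path.startswith(PROTECTED_PREFIXES):
            findings.append(f"{op.kind} to protected path {op.path}")
        # Writing the program's own image into another file is treated as
        # self-replication, the classic viral behaviour.
        if op.kind == "write" and self_image and op.path != self_path and self_image in op.data:
            findings.append(f"self-replication into {op.path}")
    return findings


def actual_behavior(real_fs: Dict[str, bytes], env: VirtualEnvironment) -> Dict[str, bytes]:
    """Commit phase: apply the overlay to a copy of the real state."""
    committed = dict(real_fs)
    for path, data in env.overlay.items():
        if data is None:
            committed.pop(path, None)
        else:
            committed[path] = data
    return committed


def run_and_decide(real_fs, program, self_path):
    """Run `program` virtually, analyse it, and commit only if it is clean.
    Returns (new_state, findings); on a malicious verdict the state is unchanged."""
    env = VirtualEnvironment(real_fs)
    program(env)
    findings = analyze(env, self_path)
    if findings:
        return dict(real_fs), findings      # virtual effects are discarded
    return actual_behavior(real_fs, env), findings


# Constructed sample programs.
def benign_app(env: VirtualEnvironment) -> None:
    """Counts accounts and writes a report into the user's home directory."""
    accounts = len(env.read("/etc/passwd").splitlines())
    env.write("/home/user/report.txt", f"{accounts} accounts\n".encode())


def worm(env: VirtualEnvironment) -> None:
    """Overwrites a system binary with its own image and adds a root account."""
    image = env.read("/home/user/worm.bin")
    env.write("/usr/bin/ls", image)
    env.write("/etc/passwd", env.read("/etc/passwd") + b"evil:x:0:0::/:/bin/sh\n")


if __name__ == "__main__":
    for name, prog, path in (("app", benign_app, "/home/user/app.bin"),
                             ("worm", worm, "/home/user/worm.bin")):
        state, findings = run_and_decide(REAL_FS, prog, path)
        print(f"{name}: {'blocked' if findings else 'committed'}; findings={findings}")
```

The benign program's report file appears only in the committed state, while the worm's overwrite of /usr/bin/ls and its change to /etc/passwd are visible in the behaviour log but never reach the real state. This is the property the abstract relies on: the verdict is based on what the code actually did, yet a wrong guess about benign-looking code costs nothing because the real system has not yet been touched.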