电子学报 ›› 2012, Vol. 40 ›› Issue (1): 115-120.DOI: 10.3969/j.issn.0372-2112.2012.01.019

• 学术论文 • 上一篇    下一篇

基于模糊识别和支持向量机的联合Rootkit动态检测技术研究

李鹏1,2,3, 王汝传1,2,3, 高德华1   

  1. 1. 南京邮电大学计算机学院,江苏南京 210003;2. 江苏省无线传感网高技术研究重点实验室,江苏南京 210003;3. 宽带无线通信与传感网技术教育部重点实验室,江苏南京 210003
  • 收稿日期:2011-04-19 修回日期:2011-07-18 出版日期:2012-01-25 发布日期:2012-01-25

Research on Rootkit Dynamic Detection Based on Fuzzy Pattern Recognition and Support Virtual Machine Technology

LI Peng1,2,3, WANG Ru-chuan1,2,3, GAO De-hua1   

  1. 1. College of Computer,Nanjing University of Posts and Telecommunications,Nanjing,Jiangsu 210003,China;2. Jiangsu High Technology Research Key Laboratory for Wireless Sensor Networks,Jiangsu Province,Nanjing,Jiangsu 210003,China;3. Key Lab of Broadband Wireless Communication and Sensor Network Technology (Nanjing University of Posts and Telecommunications), Ministry of Education,Jiangsu Province,Nanjing,Jiangsu 210003,China
  • Received:2011-04-19 Revised:2011-07-18 Online:2012-01-25 Published:2012-01-25

摘要: 针对Rootkit恶意代码动态检测技术进行研究.总结出典型Rootkit恶意程序动态行为所调用的系统API函数.实时统计API调用序列生成元并形成特征向量,通过模糊隶属函数和模糊权向量,采用加权平均法得到模糊识别的评估结果;基于层次的多属性支持向量机分析法构建子任务;基于各个动态行为属性的汉明距离定位Rootkit的类型.提出的动态检测技术提高了自动检测Rootkit的准确率,也可以用于检测未知类型恶意代码.

关键词: 网络安全, 恶意代码, 模糊识别, 支持向量机, API系统调用

Abstract: Dynamic detection technology of Rootkit malicious code has been studied.It summarizes typical dynamic system API functions which are called by Rootkit malicious codes.It extracts behavioural characters of the typical system API functional series accompany with the running of malicious code,forms feature vectors by counting up the generating elements important degree of system call series,uses fuzzy membership function and normalization fuzzy weights vector,and comes to the fuzzy pattern recognition conclusion with the use of weighted averaging method.It exactly locates the types of Rootkit malicious code based on the analysis method of layered multi-attributes support virtual machine,according to the subtasks constructed by the independent API system call behaviours,and with the calculation of hamming distance of dynamic behaviour properties.Experiments indicates the proposed dynamic detection method of combining fuzzy pattern recognition with support virtual machine technology not only improves the accuracy rate of Rootkit automatic detection but also has the ability of detecting the previous unknown type malicious code.

Key words: network security, malicious code, fuzzy pattern recognition, support virtual machine, application programming interface system call

中图分类号: