The Research of Malware Detection Technology Based on Active Mode
|School||Harbin Institute of Technology|
|Course||Computer Science and Technology|
|Keywords||Actively-detecting Honeypot Malware collection Network security|
With the extensive and deep use of computer networks, network security has been a key problem,and malware is one of the worst menaces to network. Now the malware’s transmission and attack mode are becoming more and more complicated and diversified, which makes many new menaces and challenges to network security. Using new transmission methods, those already exist malwares changes their transmission method and begin to use client software such as browser to transmit. There are also appearing many new transmission methods such as P2P download- transmission、Trojan downloader and Google Hacking using search engine. Following a lot of new methods, there appears new attack method such as using client software’s vulnerability to attack. Client applications’conspicuous appearing conduces more and more baleful attacks aiming at client software, such as web browser and Email client applications. Now the kind of malware transmitted by client applications is malware’s main development trend, including passive-spreading malwares such as script virus included in web pages.As a newly arisen trap technique, Honeypot is widely used in network security’s threats detection. But honypot can only monitor and analyze those attacks aiming at honey pot itself, which limits the view. Traditional malware detection systems such as Nepenthes just uses honey pot technique to attract malware and waits malware’s attack passively.Due to the traditional malware detection technique which depends on passive detecting can’t satisfy the network security’s requirement, malware detection technique changes from passive technique to active technique. This paper gives a detailed analysis about malware’s transmission and operation characteristics, and on this foundation, the paper proposes a model based on active technique. The fundamental difference between this model and the traditional malware detection model is that the former adds mechanisms about active search and visit those targets which are suspected including malware. Those mechanisms can actively badger the malware to attack honerpot, then it can detect these malware. According to the model, this paper proposes a malware detection method based on active technique、high-interaction honeypot and behavior monitoring.After detailed analysis of those malwares’ spreading process which spread by IE browser, this paper proposes to make active visit to doubtful aims using IE browser as client. On the basis of the detailed analysis of those malwares’ spreading methods and operation way, the paper proposes an extendable monitoring method based on aims set monitoring and behavior monitoring. At the same time this paper designed an extendable structure and some interfaces.On the basis of those theories, this paper designs and implements a malware detection system based on IE browser, which is named as Decoy. Besides traditional detection tool’s functions, Decoy actively visit aims which maybe include malware, trigger the passive-spreading malwares and badger malwares to attack, using real-time inspecting method. As a result, Decoy can rise the coverage of malware’s kind. Traditional detection system need to be deployed on the public network’s export which is a higher requirement for the deploy environment. Decoy just need to be deployed on LAN, this makes Decoy has a strong availability. The experiment’s results validated that Decoy meets the design requirements, and the experimental data validated that the theoretical analysis is practical and correct.In the end of the paper, it analyzed the achievement of my research and the problems that emerged in the realization process. Then the writer gave some proposals for researchers who are interested in this research to have further study.