基于行为关联分析的异常文件管理活动识别系统

摘要

An approach to identify abnormal file management activities based on the association analysis of file and network be-haviors was proposed,and the prototype system F-Sensor was implemented.Behavior sequences consisting of the API functions were generated according to the temporal characteristics of abnormal file management activities,and then file and network beha-viors were associated to analyze and identify suspected abnormal behaviors based on implementation characteristics of abnormal file management activities.True abnormal file management behaviors were determined by combining white list and the dependency between the abnormal file management behaviors.Experimental results show that the method can well identify the abnormal file manage-ment behaviors with low rate of false positives.The identification result generated from F-Sensor can detect malware and make for the analysis of the attacker’s control intention.%提出一种基于文件和网络行为关联分析的异常文件管理活动识别方法，并实现原型系统 F-Sensor。根据异常文件管理活动的时序特征，生成由 API 函数组成的行为序列；依据异常文件管理活动的实现特点，关联分析文件和网络行为以识别疑似异常的行为；结合白名单机制和异常文件管理行为间的依存关系，识别真正的异常文件管理活动。实验结果表明，F-Sensor 能较好地识别异常文件管理行为，误报率较低，利用其识别结果可检测恶意软件，有助于分析攻击者的控制意图。