This paper analyzes the malware behaviors of propagation and damage, including process, privilege, memory, registry, file and network. The malware accomplishes these behaviors by calling the corresponding Application Programming Interface API) functions. It proposes a dynamic malware detection method based on perception of sensitive native API calls frequency. It develops transparent monitoring and analysis environment based on source code of Xen. Experimental results indicate that the method can identify unknown malware.%分析恶意软件传播与破坏的行为特征,包括进程、特权、内存操作、注册表、文件和网络等行为.这些行为通过调用相应的API函数来实现,为此,提出一种基于敏感Native API调用频率的恶意软件检测方法,采用Xen进行二次开发,设计对恶意软件透明的分析监测环境.实验结果表明,使用敏感Native API调用频率能够有效地检测多种未知恶意软件.
展开▼