As technology advances and network applications develop, the behaviours and varieties of viruses and worms keep changing. Viruses and worms hide inside normal programs and wait for a chance to infect, spread, or destroy; to this day there is no effective method that can absolutely prevent the harm caused by viruses and worms. When virus and worm programs are compared with ordinary normal programs, every single instruction used in the code of a virus or worm also appears in ordinary programs, so when detecting virus and worm behaviour it is difficult to distinguish them by the actions of individual instructions. The main difference between viruses, worms and normal programs lies in their overall behaviour: the behaviour of virus and worm programs causes damage to the system, whereas normal programs do not.
In this study, the Linux operating system is taken as the target, and 63 virus and worm programs as well as many normal programs were collected. The first preprocessing step disassembles each program into its code in execution order; the second step builds behaviour segments by comparing and analysing the code from the previous stage; the third step generates virus cases and uses case-based reasoning to construct a knowledge base of viruses and worms. To demonstrate that the method is effective, 20 viruses and 10 normal programs were selected for experiments. The results of this study show that the computer-virus case-based reasoning library developed here can successfully detect computer programs carrying viruses and worms; compared with traditional signature-based detection, it can effectively reduce the volume of virus data, and it can further analyse future viruses to increase the completeness of the computer-virus case library.
The rapid development of technology and the internet means that the behaviors of viruses and worms vary from time to time. Nowadays there is no efficient method that can both effectively detect viruses and/or worms and also prevent the damage they cause. Virus and/or worm programs, just like other ordinary programs, consist of many instructions, and all the instructions in a given program are executed in sequence. The major difference between virus and/or worm programs and ordinary programs is that the behaviors of the instructions in virus and/or worm programs can harm the host system, whereas the behaviors of the instructions in ordinary programs will not.
Linux is an open system; unlike in a closed system, virus and/or worm programs can easily be created on it, and metamorphic virus and/or worm programs can also be developed easily. In this research, 63 networked Linux virus and/or worm programs are collected and analyzed to explore the behaviors of viruses and worms. Knowledge of virus and/or worm behaviors is used to develop a knowledge base which can be applied to detect networked virus and/or worm programs.
There are three steps to developing the knowledge base. The first is the reverse-engineering step, which disassembles virus and/or worm programs and discovers all the instruction codes of these programs and their execution sequences. The second step builds behavior segments by analyzing the instruction codes from the first step. The third step generates virus and/or worm cases and develops the knowledge base. The case-based reasoning technique, together with the knowledge base, is applied to detect virus and/or worm programs. In order to demonstrate the efficiency of the method, a set of 20 virus and/or worm programs and a set of 10 ordinary programs are employed. The outcome is quite convincing.
The approach presented in this research can reduce the quantity of virus and/or worm data compared with other traditional methods. The self-learning method allows the knowledge base to be enhanced from time to time.
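The following is an added illustration of the three-step pipeline (disassembly, behavior segments, case library with case-based reasoning) and of the self-learning step described above; it is not the thesis's own code. It assumes, since the abstract does not define them, that a disassembled program is modelled as a list of mnemonics, that a behavior segment is a window of three consecutive instructions, and that case similarity is Jaccard overlap of segment sets; the sample instruction lists are constructed, not real samples.

```python
from typing import Dict, List, Set, Tuple

Segment = Tuple[str, ...]


def behaviour_segments(instructions: List[str], window: int = 3) -> Set[Segment]:
    """Step 2: a behaviour segment is modelled (assumption) as a window of
    `window` consecutive instructions taken from the disassembly (step 1)."""
    return {tuple(instructions[i:i + window])
            for i in range(len(instructions) - window + 1)}


def jaccard(a: Set[Segment], b: Set[Segment]) -> float:
    """Similarity between two segment sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class CaseBase:
    """Step 3: case library with CBR retrieval and self-learning."""

    def __init__(self) -> None:
        self.cases: List[Tuple[str, str, Set[Segment]]] = []

    def add_case(self, name: str, label: str, instructions: List[str]) -> None:
        """Store a confirmed program as a case (also the self-learning path)."""
        self.cases.append((name, label, behaviour_segments(instructions)))

    def classify(self, instructions: List[str], threshold: float = 0.5) -> Tuple[str, float, str]:
        """Retrieve the nearest case; reuse its label if similar enough,
        otherwise report 'unknown' so an analyst can decide and learn it."""
        segs = behaviour_segments(instructions)
        if not self.cases:
            return "unknown", 0.0, ""
        name, label, best_segs = max(self.cases, key=lambda c: jaccard(segs, c[2]))
        sim = jaccard(segs, best_segs)
        return (label if sim >= threshold else "unknown"), sim, name


# Constructed sample "disassemblies" (mnemonic lists), not real samples.
WORM_CASE = ["socket", "connect", "send", "recv", "fork", "execve", "open", "write", "close"]
BENIGN_CASE = ["open", "read", "write", "close", "exit"]
WORM_VARIANT = WORM_CASE + ["exit"]           # same behaviour, one extra instruction
UNSEEN_BENIGN = ["open", "read", "close", "exit"]


def demo() -> Dict[str, Tuple[str, float, str]]:
    kb = CaseBase()
    kb.add_case("worm-1", "malicious", WORM_CASE)
    kb.add_case("cat-like", "benign", BENIGN_CASE)
    results = {"variant": kb.classify(WORM_VARIANT),
               "unseen_before": kb.classify(UNSEEN_BENIGN)}
    kb.add_case("unseen-1", "benign", UNSEEN_BENIGN)   # analyst confirms, library grows
    results["unseen_after"] = kb.classify(UNSEEN_BENIGN)
    return results
```

The variant shares 7 of its 8 segments with the stored worm case and is labelled malicious, while the unseen program matches nothing until it is added as a case.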