多态及变种恶意程序的流行极大地挑战了传统基于静态代码特征的恶意程序检测。动态行为分析通过在受限的环境中运行被分析程序，以相对稳定的程序行为特征检测代码特征多变的恶意程序，对代码混淆免疫，被认为是对抗未知及变种恶意程序最有希望的方法。本项目拟在统一框架下研究恶意程序动态行为分析的三个环节：程序行为数据捕获、行为描述与恶意程序特征行为提取，以及行为检测算法设计。通过虚拟机监控器层的程序行为监控提高程序行为数据捕获的准确性与自动化程度；对多种数据源提取的原始数据设计程序行为特征描述语言兼顾时间效率与对程序行为的理解，提高行为抽象过程对恶意行为描述的能力；最后，利用机器学习从海量数据中学习建立预测模型的能力，结合恶意程序行为检测的代价敏感性，对准确率要求高等特点，使用增强学习技术设计行为检测算法提高对未知及变种恶意程序检测的能力。项目拟实现一套完整的恶意程序行为检测系统。

As technology code obfuscation and automatic malware generator lead to an explosive growth of malware samples and greatly challenge traditional detection methods. To fight back, behavior-based malware analysis is proposed by security analyzers, in which the analysis sample is executed in a controlled environment and the interactions between analysis file and the operation system are monitored. The core idea of behavior analysis is to detect malwares by relatively stable behavioral features instead of easily-changed code characteristics. For it is immune to code obfuscation, dynamic behavior-based malware detection is regarded to be the most promising way to combat with unknown and variant malwares. In this research, we unify three essential parts of behavior based malware detection: capturing raw data, abstracting behavioral features and detection algorithm design into one framework. We propose to implement behavior data capturing automatically at virtual machine monitor layer to improve data accuracy. A new algorithm to abstract discriminant features of malwares is planned to be researched, which takes raw data from multiple sources and strike a balance between time efficiency and interpretability of extracted features. Finally, we plan to use machine learning techniques which is the most popular method to build prediction model from massive data and to design unknown and variant malware detection algorithms. Cost sensitivity, high accuracy etc. are taken into considerations at the design of the behavior-based malware detection algorithm. This research will implement a complete behavior-based malware detection system.