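With the rapid growth of the Internet, viruses that once spread on floppy disks now spread over the network. Viruses written in scripting languages can reach every part of the world in a very short time through HTML web pages and e-mail. This study takes VBScript as its subject and uses sequential pattern mining to generalize the behavior patterns of VBScript viruses; two units, a virus preprocessor and a virus behavior analyzer, build those behaviors into a virus behavior knowledge base. The virus preprocessor performs an initial cleanup of VBScript virus source code and then clusters the cleaned source, so that viruses of the same nature fall into the same group. The virus behavior analyzer applies sequential pattern mining to each virus group to find the characteristic behaviors specific to that group, and stores them as rules (rule-base) in the virus characteristic behavior knowledge base. An API function knowledge base is also built; the VBScript virus knowledge base, together with the knowledge of API functions that correspond to the same behaviors, provides users with knowledge rules for API-based virus detection.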
In the past, viruses spread through floppy discs; with the development of the Internet, they now spread through the Internet instead. Many common viruses on the Internet are written in Script, which lets Script viruses disperse extremely fast through HTML and e-mail. In this research, VBScript is the subject. By way of sequence pattern mining, the patterns of VBScript viruses are discovered and a Virus Behavior Knowledge Base, which stores the virus behaviors, is established.
Two major steps are developed to explore virus behaviors. First, a data pre-processor organizes VBScript virus code, and the organized viruses are then grouped so that viruses with similar characteristics are put in the same group. Second, the virus behavior analyzer uses sequence pattern mining to derive the unique behavior of the viruses in each virus group. The rule-base approach is used to describe virus behavior in the Virus Behavior Knowledge Base and to create the related virus behavior API functions as well. These virus behavior API functions can then be used to establish an effective API virus detector.
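The per-group mining and rule-matching steps described above, sketched as an added example that is not code from the thesis. It assumes PrefixSpan as the sequence pattern mining algorithm (the abstract does not name one), and the group names and action labels are constructed placeholders for pre-processed behavior sequences.

```python
from collections import defaultdict

def is_subsequence(pattern, seq):
    """True if pattern occurs in seq in order (gaps allowed)."""
    it = iter(seq)
    return all(tok in it for tok in pattern)

def prefixspan(seqs, min_support, prefix=()):
    """Yield (pattern, support) for ordered patterns in >= min_support sequences."""
    counts = defaultdict(int)
    for s in seqs:
        for tok in set(s):
            counts[tok] += 1
    for tok, support in sorted(counts.items()):
        if support >= min_support:
            yield prefix + (tok,), support
            # Project each sequence onto what follows the first tok.
            projected = [s[s.index(tok) + 1:] for s in seqs if tok in s]
            yield from prefixspan(projected, min_support, prefix + (tok,))

def group_rules(groups, min_support, min_len=2):
    """Per group: maximal frequent patterns absent from every other group."""
    rules = {}
    for name, seqs in groups.items():
        others = [s for g, ss in groups.items() if g != name for s in ss]
        pats = [p for p, _ in prefixspan(seqs, min_support)
                if len(p) >= min_len
                and not any(is_subsequence(p, o) for o in others)]
        rules[name] = [p for p in pats
                       if not any(p != q and is_subsequence(p, q) for q in pats)]
    return rules

def classify(seq, rules):
    """Names of the groups whose rule patterns appear in seq."""
    return sorted(g for g, pats in rules.items()
                  if any(is_subsequence(p, seq) for p in pats))

# Constructed behaviour sequences (abstract action labels, not real samples).
GROUPS = {g: [s.split() for s in seqs] for g, seqs in {
    "mail_worm": ["read_self copy_self reg_autorun enum_contacts send_mail",
                  "read_self enum_contacts send_mail reg_autorun",
                  "copy_self read_self enum_contacts send_mail"],
    "file_infector": ["read_self enum_files open_target write_target",
                      "enum_files read_self open_target write_target reg_autorun",
                      "read_self enum_files open_target write_target"],
}.items()}
RULES = group_rules(GROUPS, min_support=3)
```

Actions shared by both groups, such as `read_self` alone or `reg_autorun`, never become a rule by themselves, which is what keeps each rule specific to its group.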