A New Method of Malicious Code Detection
Cite this article: 舒胤明 (SHU Yin-ming), 范明钰 (FAN Ming-yu), 王光卫 (WANG Guang-wei). A New Method of Malicious Code Detection [J]. 计算机安全 (Network & Computer Security), 2013, 0(9): 14-18
Authors: 舒胤明 (SHU Yin-ming), 范明钰 (FAN Ming-yu), 王光卫 (WANG Guang-wei)
Affiliation: Information Security Research Center, University of Electronic Science and Technology of China (UESTC, 电子科技大学), Chengdu, Sichuan 611731, China
Abstract: A host-based detection system has a stronger capability to inspect files, but its system overhead and cost are too high, so in practice network-based detection systems are applied in a wider range of scenarios and can be deployed on many more nodes; improving the detection capability of a network-based malicious code detection system therefore supports the subsequent defense against malicious code more effectively. Those node devices, however, although numerous, are relatively low-end and cheaper per unit, and cannot reassemble captured network packets the way host-based detection does; even where they can, reassembly is time-consuming and laborious, processing cannot keep up with the network traffic, and large numbers of packets are dropped. It would therefore be highly significant if the front-end hosts of a detection system could determine whether a packet carries malicious code without reassembling it. By inspecting the content of individual packets without reassembly and raising alerts on the suspicious ones, the detection capability of the front-end hosts of a network-based malicious code detection system can be significantly enhanced, so that anomalies are detected already while the malicious code is being planted.

Keywords: detection without packet reassembly; detection; malicious code

This article is indexed in 维普 (VIP) and other databases.