
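Research on Trojan Detection Technology for Intelligent Building Management Systems

Published: 2018-06-15 12:57

  Topic of this paper: intelligent building management system + Trojan; Reference: Harbin Engineering University, master's thesis, 2014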


[Abstract]: With advances in computer, control and communication technology, the intelligent building has become a mature and achievable goal, and managing all of a building's subsystems through a single unified management platform has become imperative. This thesis addresses the internal security of intelligent building management systems that are connected to the Internet, specifically the risk that hosts and servers on the internal network may be implanted with Trojans, and proposes a corresponding detection method. The main work is as follows.

First, the research background of information security in intelligent building management systems is set out, including the basic concepts of such systems and the scope of application of information security in today's information network environment. The current state and development trends of Trojan detection technology at home and abroad are described, with emphasis on how modern Trojan techniques operate on the Internet and how they affect the security of Internet space.

Then, the security of intelligent building management systems and the working mechanism of Trojan horses are analysed in detail. Starting from a discussion of what an intelligent building management system is and what it covers, the thesis analyses the security problems of these systems in depth and explains the forms in which malicious programs may exist in them. It introduces the communication architecture of Trojan horses, analyses their known camouflage methods, and on that basis analyses their working principle, giving an overall account of how Trojans work. The focus is the network communication behaviour of Trojans: the thesis analyses the network communication protocols commonly used by network malicious code and discusses the working modes of modern Trojans in the Internet environment. In particular, it analyses the connection methods and communication modes of today's mainstream Trojan, the port-rebound Trojan, covering the semi-rebound connection architecture, the full-rebound connection architecture, and a comparison of the two. From this analysis, the network behaviour features that Trojans exhibit in their basic working mode on the Internet are extracted.

Next, the security problems of widely distributed intelligent building management systems in the modern Internet environment are discussed. The C-F model is introduced, and its basic concepts, principles and applications are explained. Based on the extracted C-F model features, a detection system is built for Trojans that may exist in an intelligent building management system, implementing the detection mechanism. The architecture of the recognition system for detecting Trojan network behaviour is described: for each selected feature, an uncertain representation of the network behaviour features of Trojan remote-control software is established, and a knowledge base of Trojan communication behaviour features is built. Following the reasoning process of C-F model theory, an inference strategy for detecting Trojan network behaviour and a migration-identification inference strategy are established, and the final inference result is given.

Finally, the thesis verifies the effectiveness of the proposed method, which captures network traffic at the gateway of an intelligent building management system network and analyses whether that traffic contains the communication behaviour of Trojan remote-control software. Real traffic between the internal network of an intelligent building management system and the external Internet is selected, and real Trojan malware is used to simulate Trojan communication behaviour data. The two kinds of data are mixed, and the Trojan communication behaviour data are identified from the mixed data. In addition, typical Trojan program samples are used: their communication traffic is collected, detected and analysed, and good experimental results are obtained.
[Degree-granting institution]: Harbin Engineering University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP309;TU855
