Trojan Detection Technology Based on Fuzzy Behavior Analysis
Published: 2018-03-06 00:16
Topic of this thesis: behavior analysis library Entry point: expert system Source: Henan University of Technology, 2014 master's thesis Document type: degree thesis
[Abstract]: With the rapid development of computer network technology, information networks have become an important pillar of social development. Because much of the information carried on these networks is sensitive, and some of it is even state secret, it inevitably attracts attacks by Trojan programs from all over the world that steal users' important information. Traditional Trojan detection techniques have shortcomings in many respects, and the difficulty of detecting unknown Trojans in particular is self-evident. Traditional detection models also fail to account for the uncertainty inherent in network attacks during detection, which raises the false-positive rate. The self-learning and adaptive properties of the expert knowledge base of a misuse detection system can compensate well for these defects, and building a fuzzy behavior library takes the uncertainty of attack behavior into account to some degree, thereby improving detection capability. On the basis of an in-depth study of behavior analysis algorithms, this thesis applies a fuzzy behavior analysis library to the Trojan detection process. The main research work is as follows:
(1) Study the history of Trojans and their current state at home and abroad; explain the principles and working mechanisms of Trojan detection; classify the attack characteristics of common Trojan programs; compare static and dynamic detection techniques and analyze their respective advantages and disadvantages.
(2) Explain that misuse detection targets known (or similar) attack behavior and behavior that indirectly violates the system security policy, and that a knowledge base of attacks on system flaws is usually the foundation of misuse detection. Combining the common principles and algorithms of behavior-analysis-based Trojan detection, design and implement a fuzzy behavior library, and analyze the importance and practicality of these algorithms in Trojan detection.
(3) Study the process of establishing fuzzy behavior rules; on the basis of the traditional signature-based detection algorithm, propose a Trojan detection model based on behavior analysis; defuzzify the output of the fuzzy behavior analysis module so that the performance of the detection model is improved.
(4) Build a virtual network environment and test the overall model experimentally, demonstrating that the fuzzy behavior analysis algorithm achieves good results both in raising detection accuracy and in lowering the false-positive rate.
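To make point (3) concrete, the following is an added illustration of the fuzzy-rule evaluation and defuzzification step the abstract describes; it is not code from the thesis. Behavioral indicators observed for a process are fuzzified with triangular and ramp membership functions, a small rule base is evaluated Mamdani-style (minimum for AND, maximum for aggregating the clipped consequents), and the aggregated output set is defuzzified by its centroid into a crisp Trojan-likelihood score on [0, 100] that a threshold then turns into a verdict. The three indicators (autorun_writes, outbound_conns, injections), the membership breakpoints, the six rules, the decision thresholds and the four sample observations are all assumptions made for this example; the thesis does not state which features or rules it uses.

```python
"""Fuzzy behavior analysis with centroid defuzzification (added illustration).

Indicators, membership breakpoints, rules, thresholds and sample observations
are assumptions made for this example; none of them come from the thesis.
"""
from typing import Callable, Dict, List, Optional, Tuple

Membership = Callable[[float], float]


def tri(x: float, a: float, b: float, c: float) -> float:
    """Triangular set: 0 at a, peak 1 at b, 0 at c (a <= b <= c)."""
    if x <= a or x >= c:
        return 0.0
    if x == b:
        return 1.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)


def ramp_up(x: float, a: float, b: float) -> float:
    """'high' on an open-ended scale: 0 up to a, rising to 1 at b and beyond."""
    if x <= a:
        return 0.0
    if x >= b:
        return 1.0
    return (x - a) / (b - a)


def ramp_down(x: float, a: float, b: float) -> float:
    """'low': 1 up to a, falling to 0 at b and beyond."""
    if x <= a:
        return 1.0
    if x >= b:
        return 0.0
    return (b - x) / (b - a)


# Hypothetical behavioral indicators per observation window, each with three
# linguistic terms. Breakpoints are assumed, not taken from the thesis.
INPUT_SETS: Dict[str, Dict[str, Membership]] = {
    "autorun_writes": {  # persistence-related registry/startup modifications
        "low": lambda x: ramp_down(x, 0, 2),
        "medium": lambda x: tri(x, 1, 3, 5),
        "high": lambda x: ramp_up(x, 3, 6),
    },
    "outbound_conns": {  # distinct outbound connections
        "low": lambda x: ramp_down(x, 2, 10),
        "medium": lambda x: tri(x, 5, 20, 40),
        "high": lambda x: ramp_up(x, 25, 60),
    },
    "injections": {  # cross-process memory writes / remote thread creations
        "low": lambda x: ramp_down(x, 0, 1),
        "medium": lambda x: tri(x, 0, 2, 4),
        "high": lambda x: ramp_up(x, 2, 5),
    },
}

# Output universe: Trojan likelihood on [0, 100].
OUTPUT_SETS: Dict[str, Membership] = {
    "benign": lambda s: ramp_down(s, 20, 45),
    "suspicious": lambda s: tri(s, 30, 50, 70),
    "malicious": lambda s: ramp_up(s, 55, 80),
}

# Rule base (assumed): antecedent terms are ANDed with min; consequent is a term
# of the output universe. The last rule keeps a chatty but non-persistent,
# non-injecting process (e.g. a browser) from being scored as malicious.
RULES: List[Tuple[Dict[str, str], str]] = [
    ({"autorun_writes": "high", "outbound_conns": "high"}, "malicious"),
    ({"injections": "high"}, "malicious"),
    ({"autorun_writes": "medium", "outbound_conns": "medium"}, "suspicious"),
    ({"injections": "medium"}, "suspicious"),
    ({"autorun_writes": "low", "outbound_conns": "low", "injections": "low"}, "benign"),
    ({"autorun_writes": "low", "outbound_conns": "high", "injections": "low"}, "suspicious"),
]


def fuzzify(obs: Dict[str, float]) -> Dict[str, Dict[str, float]]:
    """Membership degree of each indicator value in each of its linguistic terms."""
    return {name: {term: mf(obs[name]) for term, mf in terms.items()}
            for name, terms in INPUT_SETS.items()}


def fire_rules(obs: Dict[str, float]) -> List[Tuple[float, str]]:
    """Firing strength (min over antecedent memberships) and consequent of every rule."""
    memberships = fuzzify(obs)
    return [(min(memberships[var][term] for var, term in antecedent.items()), consequent)
            for antecedent, consequent in RULES]


def defuzzify(fired: List[Tuple[float, str]]) -> Optional[float]:
    """Centroid of the aggregated output set (max of consequents clipped at their
    firing strength) over the integer points of [0, 100]. Returns None when no
    rule fired, because the centroid of an empty set is undefined."""
    num = den = 0.0
    for s in range(0, 101):
        mu = max((min(strength, OUTPUT_SETS[c](s)) for strength, c in fired), default=0.0)
        num += s * mu
        den += mu
    return None if den == 0.0 else num / den


def score(obs: Dict[str, float]) -> Optional[float]:
    return defuzzify(fire_rules(obs))


def classify(obs: Dict[str, float], trojan_at: float = 60.0, suspect_at: float = 40.0) -> str:
    s = score(obs)
    if s is None:
        return "undetermined"  # observation lies in a gap of the rule base
    return "trojan" if s >= trojan_at else "suspicious" if s >= suspect_at else "benign"


# Constructed observations (not real telemetry).
SAMPLES: Dict[str, Dict[str, float]] = {
    "persistent_beacon": {"autorun_writes": 5, "outbound_conns": 50, "injections": 4},
    "idle_editor": {"autorun_writes": 0, "outbound_conns": 3, "injections": 0},
    "busy_browser": {"autorun_writes": 0, "outbound_conns": 50, "injections": 0},
    "uncovered": {"autorun_writes": 0, "outbound_conns": 15, "injections": 0},
}

if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        s = score(obs)
        shown = "n/a" if s is None else f"{s:5.1f}"
        print(f"{name:18s} score={shown} -> {classify(obs)}")
```

Two points this makes visible that the abstract only states in outline: the crisp score is what the threshold acts on, so the defuzzification method (centroid here) and the output-set shapes directly determine the false-positive rate; and a rule base can have gaps, as the "uncovered" observation shows, where no rule fires and there is nothing to defuzzify, so a detector has to decide explicitly what "undetermined" means rather than silently scoring it 0.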
[Degree-granting institution]: Henan University of Technology
[Degree level]: Master
[Year awarded]: 2014
[Classification number]: TP393.08
Article ID: 1572514
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1572514.html