
Research on Security Analysis and Testing of Windows-Based Host Monitoring and Audit Products

Published: 2018-05-08 05:51

Topic: host monitoring and audit products + security analysis; Source: Beijing Jiaotong University, master's thesis, 2014


[Abstract]: As internal-network security problems in enterprises and public institutions have become increasingly prominent, host monitoring and audit products have gained favour with such organisations in recent years. These products can effectively prevent internal staff from abusing network resources, guard against the leakage of confidential and sensitive information, and provide audit records for after-the-fact investigation. However, because such products are designed and implemented in many different ways and are deployed in complex and varied environments, some of their modules contain security vulnerabilities that can cause their monitoring functions to fail. The security of these products has therefore gradually become a pressing problem. During an internship at the National Secrecy Science and Technology Evaluation Center (国家保密科技测评中心), the author tested host monitoring and audit products from more than 20 domestic vendors and found that such products commonly contain security vulnerabilities in their functional modules and client agent programs; by exploiting these vulnerabilities, part of the monitoring functionality can be bypassed, and the client agent can even be disabled with ease.

This thesis focuses on the author's security analysis of these products in two respects, their functional modules and their own self-protection, and specifically describes three functional-module vulnerabilities and three means of defeating the client agent's security. Three vulnerabilities are common to the functional modules of these products: 1. by modifying a process's matching information, the process monitoring function can be bypassed; 2. by static binding of IP-MAC addresses, interception of ARP spoofing packets, and capturing/tampering with/sending packets, the unauthorised-access monitoring function can be disabled; 3. the lack of log correlation analysis means that host monitoring and audit products can only catch known anomalies by matching a signature library and are powerless against unknown ones. As for the products' own security, by detecting hidden processes/files, breaking the dual-process protection, and deleting autostart entries, the client agent can be terminated and local logs/configuration files tampered with, thereby disabling the client agent.

The thesis also describes a testing tool developed by the author; most of its functions are complete, and it has been applied in real tests. The tool comprises three modules: a process monitoring test module, an unauthorised-access monitoring test module, and a client agent security test module. The process monitoring test module consists of two parts, obtaining/modifying the copyright information of EXE files and obtaining/modifying file MD5 values; the unauthorised-access monitoring test module consists of three parts, IP-MAC address binding, an ARP firewall, and packet capture/tampering/sending; and the client agent security test module mainly covers managing process/autostart entry information.
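The third functional-module weakness above, signature-only matching with no log correlation, can be illustrated with a small detection example. This is added code, not part of the thesis or its testing tool; the log lines, host names, event types and the agent artefact name AuditAgent are constructed assumptions. It contrasts a signature-only matcher with a per-host time-window correlation over the tamper actions the abstract lists (autostart entry removed, guard and agent processes killed, configuration file rewritten):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host-audit log (not from the thesis): timestamp, host, event
# type, object. Each line alone is a routine admin action; only the burst on
# PC-07 is the agent-disabling sequence the thesis describes.
SAMPLE_LOG = r"""
2014-03-01T09:00:05 PC-07 process_start  C:\Windows\explorer.exe
2014-03-01T09:01:10 PC-07 autorun_delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AuditAgent
2014-03-01T09:01:12 PC-07 process_kill   AuditAgentGuard.exe
2014-03-01T09:01:13 PC-07 process_kill   AuditAgent.exe
2014-03-01T09:01:20 PC-07 file_write     C:\ProgramData\AuditAgent\agent.cfg
2014-03-01T09:30:00 PC-12 autorun_delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AuditAgent
2014-03-01T10:00:00 PC-12 process_start  C:\Tools\badtool.exe
2014-03-01T11:30:00 PC-12 process_kill   AuditAgent.exe
"""

KNOWN_BAD = {"badtool.exe"}            # signature library: exact file names only
AGENT_MARK = "AuditAgent"              # assumed name shared by the agent's artefacts
TAMPER_TYPES = {"autorun_delete", "process_kill", "file_write"}
WINDOW = timedelta(seconds=60)         # correlation window per host

def parse(log):
    """Return events as (time, host, type, object), oldest first."""
    events = []
    for line in log.strip().splitlines():
        ts, host, etype, obj = line.split(None, 3)
        events.append((datetime.fromisoformat(ts), host, etype, obj))
    return sorted(events)

def signature_alerts(events):
    """Signature-only matching: flags known file names and nothing else."""
    return [e for e in events if e[3].rsplit("\\", 1)[-1].lower() in KNOWN_BAD]

def correlation_alerts(events):
    """One alert per host when two or more distinct tamper actions hit agent
    artefacts within WINDOW of each other; no single event needs a signature."""
    by_host = defaultdict(list)
    for e in events:
        if e[2] in TAMPER_TYPES and AGENT_MARK in e[3]:
            by_host[e[1]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            kinds = {e[2] for e in evs[i:] if e[0] - first[0] <= WINDOW}
            if len(kinds) >= 2:
                alerts.append((host, first[0], sorted(kinds)))
                break
    return alerts
```

On the sample, the signature matcher flags only the known file name on PC-12, while the correlation rule raises the PC-07 sequence and ignores PC-12's two agent-related events because they fall two hours apart.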
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master's
[Year of degree]: 2014
[Classification number]: TP393.08




Article number: 1860211


Link to this article: https://www.wllwen.com/guanlilunwen/ydhl/1860211.html

