Research and Implementation of Key Technologies for Program Behavior Analysis in an Anti-Trojan System
Published: 2018-05-26 06:13
Topic: program behavior analysis + hidden process detection; Source: Beijing University of Posts and Telecommunications, 2014 master's thesis
Abstract: With the development of information technology, computers have become an indispensable part of daily life. Individuals use them to browse the web, video chat and shop online; enterprises use them to store business data and automate management. Data of every kind has moved from traditional to digital storage, and the volume of digital information has grown explosively for years. Alongside that convenience, information security has drawn increasing attention. In recent years the number of Trojans, spyware and other malware has kept growing, and several user data leaks have occurred. Trojan detection has long been an active topic in network security; signature-based detection has matured over the past years, and research has shifted to the detection of unknown Trojans. Program behavior analysis is a foundational technique that plays an important role in unknown-Trojan detection systems such as host-based proactive defense and intrusion detection systems. When behavior analysis is used to detect unknown Trojans, behavior capture is the prerequisite, a sound behavior judgment algorithm is the core, and effective removal of the Trojan is the foundation; none of the three can be omitted. Because behavior analysis is a young technique, all three still have shortcomings, so research on these key technologies matters for building anti-Trojan systems and protecting user data.

This thesis surveys existing program behavior capture techniques and finds that 64-bit Windows lacks a good capture method. On Trojan removal, current hidden process detection techniques have shortcomings in stability and efficiency. On behavior judgment, improvements to the naive Bayes classifier have concentrated on filtering invalid samples and adding attribute weights, without considering the parameter that represents the probability of a sample class (the class prior), which easily biases classification results.

To address these three shortcomings, the thesis studies Intel VT technology and implements a program behavior capture technique for 64-bit Windows; makes several improvements to the current memory-search-based hidden process detection method; and, after studying several behavior judgment algorithms, improves the naive Bayes classifier with attribute weighting and classification result adjustment, adding a host security risk assessment function that dynamically adjusts the algorithm's parameters so that its accuracy holds across different host environments. The contributions are: first, the memory-search-based hidden process detection method is improved so that it runs stably on multi-core CPU systems and detects hidden processes faster and more completely; second, the naive Bayes classifier receives several improvements, including a weight calculation method independent of the composition of the training set, which avoids the negative effects of poorly chosen training samples; third, host security risk is assessed with an entropy-weight fuzzy evaluation method, and the result is used to adjust the naive Bayes classifier, making its output more accurate.
Degree-granting institution: Beijing University of Posts and Telecommunications
Degree: Master's
Year conferred: 2014
Classification number: TP393.08
Article ID: 1936238
Link: https://www.wllwen.com/guanlilunwen/ydhl/1936238.html