
Research on Malicious Code Detection Technology Based on Non-Packet Reassembly

Published: 2018-06-04 06:55

Topics: non-packet reassembly + detection; Source: University of Electronic Science and Technology of China, 2014 master's thesis


[Abstract]: When faced with a single object file, a host-based detection system has the stronger detection capability, but the cost of installing and running a detection agent on every device is too high for large-scale deployment across a network. In practice, therefore, network-based detection systems have the broader range of application scenarios and can be deployed at many more network nodes. Given this, improving the detection capability of each individual device in a network malicious-code detection system lets the system respond better to malicious-code intrusions and achieve better performance in network security defense. A network-based malicious-code detection system has a large number of front-end detection devices, but they are relatively low-end and cheap per unit; unlike a host-based detector they cannot reassemble the traffic streams captured on the network, and even where they can, doing so is slow and costly, and once processing falls behind the network traffic rate, large numbers of already-captured packets are dropped. Current network-level malicious-code detection systems can only match behaviour-rule patterns: what they detect is either the malicious behaviour of malware already planted inside the network segment or attacks from the external network against the intranet, and, like host-based detection, they cannot react to the process by which the virus is planted. If the advantages of the two could be combined, applying the host's ability to inspect files to the analysis of network packets, the planting process itself could be detected.
As noted above, front-end devices cannot reassemble data because of their own limitations, so it would be highly significant if the front-end host of the detection system could decide whether a packet carries malicious code without reassembling it. Under the precondition of no packet reassembly, matching signatures directly against the content of a single packet and raising alerts on suspicious packets can markedly strengthen the detection capability of the front-end hosts of a network-based malicious-code detection system, with the ultimate goal of detecting anomalies while the virus is still propagating. The key technical difficulty of this scheme lies in designing a signature-scanning detection engine suited to malicious-code detection without packet reassembly; such an engine comprises signature selection, signature-database construction, an efficient signature-matching algorithm, and other key points. Although complete signature-scanning toolchains already exist, their application scenario is host-based malicious-code detection: they generally select long signatures and match precisely, but place little demand on matching speed. Applying them mechanically in a network environment would lead to signatures being easily truncated across packet boundaries and to matching throughput too low to keep up, so that the system drops large numbers of packets. This thesis therefore focuses on designing and implementing a signature-scanning technique suited to a malicious-code detection system without packet reassembly, working through the key stages, implementing the system, and finally validating it through testing.
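The truncation problem the abstract describes, as an added example (not code from the thesis): a small Aho-Corasick multi-pattern scanner is run once per packet payload and once over the reassembled stream, showing that a long signature straddling a packet boundary is missed while short fragments of it still hit. The signature names, patterns and the sample payload are constructed for illustration.

```python
from collections import deque
# Constructed signatures (hypothetical, not from the thesis): one long DOS-stub
# string and two short fragments of the kind a per-packet engine would select.
SIGNATURES = {
    "mz_header": b"MZ\x90\x00",
    "dos_stub_full": b"This program cannot be run in DOS mode",
    "dos_stub_fragment": b"run in DOS mode",
}
# Constructed 105-byte PE-like prefix split 80/25, so the long signature
# (bytes 64..101) straddles the packet boundary at byte 80.
STREAM = b"MZ\x90\x00" + bytes(60) + b"This program cannot be run in DOS mode.\r\n"
PACKETS = [STREAM[:80], STREAM[80:]]

def build_automaton(sigs):
    """Aho-Corasick over bytes: trie (goto), failure links, merged outputs."""
    goto, out = [{}], [set()]
    for name, pat in sigs.items():
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto[s][b] = len(goto)
                goto.append({}); out.append(set())
            s = goto[s][b]
        out[s].add(name)
    fail, queue = [0] * len(goto), deque(goto[0].values())
    while queue:  # breadth-first, so fail[] of shallower nodes is already final
        r = queue.popleft()
        for b, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0) if r else 0  # depth-1 nodes fail to root
            out[s] |= out[fail[s]]  # a pattern that is a suffix also matches here
    return goto, fail, out

def scan(data, automaton):
    """Single pass over one buffer; returns the set of signature names hit."""
    goto, fail, out = automaton
    s, hits = 0, set()
    for b in data:
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        hits |= out[s]
    return hits

def demo():
    # Per-packet hits (no reassembly) versus hits on the reassembled stream.
    auto = build_automaton(SIGNATURES)
    per_packet = [scan(p, auto) for p in PACKETS]
    return per_packet, scan(b"".join(PACKETS), auto)
```

Only the reassembled scan reports `dos_stub_full`; the per-packet scan sees `mz_header` in the first payload and the short `dos_stub_fragment` in the second, which is why a non-reassembly engine must select signatures short enough to fit within one packet.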
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year of degree]: 2014
[Classification number]: TP393.08




Article ID: 1976427


Link to this article: https://www.wllwen.com/guanlilunwen/ydhl/1976427.html


