Packing Detection and Trojan Identification Techniques Based on PE Files
Published: 2018-07-24 22:06
[Abstract]: Network security is an inseparable part of informatics, and Trojan analysis and detection techniques are among the most important topics in that field. Today the vast majority of computers, and even mobile phones, have some kind of Trojan detection and removal software installed. This thesis studies Trojan analysis and detection methods on the Windows platform. On Windows a Trojan must exist as a PE file before it can go on to compromise the computer for illegal ends, and determining whether a PE file is packed is a step that cannot be neglected during Trojan detection, so the thesis also investigates methods for detecting packed PE files. It first reviews and analyses the state of Trojan detection research at home and abroad and sets out the two basic detection approaches, namely dynamic detection and static detection. It then describes in detail the structure of the PE file, how it is analysed and the properties of its sections, as preparation for extracting useful information and classification features from PE files. Next it presents a method for recognising packed PE files based on the Minkowski distance computed over specific PE file attributes, since packed and unpacked PE files differ markedly in certain attributes; experimental results show that the method detects packed PE files effectively. Finally it proposes a static Trojan detection method based on the C5.0 decision tree algorithm, which uses the various attributes extracted from the PE file as classification features and combines them with the efficient boosting algorithm. PE files are first unpacked with the PEiD tool and then processed further, which improves the performance metrics. Experimental results show that the method achieves some improvement in a number of respects.
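The packing-detection idea in the abstract, as an added Python example that is not code from the thesis: build a short attribute vector from the PE section table and flag the file as packed when its Minkowski distance from a reference profile of unpacked binaries exceeds a threshold. The chosen attributes (section count, highest section entropy, mean raw-to-virtual size ratio), the reference vector and the threshold are assumptions, since the abstract does not name them, and both PE images are constructed in memory as test input.

```python
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 = constant, 8 = uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_features(pe: bytes) -> list:
    """Assumed attribute vector from the section table:
    [section count, highest section entropy, mean raw/virtual size ratio]."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4   # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    ents, ratios = [], []
    for i in range(nsec):
        off = coff + 20 + opt_size + 40 * i          # 40-byte section headers follow the optional header
        vsize, _va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        ents.append(entropy(pe[rawptr:rawptr + rawsize]))   # compressed payloads sit near 8 bits/byte
        ratios.append(rawsize / vsize if vsize else 1.0)     # unpack targets have raw size << virtual size
    return [float(nsec), max(ents, default=0.0), sum(ratios) / max(len(ratios), 1)]

def minkowski(a, b, p=2) -> float:
    """Minkowski distance of order p (p=1 Manhattan, p=2 Euclidean)."""
    return sum(abs(x - y) ** p for x, y in zip(a, b)) ** (1 / p)

# Assumed profile of an unpacked compiler-built binary and an assumed threshold (fit from labelled samples in practice)
UNPACKED_CENTROID = [4.0, 6.0, 1.0]
THRESHOLD = 1.5

def is_packed(pe: bytes, p=2) -> bool:
    return minkowski(pe_features(pe), UNPACKED_CENTROID, p) > THRESHOLD

def build_pe(sections) -> bytes:
    """Constructed minimal PE image for testing (no optional header, not loadable); sections: [(name, raw_bytes, virtual_size)]."""
    ptr = 0x40 + 4 + 20 + 40 * len(sections)             # raw section data follows the headers
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body = b"", b""
    for name, raw, vsize in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", vsize, 0x1000, len(raw), ptr) + bytes(16)
        body, ptr = body + raw, ptr + len(raw)
    return dos + b"PE\0\0" + coff + table + body

# Constructed samples: a plain three-section binary and a UPX-style layout (empty UPX0, uniform-byte UPX1 payload)
UNPACKED = build_pe([(b".text", bytes(range(64)) * 4, 256), (b".data", b"\0" * 200 + b"hello", 205), (b".rdata", b"ABCD" * 32, 128)])
PACKED = build_pe([(b"UPX0", b"", 0x8000), (b"UPX1", bytes(range(256)) * 2, 512), (b".rsrc", b"\0" * 64, 64)])
```

The three raw attributes are left unscaled, so with real data they should be normalised before the distance is taken, otherwise the section count dominates the entropy and ratio terms.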
[Degree-granting institution]: Guangxi University
[Degree level]: Master's
[Year awarded]: 2014
[Classification number]: TP393.08
Article number: 2142802
Link to this article: https://www.wllwen.com/guanlilunwen/ydhl/2142802.html