Research and Implementation of a Trojan Attack and Detection System
Published: 2019-01-03 19:14
[Abstract]: With the growth of networks, network information security has become a matter of increasing public concern. From the rampant viruses of the past to today's proliferation of Trojan horses, information-stealing Trojans have replaced viruses as the number one enemy of network security. The Trojan has become a key tool in the "Internet transition" of behind-the-scenes grey-market interest groups: producing and distributing Trojans, stealing account information, extracting illegal profit, laundering the money and splitting the proceeds now form a complete "hacker economic chain" centred on the Trojan and aimed at stealing users' property. The work of this thesis is as follows. First, it surveys the classification of Trojans and the five generations of Trojan technology, together with future trends. It analyses in detail how a Trojan works and the specific techniques used in four phases: implantation, start-up, concealment and establishing communication. It examines in depth the techniques Trojans use to hide their own resources, including hooking, remote thread injection and port reuse, and explains how dynamic-link libraries are used. Second, it introduces the five existing categories of anti-Trojan technology: signature technology, virtual machine technology, static heuristic technology, dynamic heuristic technology (behaviour detection) and intrusion detection technology, comparing the strengths, weaknesses and best-suited areas of each. Third, for the mainstream Trojan families, it analyses the operating system's service flow, the mechanism for switching between kernel mode and user mode, and the use of API functions. On this basis it proposes its own detection approach for today's highly concealed rootkit Trojans: parse system resources directly at the lowest level to obtain complete information, then compare the result with what user mode reports in order to expose hidden resources. Using this approach it builds a Trojan detection system model that combines memory integrity checking with hidden-process, hidden-registry-key and hidden-file detection, and the thesis describes the idea and concrete steps of each detection module in its chapters. Fourth, the detection system is tested; the results show good detection of highly concealed rootkit Trojans and certain advantages over comparable detection software, while also revealing shortcomings of the system.
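The detection approach the abstract describes is a cross-view comparison: a list of processes, registry keys and files obtained by parsing low-level structures directly is compared against what user-mode APIs report, and any entry present only in the low-level view is a hidden resource; a memory integrity check covers code and dispatch tables that a rootkit hooks. The following Python is an added illustration of that idea, not code from the thesis. It operates on constructed sample views (both views, the code-region bytes and the dispatch-table addresses are invented for the example) so that it runs offline; in a real implementation the low-level view would come from kernel memory or raw disk parsing and the high-level view from the ordinary enumeration APIs.

```python
"""Cross-view detection of hidden resources plus a simple memory-integrity check.

Added illustration of the detection idea in the abstract, not code from the
thesis. Every input below is constructed sample data so that it runs offline:
the "low-level view" stands in for information parsed directly from kernel
structures or raw on-disk data, the "high-level view" for what user-mode APIs
report after a rootkit has had a chance to filter them.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str    # "process", "registry" or "file"
    identifier: str  # "pid:name", registry key path or file path
    kind: str        # "hidden": low-level only; "phantom": user-mode only


def cross_view_diff(category, low_level_view, high_level_view):
    """Compare the two views of one resource category.

    Entries the low-level parse sees but user mode does not are the classic sign
    of a rootkit filtering API results. Entries only user mode reports are also
    suspicious (a spoofed or injected result), so they are reported as phantom.
    """
    low, high = set(low_level_view), set(high_level_view)
    hidden = [Finding(category, x, "hidden") for x in sorted(low - high)]
    phantom = [Finding(category, x, "phantom") for x in sorted(high - low)]
    return hidden + phantom


def detect_hidden_resources(low_views, high_views):
    """Run the cross-view comparison for every category present in either view."""
    findings = []
    for category in sorted(set(low_views) | set(high_views)):
        findings.extend(cross_view_diff(category,
                                        low_views.get(category, ()),
                                        high_views.get(category, ())))
    return findings


def check_memory_integrity(region_bytes, baseline_sha256):
    """True when a code region still matches the hash taken from a clean image."""
    return hashlib.sha256(region_bytes).hexdigest() == baseline_sha256


def find_modified_entries(current_table, baseline_table):
    """Indices of a dispatch table (e.g. the system call table) whose pointers
    no longer match the clean baseline."""
    return [i for i, (cur, base) in enumerate(zip(current_table, baseline_table))
            if cur != base]


# ---- constructed sample data (not taken from any real system) ----
LOW_LEVEL_VIEW = {
    "process": ["4:System", "512:svchost.exe", "1337:update_svc.exe"],
    "registry": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                 r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wupdmgr"],
    "file": [r"C:\Windows\System32\ntoskrnl.exe",
             r"C:\Windows\System32\drivers\hidden.sys"],
}
HIGH_LEVEL_VIEW = {
    "process": ["4:System", "512:svchost.exe"],            # PID 1337 filtered out
    "registry": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"],
    "file": [r"C:\Windows\System32\ntoskrnl.exe",
             r"C:\Windows\Temp\decoy.log"],                 # reported but not on disk
}

# A clean 64-byte "function body" and its baseline hash; the hooked copy has a
# relative jump written over its first five bytes, as an inline hook would.
CLEAN_REGION = bytes(range(64))
CLEAN_BASELINE = hashlib.sha256(CLEAN_REGION).hexdigest()
HOOKED_REGION = b"\xe9\x00\x10\x00\x00" + CLEAN_REGION[5:]

# Constructed dispatch table: entry 2 now points outside the kernel image.
BASELINE_TABLE = [0xFFFFF80001000010, 0xFFFFF80001000220,
                  0xFFFFF80001000480, 0xFFFFF80001000A00]
CURRENT_TABLE = list(BASELINE_TABLE)
CURRENT_TABLE[2] = 0xFFFFF88003200000


def run_detection():
    """Combine the hidden-resource checks with the memory checks into one report."""
    report = [f"{f.category}: {f.kind} {f.identifier}"
              for f in detect_hidden_resources(LOW_LEVEL_VIEW, HIGH_LEVEL_VIEW)]
    if not check_memory_integrity(HOOKED_REGION, CLEAN_BASELINE):
        report.append("memory: code region hash differs from clean baseline")
    for idx in find_modified_entries(CURRENT_TABLE, BASELINE_TABLE):
        report.append(f"memory: dispatch table entry {idx} modified")
    return report


if __name__ == "__main__":
    for line in run_detection():
        print(line)
```

The comparison is deliberately symmetric: a rootkit that filters enumeration results produces "hidden" findings, while an entry the user-mode view reports that the low-level parse cannot find is equally worth investigating, so it is surfaced as "phantom" rather than silently discarded. The memory checks only say that something changed; a real system would pair them with a whitelist of legitimate patches (hotpatching, security products) to keep false positives down.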
[Degree-granting institution]: Inner Mongolia University
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.08
Record number: 2399772
Link to this record: https://www.wllwen.com/guanlilunwen/ydhl/2399772.html