Research on P2P-Based Malicious Code Detection and Defense Technology
[Abstract]: With the development of information technology, malicious code in its various forms keeps increasing and has now penetrated every aspect of our lives. Most existing security software relies on servers to update its virus library, and such software has long raised concerns that it steals users' private data. To solve these problems, this paper combines P2P technology with malicious code detection and defense technology and establishes a new mechanism for combating malicious code. The research covers three parts: detection, defense and response. Detection technology is like a spear, defense technology is like a shield, and the response network is the warrior who wields the spear and shield in the fight. The three parts complement one another, and none can be dispensed with.
The key technology of detection has two points. The first is distributed code behavior monitoring, which distributes code monitoring to the individual nodes of the P2P network so that the nodes cooperate with one another in the "fight". The second is the challenge test for malicious code: to detect malicious code that is still in its latent period, challenge tests are used to expose its true nature as early as possible.
The key technology of defense consists of three parts. The first is static data scanning. Compared with general scanning, scanning based on data differences is more efficient and avoids a large number of repeated and useless scans. The second is dynamic data protection. Based on the response network's analysis of the malicious code, it decides what to protect and then protects it at different levels according to its importance index. The third is automatic repair. On one hand, versions are rolled back by recording the differential data of modifications to files and similar objects; on the other hand, repairs are made using the data distributed across the P2P network. By creating a PDP-outer that does not depend on the operating system to run, automatic repair can be performed even if the operating system crashes.
The key technologies of response include the construction of the P2P-based basic network and the identification and processing of malicious code. The response network is a P2P network containing many nodes. It guarantees the security of the basic network through security mechanisms such as a node authentication protocol, a data transmission protocol and credibility. Synchronizing the distributed data on each node, so that data such as blacklists and whitelists stay consistent, is the prerequisite for identifying and processing malicious code. Behavior monitoring on the nodes of the response network generates behavior logs and similar data. This paper discusses several methods, including neural networks, for processing these data and then carrying out autonomous learning and decision-making.
After more than a year of research and experiments, the work has produced results in the following three aspects: 1. A new malicious code detection and defense method is proposed, which removes the reliance on server updates. Because it is decentralized and open source, it also solves the problem that private data can be stolen. 2. To compare the detection and defense methods proposed in this paper with general methods, a simulation verification program was developed that simulates the contest between security software and malicious code. 3. An invention patent application, "a malicious code detection and defense method", has been filed based on the method proposed in this paper and is currently in the accepted state.
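[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08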
Article ID: 2458658
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2458658.html