
Virtual environment "digital foot

Published: 2018-06-18 10:40

Topic of this thesis: digital footprint + virtual-environment memory forensics; Source: Sichuan Normal University, master's thesis, 2017


[Abstract]: With the rapid development of virtualization technology, more and more business applications of enterprises, universities and government bodies are being moved into virtual environments. As these workloads grow, network attacks aimed at virtual environments are also increasing sharply, and they pose a serious threat to national and corporate economic interests and security. At the same time, attack techniques in virtual environments are becoming stealthier (for example through anti-forensics), so traditional memory forensics cannot cope effectively with forensic work in a virtual environment. Research on lossless extraction of memory evidence from virtual environments and on reconstructing the behaviour of malware attacks is therefore of great value for helping political and legal authorities rebuild evidence after an incident and combat cybercrime. This thesis studies and implements a dedicated memory forensics system for virtual environments, with three main contributions. First, it proposes a memory forensics model for the VMware virtual environment; the model improves the workflow of existing memory forensics models and offers a repeatable process, high accuracy of memory acquisition, high forensic efficiency and strong resistance to interference. Second, it proposes the virtual-environment "digital footprint": the digital features extracted by traditional memory forensics are defined as "digital patterns", and the dynamic behavioural features that these patterns form along a time series are defined as "digital footprints", which capture more complete behavioural information than digital patterns alone. Third, it proposes an improved K-means multi-source association analysis algorithm for malicious processes. The algorithm extends process relationships to a six-element relation (parent-child, name, time, file, communication and account), replaces the cosine distance of the traditional K-means algorithm with the association degree over these six relations, and replaces its random initialization with an initialization rule based on known malicious processes, giving higher stability and more complete associations. By studying the memory management and address translation mechanisms of the virtual environment, the thesis reconstructs volatile in-memory data, completes the extraction of virtual-environment "digital footprints", malicious behaviour detection and malicious process association analysis, and finally reconstructs malware behaviour, meeting the needs of political and legal authorities in business application, in-depth analysis and lead tracking. Test results show that the proposed memory forensics model extracts volatile memory data of malware with high precision and accuracy, that the forensics system achieves a high completeness rate for "digital footprint" extraction, and that the improved K-means multi-source association analysis algorithm improves the malware behaviour analysis graph with a high association completeness rate. However, "digital footprint" extraction is still incomplete, the false positive rate of malware behaviour reconstruction is somewhat high, and the problem of service interruption while acquiring memory from server editions remains unsolved; these three points are directions for future work.
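The abstract describes the improved K-means algorithm only in outline: a six-relation association degree replaces the cosine distance, and processes already identified as malicious replace the random initial centres. The following is an added example written for this page, not code from the thesis, that makes those two substitutions concrete on a small set of process records reconstructed from a memory image. The relation scoring functions, their weights, the 1-minute time decay, the assignment threshold `min_assoc` and the medoid-style centre update are all assumptions for illustration (the abstract gives none of them), and the process records are constructed sample data.

```python
"""Added example (not the thesis's code): K-means-style association clustering
of process records from a memory image.  The pairwise association degree over
six relations (parent-child, name, time, file, communication, account)
replaces cosine distance, and known-malicious processes replace random
initial centres.  Scores, weights, threshold and the medoid update are
assumptions made for this illustration; the sample records are constructed.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Proc:
    """One process as it would be reconstructed from a memory image."""
    pid: int
    ppid: int
    name: str
    start: float        # start time, seconds since boot (constructed)
    files: frozenset    # file paths the process had open or wrote
    conns: frozenset    # remote endpoints "ip:port" it talked to
    account: str        # account the process ran under


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def relations(p, q):
    """Six relation scores in [0, 1] between two processes (assumed scoring)."""
    return {
        "parent":  1.0 if p.ppid == q.pid or q.ppid == p.pid else 0.0,
        "name":    1.0 if p.name == q.name else 0.0,
        "time":    math.exp(-abs(p.start - q.start) / 60.0),  # 1-minute decay
        "file":    jaccard(p.files, q.files),
        "comm":    jaccard(p.conns, q.conns),
        "account": 1.0 if p.account == q.account else 0.0,
    }


# Assumed weights; they sum to 1 so the association degree lies in [0, 1].
WEIGHTS = {"parent": 0.25, "name": 0.15, "time": 0.15,
           "file": 0.15, "comm": 0.20, "account": 0.10}


def association(p, q):
    """Six-relation association degree, the similarity that replaces cosine distance."""
    r = relations(p, q)
    return sum(WEIGHTS[k] * r[k] for k in WEIGHTS)


def cluster_processes(procs, seeds, min_assoc=0.3, max_iter=20):
    """Group processes around the known-malicious seeds.

    A process joins the centre it is most associated with if that association
    reaches min_assoc; otherwise it is reported as unassigned.  Each centre is
    then re-chosen as the member with the highest total association to its
    cluster (a medoid), so a centre is always a real process record.
    Returns ({centre_pid: sorted member pids}, sorted unassigned pids).
    """
    centres = list(seeds)
    for _ in range(max_iter):
        members = {c.pid: [] for c in centres}
        unassigned = []
        for p in procs:
            best = max(centres, key=lambda c: association(p, c))
            (members[best.pid] if association(p, best) >= min_assoc
             else unassigned).append(p)
        new_centres = [
            max(members[c.pid],
                key=lambda m: sum(association(m, o) for o in members[c.pid]))
            if members[c.pid] else c
            for c in centres
        ]
        if {c.pid for c in new_centres} == {c.pid for c in centres}:
            break
        centres = new_centres
    return ({cid: sorted(p.pid for p in ps) for cid, ps in members.items()},
            sorted(p.pid for p in unassigned))


# Constructed sample: a macro document spawning a dropper that talks to a C2
# address, a later persistence process, and unrelated system processes.
C2 = "203.0.113.5:443"
DROP = "C:\\Users\\bob\\AppData\\x.dll"
SAMPLE = [
    Proc(1200, 800,  "winword.exe",   100.0, frozenset({"C:\\Users\\bob\\invoice.docm"}), frozenset(), "bob"),
    Proc(4321, 1200, "svchost.exe",   105.0, frozenset({DROP}), frozenset({C2}), "bob"),
    Proc(4400, 4321, "cmd.exe",       110.0, frozenset({DROP}), frozenset(), "bob"),
    Proc(6000, 500,  "updater.exe",  4000.0, frozenset({DROP}), frozenset({C2}), "bob"),
    Proc(6100, 6000, "rundll32.exe", 4003.0, frozenset(), frozenset({C2}), "bob"),
    Proc(800,  4,    "explorer.exe",   20.0, frozenset({"C:\\Windows\\explorer.exe"}), frozenset(), "bob"),
    Proc(600,  4,    "lsass.exe",       5.0, frozenset(), frozenset(), "SYSTEM"),
]
PROCS = {p.pid: p for p in SAMPLE}
# Initialisation rule: the centres start as the processes already flagged as
# malicious (the dropper and the persistence binary), not as random picks.
SEEDS = [PROCS[4321], PROCS[6000]]

if __name__ == "__main__":
    clusters, unassigned = cluster_processes(SAMPLE, SEEDS)
    for centre, pids in clusters.items():
        print(PROCS[centre].name, "->", [PROCS[i].name for i in pids])
    print("unassigned:", [PROCS[i].name for i in unassigned])
```

On the sample, winword.exe and cmd.exe attach to the svchost.exe dropper through the parent-child, time and shared-file relations, rundll32.exe attaches to updater.exe through parent-child and the shared C2 endpoint, and explorer.exe and lsass.exe stay unassigned because they share at most an account with either seed. Centres are medoids rather than means because a "mean process" has no meaning for relational features; with vector features the usual mean update would apply unchanged.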
【Degree-granting institution】: Sichuan Normal University
【Degree level】: Master's
【Year awarded】: 2017
【Classification number】: TP309


Article number: 2035200



Link: https://www.wllwen.com/kejilunwen/ruanjiangongchenglunwen/2035200.html

