Research on the Detection of Bot-Type Malicious Code
Abstract
With the continuous development of Internet technology and applications, enterprises and users face a growing number of information security problems. In recent years the proliferation of malicious code across networks in particular has posed a serious threat to network security and caused large economic losses. Bot-type malicious code is especially dangerous: it combines characteristics of viruses, Trojans and worms, accepts control commands from an attacker, and can direct thousands of hosts to attack a single target simultaneously. This class of malicious code has therefore drawn wide attention in the network security field.
     Addressing the security threat posed by malicious code and the shortcomings of current detection techniques, this thesis proposes a behavioral-feature detection method for malicious code based on a BP (back-propagation) neural network. The method makes up for several weaknesses of existing approaches: signature matching cannot detect unknown malicious code, behavior analysis cannot reliably judge whether code is malicious, and pattern recognition methods are affected by anti-detection techniques. A malicious code detection system is then implemented with this method, and finally its accuracy in detecting malicious code samples is tested.
     The following work was completed during the method research and system implementation:
     (1) A large number of samples of bot-type and other malicious code were collected. Sample collection techniques were studied, a sample collection platform was built to gather malicious code samples, and a malicious code feature database was established.
     (2) Several typical bot samples were analyzed in depth, and other types of malicious code were analyzed as well. Their behavior was classified by the features exhibited at each stage (propagation, control and attack), and a state-machine-based malicious code feature model was established.
     (3) BP networks and machine learning methods were studied; the bot features obtained from the analysis were defined and quantified, and a BP network structure for malicious code detection was designed. Training samples were fed to the detection network to obtain a well-performing network model. Besides bot-type malicious code, the detection network can also detect some Trojans and worms.
     (4) Based on the results above, a malicious code detection system was designed, implementing classification and recognition of malicious code. Two key problems were solved in the implementation: analyzing the behavioral features of a sample's effect on the system while it runs, and capturing the sample's control and attack information in network traffic. The system consists of three main modules: behavior monitoring, network monitoring and system recovery. Functional testing was carried out on the system, the detection accuracy on samples was measured, and the results were analyzed.
Abstract (English version)
With the popularization of computers and networks, enterprises and users face a growing number of security issues. Recently, more and more malicious code has spread across networks, posing a great threat to network security and causing great economic losses. A bot integrates the characteristics of viruses, Trojans and worms, accepts control commands, and can control thousands of hosts to attack a target simultaneously; it is a serious security threat. This type of malicious code has aroused widespread concern in the field of network security.
     In response to the security threats of malicious code and the problems of current detection technology, this thesis proposes a malicious code detection method based on behavioral characteristics and a BP network. The method makes up for problems that exist in current detection methods: signature matching cannot detect unknown malicious code, behavior analysis methods cannot effectively judge malicious code, and pattern recognition methods encounter anti-detection techniques. The thesis then implements a malicious code detection system with this method and finally tests detection on samples.
     The work on the research method and system implementation is as follows:
     (1) Many bot samples and other types of malicious code samples were collected. Techniques for collecting malicious code samples were studied and a sample collection platform was built; a malicious code sample database was then set up.
     (2) Several typical bot samples and some other types of malicious code were analyzed. Behavior characteristics at the stages of spread, control and attack were collected, and a finite state machine feature model was set up.
     (3) BP network and machine learning methods were researched. The behavior characteristics of bots were defined and quantified. The BP network structure for detection was then designed, samples were input to train the detection network, and an ideal network model was obtained. The model can detect not only bots but also Trojans and worms.
     (4) A malicious code detection system was designed based on the above findings. Its main functions are malicious code classification and recognition. Two key problems were solved in the system: one is analyzing samples' behavior that impacts the system; the other is capturing samples' control information and attack information during network transmission. Three modules are implemented in the system: behavior monitoring, network monitoring and system restore. The system's functions were tested, the accuracy of sample detection was tested, and the test results were analyzed.