Research on Host-Based Runtime Behavior Monitoring Techniques for Malicious Programs
Abstract
With the rapid development of the Internet, network applications have become ever broader and deeper, and malware has developed continuously alongside them, seriously threatening the privacy and property of users; attention to Internet security problems is therefore growing. Traditional anti-virus software judges a target program using predefined binary signatures [1][2][3]; against viruses with a very large number of variants it has essentially lost its defensive value. Moreover, extracting a binary signature requires a sample, and on today's highly connected Internet a new virus may already have broken out on a large scale by the time the signature has been extracted and the anti-virus signature base updated. To make up for the shortcomings of anti-virus software in timeliness and reliability, the Host Intrusion Prevention System (HIPS) has been proposed and is receiving ever more attention and application.
HIPS is based on runtime behavior monitoring. It is installed on the protected system, tightly integrated with the operating system, monitoring the system's various behaviors and preventing illegal modification of and damage to the system; it is a proactive, active intrusion prevention and blocking system. It interrupts operations that violate the security policy in real time, protects the user from infection by known threats and by unknown new threats, and greatly improves the host system's immunity to unknown threats. Although HIPS has many advantages, its high false-positive rate, cumbersome operation and overly specialized nature have also greatly hindered its spread and practical use.
This thesis discusses several key technologies of HIPS, describes in detail the design of a HIPS on the Windows platform, and implements a prototype system. Through this discussion of HIPS, the thesis attempts to improve the practical usability of HIPS.
For the key technologies of HIPS, the thesis mainly discusses the capture, analysis and handling of suspicious behavior, gives a feasible technical scheme for each on the Windows platform, and on that basis analyzes and compares the advantages and disadvantages of the schemes. For construction of the rule base, it proposes building a whitelist by verifying the digital signatures of code, automatically updating the rule base, and introducing a learning mode, in order to reduce the false-positive rate of HIPS. Finally, the thesis describes in detail the design of a HIPS system on the Windows platform, including the general design, interface design and detailed design. To help the reader understand the design, the thesis also briefly introduces some relevant concepts of the Windows kernel.
In this project, the author participated in the theoretical research and analysis, was solely responsible for the design of the system architecture and the interface design, took part in the detailed design of the system, and independently completed the design and implementation of process monitoring, registry monitoring and network monitoring.
With the rapid development of the Internet, network applications are becoming more versatile and deeper. At the same time, malware is also progressing rapidly, threatening the privacy and property of individuals, so Internet security is drawing growing attention. Traditional anti-virus software depends on predefined binary signatures to detect an unknown file, which is ineffective against the vast number of variants. What is worse, extracting a binary signature requires a specimen, so a new virus may already have broken out before the anti-virus signature base has been updated. To overcome these defects, the Host Intrusion Prevention System (HIPS) has been proposed and is increasingly adopted.
HIPS is a proactive intrusion prevention system based on run-time behavior monitoring. It is installed on top of the operating system (OS) and tightly integrated with it, monitoring various behaviors and blocking illegal modification of or damage to the OS. It blocks operations that violate the security policy in real time, protecting the user from known and new threats and thus greatly improving the system's immunity to compromise. Despite its many advantages, it has a high false-alarm rate and requires fussy operation and knowledge of the OS, which has hampered its adoption.
Several critical technologies are discussed in this paper, and both the design and an implementation of a HIPS on the Windows platform are presented, in order to improve the practical usability of HIPS.
The capture, analysis and disposal of behavior are discussed, including various schemes to implement these technologies and the advantages and disadvantages of each. We propose three new ideas for constructing the rule base. Finally, we describe the general design, interface design and detailed design of the HIPS. Some concepts of the Windows kernel are introduced for the reader's convenience.
In this project, the author took part in the research of the subject and took charge of the design of the system architecture and of process, registry and network behavior monitoring.
References
[1] Kingsoft Duba. 2007 China Computer Virus Epidemic and Internet Security Report. http://www.duba.net/zt/2007report/
[2] J. Lyman. In Search of the World's Costliest Computer Virus. Factor, 2002(2): 78-81
[3] Steve R. White. Open Problems in Computer Virus Research. Virus Bulletin Conference, 2001(10.22): 101-105
[4] 金晶, 何昆, 张世永. Research on a virus monitor based on intelligent scanning. Computer Engineering, 1999(12): 86-88
[5] 尹传勇, 刘寿强, 蒋建勋. Research on active defense architectures from IDS to IPS. Computer Security, 2003(9): 22-24
[6] 胡英. IPS builds the core of active defense. China Computerworld, 2003(14): 19-20
[7] Mark Russinovich, David Solomon. Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server 2003, Windows XP, and Windows 2000. WA, USA: Microsoft Press, 2004: 23-80
[8] Prasad Dabak, Sandeep Phadke, Milind Borate. Undocumented Windows NT. Hungry Minds, 1999: 115-116
[9] Intel. Intel Architecture Software Developer's Manual, Volume 3: System Programming. Intel Press, 1999: 3-681 to 3-684
[10] Sven Schreiber. Undocumented Windows 2000 Secrets: A Programmer's Cookbook. Addison-Wesley, 2001: 265-306
[11] Greg Hoglund, Jamie Butler. Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, 2006
[12] Metasploit. Windows System Call Table (NT/2000/XP/2003/Vista). http://www.metasploit.com/users/opcode/syscalls.html
[13] 尤晋元, 史美林. Principles of the Windows Operating System. Beijing: China Machine Press, 2001: 301-304
[14] Art Baker. The Windows 2000 Device Driver Book: A Guide for Programmers, Second Edition. Prentice Hall PTR, 2000
[15] Walter Oney. Programming the Microsoft Windows Driver Model. Microsoft Press, 2000: 32-53
[16] Chris Cant. Writing Windows WDM Device Drivers. CMP Books, 1999: 8-21
[17] Microsoft. Locks, Deadlocks, and Synchronization. http://www.microsoft.com/whdc/driver/kernel/locks.mspx
[18] Microsoft. Scheduling, Thread Context, and IRQL. http://www.microsoft.com/whdc/driver/kernel/IRQL.mspx
[19] 武安河. Windows 2000/XP WDM Device Driver Development (2nd ed.). Beijing: Publishing House of Electronics Industry, 2005
[20] Microsoft. Memory Management: What Every Driver Writer Needs to Know. http://www.microsoft.com/whdc/driver/kernel/mem-mgmt.mspx
[21] Peter Viscarola, et al. Windows NT Device Driver Development. New Riders Press, 1998
[22] Microsoft. Windows 2000 DDK Documentation. 2000
[23] 张建新. Analysis of the Windows 2000 kernel structure and driver development. Computer Engineering and Applications, 2002(10): 121-123
[24] Edward Dekker, Joseph Newcomer. Developing Windows NT Device Drivers: A Programmer's Handbook. Addison-Wesley Professional, 1999
[25] Microsoft. Network Driver Interface Specification - NDIS 5.0 Overview. http://www.microsoft.com/whdc/archive/ndis5.mspx
[26] Microsoft. Windows Security Model: What Every Driver Writer Needs to Know. http://www.microsoft.com/whdc/driver/security/drvsecure.mspx
[27] Microsoft. User Account Control Overview. http://technet.microsoft.com/en-us/windowsvista/aa906021.aspx
[28] Microsoft. Patching Policy for x64-Based Systems. http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx
[29] Gary Nebbett. Windows NT/2000 Native API Reference. Sams, 2000: 133-174
[30] Sekar R, Bowen T, Segal M. On preventing intrusions by process behavior monitoring. USENIX Intrusion Detection Workshop, 1999: 10
[31] Yona Hollander, Romain Agostini. Stop hacker attacks at the OS level. Internet Security Advisor Magazine, 2000(3): 9-10
[32] Mark Russinovich, David Solomon. Windows Internals (Chinese translation by 潘爱民). Beijing: Publishing House of Electronics Industry, 2007: 450-457
[33] WebCrazy. Running Ring 0 code on Windows NT/2000 without a driver. http://www.infosecurity.org.cn/article/ossec/nt2000/22595.html
[34] Jeffrey Richter. Programming Applications for Windows, Fourth Edition. Microsoft Press, 1999: 531-544
[35] 陈向群, 马洪兵. Windows Kernel Laboratory Tutorial. Beijing: China Machine Press, 2002
[36] Rajeev Nagar. Windows NT File System Internals. O'Reilly, 1997
[37] California Software Laboratories. I/O File System Filter Driver for Windows NT. 2002
[38] 冯德旺, 兰建容, 谢纯柏. File and process monitoring in a Windows NT host-based intrusion detection system. Computer Systems & Applications, 2001(12): 20-23
[39] 杨深, 杨寿保. Firewall design based on Windows 2000. Computer Science, 2002(29.12): 80-82
[40] Pcausa. Windows Network Data and Packet Filtering. http://www.ndis.com/papers/winpktfilter.htm
[41] 朱雁辉. Windows Firewalls and Network Packet Interception Techniques. Beijing: Publishing House of Electronics Industry, 2002
[42] Pcausa. Answers to TDI Frequently Asked Questions. http://www.pcausa.com/resources/tdifaq.htm
[43] Ric Vieler. Professional Rootkits. Wrox, 2007
[44] Microsoft. Introduction to Code Signing. http://msdn2.microsoft.com/en-us/library/ms537361.aspx
[45] Microsoft. Code-Signing Best Practices. http://www.microsoft.com/whdc/winlogo/drvsign/best_practices.mspx
[46] Microsoft. User-Mode Interactions: Guidelines for Kernel-Mode Drivers. http://www.microsoft.com/whdc/driver/kernel/KM-UMGuide.mspx
[47] Microsoft. Flow of Control for Cancel-Safe IRP Queuing. http://www.microsoft.com/whdc/driver/kernel/IoCsq.mspx
[48] Microsoft. I/O Completion/Cancellation Guidelines. http://www.microsoft.com/whdc/driver/kernel/Iocancel.mspx
[49] Microsoft. Cancel Logic in Windows Drivers. http://www.microsoft.com/whdc/driver/kernel/cancel_logic.mspx
[50] Anthony Jones, Jim Ohlund. Network Programming for Microsoft Windows, Second Edition. Microsoft Press, 2002: 8-29
[51] Microsoft. Handling IRPs: What Every Driver Writer Needs to Know. http://www.microsoft.com/whdc/driver/kernel/IRPs.mspx
