Research on Malicious Code Diagnosis Technology Based on a Trusted Base
Abstract
Statistics show that malicious code has become one of the main threats facing computer systems today. As network behaviour has become more closely tied to social behaviour, the purpose of writing malicious code has shifted from showing off technical skill to obtaining economic or political gain; attacks have become more targeted, posing greater security risks to information systems.
Most existing malicious-code detection products are based on signature matching, so their effectiveness in detecting and removing malicious code depends on how quickly the virus database is updated, and they perform poorly against unknown malicious code. Moreover, with the spread of the Internet and the continual adoption of new technologies, malicious code variants appear ever faster, and virus-database updates cannot keep pace with this rapid change.
Addressing the trend in malicious code and the shortcomings of current detection techniques, this thesis summarises and analyses the common features and working mechanisms of malicious code and, on that basis, proposes a detection scheme based on a trusted base. The scheme starts from the observation that an intrusion by malicious code changes the integrity of the original system: a baseline database for detection, called the trusted base, is built from the system states and configuration items that malicious code frequently uses and is likely to alter, and the feasibility of building the trusted-base database is demonstrated on the premise that the computer system has not yet been attacked by malicious code. In addition, building on theoretical analysis of and experiments with malicious code, a malice-weight table for suspicious files is established from several aspects: process hiding, communication connections, automatic loading, and file-name similarity. The state of the system under examination is compared against the corresponding trusted data, the comparison is combined with the malice-weight table for suspicious data, and a detection conclusion is drawn.
Following the proposed scheme, a prototype malicious-code diagnosis system based on a trusted base was implemented; it detects malicious code through processes, the modules loaded by processes, the system service descriptor table, and the drivers loaded by the system. Real malicious-code intrusion detection and simulation experiments were carried out with the prototype. The results show that, under the Windows operating system, the prototype can effectively detect both known and unknown malicious code, and that for unknown malicious code in particular its detection performance is better than that of signature-based detection products.
The analysis and summary of the working mechanisms and common features of malicious code in this thesis provide a theoretical basis for future research on methods and techniques for defending against malicious code. The proposed trusted-base detection method can effectively detect malicious code, especially highly targeted malicious code that has not spread widely. Used in combination with existing malicious-code detection products, it can achieve fast and effective detection.
Furthermore, the trusted-base detection idea studied in this thesis can be extended to the defence against malicious code, forming a system with both detection and blocking functions and thereby better protecting computer systems from attack by malicious code.
Statistics indicate that malicious code has become one of the main threats to computer systems. As the network and society become more closely linked, the purpose of releasing malicious code has shifted from showing off to obtaining economic or political benefit. Attacks have become more targeted, creating greater hidden security risks for information systems.
Most current products for detecting malicious code are based on signature-matching technology, so their effectiveness in detecting and removing malicious code depends on how quickly their virus database is updated. Furthermore, these products do not work well against unknown malicious code. With the prevalence of the Internet and the application of new techniques, malicious code evolves ever faster, while virus-database updates cannot keep up with this change.
Aimed at the trend in malicious code and the shortcomings of present detection technology, the common features of malicious code are summarised and its mechanisms analysed, and a malicious-code detection scheme based on a Trusted Computing Base (TCB) is proposed. The foundation of this scheme is that the integrity of the operating system (OS) changes when it is attacked by malicious code. A baseline database for diagnosis, called the TCB, is built; it holds the OS states and configuration items that malicious code commonly changes. The feasibility of setting up the TCB database on an OS not yet attacked by malicious code is demonstrated. In addition, a malice-weight table for suspicious files, covering hidden processes, communications and auto-loading, is built on the basis of the analysed malicious-code mechanisms and experiments. Finally, the detection conclusion is derived by comparing the OS state of the target computer with the corresponding data in the TCB database and taking the malice-weight table into account.
Following the detection approach above, a prototype diagnosis system based on the TCB was implemented. It can detect malicious code through processes, the modules loaded by processes, the Service Descriptor Table (SDT) and the drivers loaded by the computer. Finally, simulation experiments were run to evaluate the system using this approach; the experimental data and analysis show that it is an effective method for detecting malicious code under Windows, and that in detecting unknown malicious code it is considerably more effective than current signature-matching detection products.
In short, this thesis analyses the mechanisms of malicious code and explores its common features, and provides a theoretical foundation for developing methods and techniques to prevent malicious code. The new TCB-based approach to detecting malicious code presented here is effective, particularly for malicious code that has a clearly defined target and does not spread on a large scale. Using this approach together with current virus-detection products would make detection of malicious code highly efficient.
In addition, the TCB-based detection idea in this thesis can be applied to preventing malicious code, yielding a system with both detection and prevention functions, which can better protect computers from attack by malicious code.
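As an added illustration, not code from the thesis or its prototype, the following Python sketch shows the comparison step described in both abstracts: a trusted-base snapshot of process and driver state is compared with a later snapshot, and each deviation is scored with a weight table covering hiding, network connections, auto-loading and file-name similarity. The snapshots, weights and threshold are constructed assumptions; a real implementation would collect the same attributes from the live system.

```python
import difflib

# Constructed sample data (not from the thesis): a trusted-base snapshot taken on a
# clean system, and a later snapshot of the same machine. Each entry records the
# traits the thesis's malice-weight table looks at for a process or driver.
TRUSTED_BASE = {
    "svchost.exe":  {"hidden": False, "netconn": False, "autoload": True},
    "lsass.exe":    {"hidden": False, "netconn": True,  "autoload": True},
    "explorer.exe": {"hidden": False, "netconn": False, "autoload": True},
}
CURRENT_SNAPSHOT = {
    "svchost.exe":  {"hidden": False, "netconn": False, "autoload": True},
    "lsass.exe":    {"hidden": False, "netconn": True,  "autoload": True},
    "explorer.exe": {"hidden": False, "netconn": True,  "autoload": True},   # now has a connection
    "svch0st.exe":  {"hidden": True,  "netconn": True,  "autoload": False},  # new, hidden, look-alike name
}

# Malice-weight table. The weights are assumed values for illustration; the thesis
# does not publish its table, only the four aspects it covers.
WEIGHTS = {"hidden": 0.4, "netconn": 0.2, "autoload": 0.2, "name_similarity": 0.2}
NAME_SIMILARITY_CUTOFF = 0.8   # assumed cutoff for "looks like a system file name"

def name_similarity(name, known=tuple(TRUSTED_BASE)):
    """Best similarity ratio between `name` and any trusted name other than an exact match."""
    return max((difflib.SequenceMatcher(None, name.lower(), k.lower()).ratio()
                for k in known if k.lower() != name.lower()), default=0.0)

def malice_score(name, attrs):
    """Sum the weights of the suspicious traits an entry exhibits."""
    score = sum(WEIGHTS[t] for t in ("hidden", "netconn", "autoload") if attrs.get(t))
    if name_similarity(name) >= NAME_SIMILARITY_CUTOFF:
        score += WEIGHTS["name_similarity"]
    return round(score, 2)

def diagnose(current, base=TRUSTED_BASE, threshold=0.5):
    """Score every entry that deviates from the trusted base; identical entries are skipped."""
    findings = []
    for name, attrs in current.items():
        if base.get(name) == attrs:
            continue   # integrity-consistent with the trusted base
        score = malice_score(name, attrs)
        findings.append((name, score, "suspicious" if score >= threshold else "review"))
    return findings

if __name__ == "__main__":
    for name, score, verdict in diagnose(CURRENT_SNAPSHOT):
        print(f"{name:14} score={score:.2f} {verdict}")
```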