Research and Implementation of Computer Virus Detection Technology
Abstract
As computer viruses become ever more rampant, computer security receives ever more attention, and anti-virus technology develops ever faster. The newest and most advanced anti-virus techniques today include real-time scanning, heuristic code scanning, virtual machine techniques and active kernel techniques. Each of these techniques has its own strengths, but none of them is yet mature in practical application. Although existing anti-virus software has played a major role in combating viruses, it still falls short, and in particular it lacks sufficiently effective methods against unknown viruses.

This thesis thoroughly analyzes the essential characteristics and propagation methods of computer viruses and proposes several methods for detecting unknown viruses. Building on a combined study of the PE file format and techniques for executing Ring 0 code in the operating system, the author proposes a scheme for detecting file-infecting viruses on the Windows platform, gives a concrete implementation, and obtains fairly good test results. The scheme requires no virus signature database, detects in real time, and can defend against unknown viruses.

The thesis also studies other techniques from the information security field, namely intrusion detection and program evolution, which offer useful lessons for virus detection and prevention. The author summarizes the two basic approaches to intrusion detection and raises several problems that intrusion detection technology still needs to solve; summarizes the various program evolution techniques, explains the principle behind applying them to information security, illustrates this with several examples, and finally points out the problems they face in practical application.
As computer viruses become more and more rampant, computer security receives more attention, and anti-virus techniques develop more rapidly as well. Nowadays there are new and advanced anti-virus techniques such as real-time scanning, heuristic code scanning, virtual machines and the active kernel technique. Each of these techniques has its own characteristics, but their application is not yet mature enough. Anti-virus techniques are updated as new viruses constantly appear. Existing anti-virus software plays an important role in dealing with computer viruses, but it still does not satisfy security requirements, and in particular it lacks effective methods for dealing with unknown viruses.

This thesis thoroughly analyzes the essential characteristics and propagation principles of computer viruses and presents some methods for detecting unknown viruses. After a combined study of the PE file format and the technique of executing Ring 0 code in the operating system, a scheme for detecting file-infecting viruses on the Windows platform is put forward. Its implementation and performance are also described in detail. The scheme does not need a virus signature database and can guard against some unknown viruses in real time.

The intrusion detection technique and the program evolution technique, which can serve as references for the detection and removal of viruses, have also been studied. Two kinds of intrusion detection systems are used in computer systems and LANs today, and some difficult challenges for intrusion detection systems are pointed out. The program evolution technique and its application in information security are then summarized, and finally some problems in the practical application of this technique are indicated.