Research and Implementation of a Malicious Code Detection System Based on Heuristic Algorithms
Abstract
With the development of computer technology, and of computer networks in particular, malicious code has kept evolving as well. The amount of malicious code today has grown geometrically compared with the past. Traditional malicious code appeared almost exclusively as viruses, whereas today it takes many forms, such as worms, viruses, Trojans and malicious plug-ins. Functionally, traditional malicious code generally did a single thing, mostly destroying data, whereas current malicious code also steals and tampers with data, and employs a great deal of anti-debugging, anti-tracing and anti-detection technique to protect itself. Clearly, the harm malicious code does to computing has become increasingly significant, and at the same time detecting it has become increasingly difficult.
In detecting malicious code, traditional anti-virus software relies solely on matching binary signatures. Because this method requires the binary signature of the malicious code, it fails completely once the malicious code alters that signature, for example by encryption. Traditional anti-virus software has become inadequate against current malicious code.
Building on an exposition of the basic theory and key techniques of pattern matching algorithms, heuristic scanning algorithms and virtual machine technology, this thesis studies the shortcomings of the pattern matching algorithms used in current malicious code detection engines and proposes an improved scheme. In addition, based on the study of a behavioral feature engine built on heuristic scanning algorithms and virtual machine technology, this thesis constructs a prototype system for a new malicious code detection method that combines binary feature matching, behavioral feature matching and cloud-based detection.
The results of this research can effectively improve the use of system resources, make full use of network resources and resist malicious code intrusion, which is of positive significance for maintaining a healthy Internet environment and thereby building a harmonious network society.
Nowadays, with the development of computer technology, and especially of computer networks, malicious code is constantly developing as well. The amount of malicious code today has grown exponentially compared with the past. Traditional malicious code basically took the form of viruses, but current malicious code comes in all kinds of forms, such as worms, viruses, Trojan horses and malicious plug-ins. Functionally, traditional malicious code was generally limited to a single purpose, mostly data breaches, whereas current malicious code also performs data theft, tampering and other functions, and makes use of a large number of anti-debugging, anti-tracking and anti-detection techniques to protect itself. Evidently, the harm that malicious code does to computing has become increasingly significant, and it has become more and more difficult to detect.
To detect malicious code, traditional anti-virus software uses only binary signature matching. Since the method requires the binary signature of the malicious code, once the malicious code changes that signature by encrypting its binary code, the method fails completely. Traditional anti-virus software seems powerless against current malicious code.
Based on an explanation of basic theory and key technology such as pattern matching algorithms, heuristic scanning algorithms and virtual machine technology, this paper researches in depth the shortcomings of the pattern matching algorithm in current malicious code detection engines and puts forward an improved method. In addition, based on research into heuristic algorithms and an engine that uses virtual machine technology to match behavioral characteristics, the paper sets up a prototype system that combines binary feature matching, behavioral feature matching and cloud-based detection.
This research can improve the use of system resources and make full use of network resources to defend against malicious code intrusion and maintain a healthy Internet environment, and thus makes a positive contribution to creating a harmonious network society.