A Computer Virus Detection Method Based on Program Semantics
Abstract
In recent years computer viruses have spread at an astonishing rate, computer security has drawn ever more attention, and anti-virus technology has developed ever faster. The newest and most advanced anti-virus techniques today include active kernel technology, heuristic code scanning, virtual machine technology and virus detection based on immune principles. Each of these techniques has its own strengths, but none of them is yet mature in practice. Existing anti-virus software has played a major role in countering viruses, yet it still falls short in places, and in particular it lacks sufficiently effective methods against unknown viruses.
This thesis studies in depth the mechanisms of the various viruses found on the Windows operating system and the new techniques that current viruses employ, and proposes a computer virus detection method based on program semantics.
First, the structural characteristics of the code of different viruses are analysed in depth, the typical semantic features of the infection behaviour patterns of different virus programs are summarised, and a semantic relations frame describing those typical semantic features is formed. The data structures are then designed: the pattern library uses a hierarchical frame structure. This storage method describes the typical semantic features of a virus program's infection behaviour completely and accurately, and offers good inheritance, extensibility and consistency of knowledge.
Second, the thesis studies how to extract the semantics implied in a program and form a semantic relations frame that describes the program's semantics. The algorithm and workflow of the system that transforms the original program into a semantic relations frame are designed in detail. Lastly, the detection engine, the core of the virus detection system, is designed and analysed in some detail.
Finally, virus detection experiments are carried out; the results show that the method is a fairly effective way of detecting unknown viruses.
In recent years, computer viruses have spread with astonishing speed. Computer security has been paid more attention, and anti-virus techniques have developed more rapidly too. Nowadays there are some new and advanced anti-virus techniques, such as the active kernel technique, heuristic code scanning, virtual machines and the principle of immunity. The application of these techniques is not mature enough, even though each of them has its own characteristics. Anti-virus techniques are updated as new viruses appear constantly. Existing anti-virus software plays an important role in dealing with computer viruses, but it still has not satisfied security requirements, and in particular it lacks effective methods for dealing with unknown viruses.
The action mechanism of each kind of virus and the new technology that current viruses use are analysed thoroughly under the Windows operating system, and a new virus detection method based on program semantics is proposed.
First, the thesis analyses the unique code features of different viruses and sums up the typical semantic characteristics of the infection module. A semantic relations frame that can describe these semantic characteristics is formed. The pattern database uses a hierarchical framework. This frame offers a full specification of the typical semantic characteristics of the infection module; its greatest merits lie in inheritance, extensibility and uniformity of knowledge.
Second, the thesis researches how to extract the program semantics implied in a program. A semantic relations frame that can describe the program semantics is formed. The algorithm and workflow of the transformation system from the original program to the semantic relations frame are described in detail. Then the thesis introduces the virus detection engine, which is the most important component of the system.
Last, a virus detection experiment is carried out. The result indicates that it is a feasible way of detecting unknown viruses.