
Security Analysis and Testing of Windows-Based Host Monitoring and Audit Products

Published: 2018-05-08 05:51

Topic: host monitoring and audit products + security analysis; Source: Beijing Jiaotong University (北京交通大學), master's thesis, 2014


[Abstract]: As internal-network security problems in enterprises and public institutions have become increasingly prominent, host monitoring and audit products have gained favour with these organizations in recent years. Such products can effectively prevent the abuse of network resources by internal staff, guard against the leakage of confidential and sensitive information, and provide audit records for after-the-fact investigation. However, because these products are designed and implemented in many different ways and are deployed in complex, varied environments, some of their modules contain security vulnerabilities, which can cause the products' monitoring functions to fail. The security of the products themselves has therefore gradually become a problem that urgently needs to be addressed. During an internship at the National Secrecy Science and Technology Evaluation Center (國家保密科技測評中心), the author tested and studied host monitoring and audit products from more than 20 different domestic vendors and found that such products commonly contain security vulnerabilities in both their functional modules and their client agent programs; these vulnerabilities can be used to bypass some monitoring functions and even to disable the client agent with ease.

This thesis focuses on the results of the author's security analysis of these products in two respects, their functional modules and their self-protection, and presents three functional-module vulnerabilities and three methods of defeating client-agent security. Three vulnerabilities are common to the functional modules of these products: 1. by modifying the matching information of a process, the process monitoring function can be bypassed; 2. by statically binding IP-MAC addresses, intercepting ARP spoofing packets, and capturing/tampering with/sending packets, the unauthorized-access monitoring function can be defeated; 3. log correlation analysis is missing, so the product can only catch known anomalies by matching a signature database and is powerless against unknown ones. As for the product's own security, by detecting hidden processes/files, breaking dual-process protection, and deleting autostart entries, the client agent program can be terminated and local logs/configuration files tampered with, thereby disabling the client agent.

The thesis also presents a test tool developed by the author; most of its functions are complete and it has been used in actual testing. The tool contains three modules: a process monitoring test module, an unauthorized-access monitoring test module, and a client agent security test module. The process monitoring test module has two parts, reading/modifying the copyright (version) information of EXE files and reading/modifying file MD5 values; the unauthorized-access monitoring test module has three parts, IP-MAC address binding, an ARP firewall, and packet capture/tampering/sending; and the client agent security test module mainly covers management of process and autostart-entry information.
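The first vulnerability above rests on a simple observation: a process monitor that identifies a program by attacker-controlled matching information (the version/copyright resource strings, or the MD5 of the whole EXE) is bypassed by changing that information without changing the code. The following added example (not the thesis's test tool, and the PE image, blocklist and "hardened" matcher are constructed here for illustration) builds a minimal PE image, shows that appending an overlay changes the whole-file MD5 so a blocklist keyed on it no longer fires, and contrasts a matcher keyed on the hash of the declared section contents, which the overlay append does not disturb.

```python
"""Process-monitor matching: whole-file MD5 vs. section-content hash.

Added example, not code from the thesis. Models a host-monitoring agent
whose blocklist identifies a program by a fingerprint of its EXE and
shows why fingerprinting the whole file (MD5) is bypassed by the trick
the thesis describes: altering file bytes outside the code.
"""
import hashlib
import struct

SECTION_HDR = '<8sIIIIIIHHI'          # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = '<HHIIIHH'                 # IMAGE_FILE_HEADER, 20 bytes
PE32_OPT_SIZE = 224                   # PE32 optional header size


def build_minimal_pe(code: bytes) -> bytes:
    """Construct a minimal, non-runnable PE image with one .text section.

    Constructed sample input for the demo: enough structure for a parser
    to locate the section table, nothing more.
    """
    dos = bytearray(64)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                  # e_lfanew -> PE header follows DOS header
    coff = struct.pack(COFF_HDR, 0x14C, 1, 0, 0, 0, PE32_OPT_SIZE, 0x0102)
    opt = bytearray(PE32_OPT_SIZE)
    struct.pack_into('<H', opt, 0, 0x10B)                  # PE32 magic
    raw_ptr = 64 + 4 + 20 + PE32_OPT_SIZE + 40             # section data right after the headers
    section = struct.pack(SECTION_HDR, b'.text', len(code), 0x1000, len(code),
                          raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b'PE\0\0' + coff + bytes(opt) + section + code


def whole_file_md5(image: bytes) -> str:
    """The weak fingerprint: MD5 over every byte of the EXE."""
    return hashlib.md5(image).hexdigest()


def section_hash(image: bytes) -> str:
    """SHA-256 over each section's name and raw bytes as declared in the
    section table. Bytes after the last section (the 'overlay') are
    deliberately ignored, so appending junk does not change the value."""
    if image[:2] != b'MZ':
        raise ValueError('not a PE file (missing MZ)')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file (missing PE signature)')
    coff = e_lfanew + 4
    num_sections = struct.unpack_from('<H', image, coff + 2)[0]
    opt_size = struct.unpack_from('<H', image, coff + 16)[0]
    table = coff + 20 + opt_size
    h = hashlib.sha256()
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from('<8sIIII', image, table + 40 * i)
        h.update(name)
        h.update(image[raw_ptr:raw_ptr + raw_size])
    return h.hexdigest()


class ProcessMonitor:
    """Blocklist-based process monitor; `mode` is 'md5' or 'sections'."""

    def __init__(self, mode: str):
        self.fingerprint = whole_file_md5 if mode == 'md5' else section_hash
        self.blocked = set()

    def block(self, image: bytes) -> None:
        self.blocked.add(self.fingerprint(image))

    def allows_launch(self, image: bytes) -> bool:
        return self.fingerprint(image) not in self.blocked


def append_overlay(image: bytes, junk: bytes = b'\x00') -> bytes:
    """The bypass: change the EXE's MD5 without touching a single code byte."""
    return image + junk


def demo() -> dict:
    tool = build_minimal_pe(b'\x90' * 16 + b'\xc3')        # constructed 'forbidden' program
    tweaked = append_overlay(tool, b'PAD')
    md5_mon, sec_mon = ProcessMonitor('md5'), ProcessMonitor('sections')
    md5_mon.block(tool)
    sec_mon.block(tool)
    return {
        'md5_blocks_original': not md5_mon.allows_launch(tool),        # True
        'md5_blocks_tweaked': not md5_mon.allows_launch(tweaked),      # False: bypassed
        'sections_blocks_tweaked': not sec_mon.allows_launch(tweaked), # True
    }


if __name__ == '__main__':
    print(demo())
```

The section hash only closes the overlay trick; an attacker who patches a code byte or rebuilds the binary changes it too, and version-resource strings are just as freely editable as the MD5. A monitor that has to survive an adversary on the same host needs matching information the adversary cannot rewrite, such as the Authenticode signer identity checked against an allowlist, rather than any hash or string of the file as it sits on disk.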
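The second vulnerability inverts the usual picture: the product's unauthorized-access control works by ARP-spoofing the intruding host off the segment, so the intruder defeats it with exactly the defences a victim would use, a static IP-MAC binding for the gateway and an ARP firewall that discards replies contradicting that binding. The following added example (not the thesis's test tool; the addresses and frames are constructed here) parses raw Ethernet+ARP frames and applies such a binding table, dropping a reply that claims the gateway IP with the wrong MAC and a reply whose Ethernet source disagrees with its ARP sender field.

```python
"""Static IP-MAC binding and an ARP firewall over raw frames.

Added example, not code from the thesis. Parses Ethernet+ARP frames and
drops ARP packets that contradict a static binding table, the mechanism
an unauthorized host uses to survive ARP-spoofing-based quarantine.
"""
import ipaddress
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = '!6s6sH'                     # dst MAC, src MAC, ethertype
ARP_HDR = '!HHBBH6s4s6s4s'             # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


@dataclass
class ArpPacket:
    eth_src: str
    eth_dst: str
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ':'.join(f'{x:02x}' for x in b)


def _ip(b: bytes) -> str:
    return str(ipaddress.IPv4Address(b))


def parse_arp(frame: bytes) -> ArpPacket:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        raise ValueError('frame too short for Ethernet+ARP')
    dst, src, ethertype = struct.unpack_from(ETH_HDR, frame, 0)
    if ethertype != ETH_P_ARP:
        raise ValueError('not an ARP frame')
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack_from(ARP_HDR, frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError('unsupported ARP hardware/protocol encoding')
    return ArpPacket(_mac(src), _mac(dst), oper, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


def build_arp(eth_src: str, eth_dst: str, oper: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Assemble a frame; used here to construct the sample traffic."""
    mac = lambda s: bytes.fromhex(s.replace(':', ''))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (struct.pack(ETH_HDR, mac(eth_dst), mac(eth_src), ETH_P_ARP)
            + struct.pack(ARP_HDR, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa)))


class ArpFirewall:
    """Drops ARP packets that contradict a static IP -> MAC binding table
    (the equivalent of `arp -s` / `netsh interface ipv4 add neighbors`
    plus a filter in front of the ARP cache)."""

    def __init__(self, bindings: dict):
        self.bindings = {ip: mac.lower() for ip, mac in bindings.items()}

    def verdict(self, frame: bytes) -> tuple:
        try:
            pkt = parse_arp(frame)
        except ValueError as exc:
            return 'DROP', str(exc)
        # 1. The link-layer source and the ARP sender hardware address must agree.
        if pkt.eth_src != pkt.sender_mac:
            return 'DROP', f'ethernet src {pkt.eth_src} != arp sender {pkt.sender_mac}'
        # 2. A statically bound IP may only be claimed by its bound MAC.
        bound = self.bindings.get(pkt.sender_ip)
        if bound is not None and bound != pkt.sender_mac:
            return 'DROP', f'{pkt.sender_ip} is bound to {bound}, claimed by {pkt.sender_mac}'
        return 'ACCEPT', 'ok'


# Constructed addresses for the demo.
GATEWAY_IP, GATEWAY_MAC = '192.168.1.1', '00:11:22:33:44:55'
HOST_IP, HOST_MAC = '192.168.1.20', 'aa:bb:cc:dd:ee:01'
ATTACKER_MAC = 'de:ad:be:ef:00:01'


def demo() -> dict:
    fw = ArpFirewall({GATEWAY_IP: GATEWAY_MAC})
    legit = build_arp(GATEWAY_MAC, HOST_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)
    # Quarantine attempt: the monitoring product answers for the gateway with its own MAC.
    spoof = build_arp(ATTACKER_MAC, HOST_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)
    # Same attempt with the Ethernet source forged to look like the gateway.
    spoof_eth = build_arp(GATEWAY_MAC, HOST_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)
    return {
        'legit': fw.verdict(legit)[0],          # ACCEPT
        'spoof': fw.verdict(spoof)[0],          # DROP
        'spoof_forged_eth': fw.verdict(spoof_eth)[0],  # DROP
    }


if __name__ == '__main__':
    print(demo())
```

The filter is only as good as the binding: a reply that forges both the Ethernet source and the ARP sender hardware address to the gateway's MAC is indistinguishable at this layer and will be accepted, which is why a monitoring product that wants to keep unauthorized hosts off the segment should enforce admission at the switch (802.1X, port security) rather than by poisoning the intruder's ARP cache.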
[Degree-granting institution]: Beijing Jiaotong University (北京交通大學)
[Degree level]: Master's
[Year conferred]: 2014
[Classification number]: TP393.08


Source link: http://sikaile.net/guanlilunwen/ydhl/1860211.html