Research and Implementation of Key Techniques for Program Behavior Analysis in Anti-Trojan Systems
Published: 2018-05-26 06:13
Topic: program behavior analysis + hidden process detection; Reference: Beijing University of Posts and Telecommunications, Master's thesis, 2014
【Abstract】: With the development of information technology, the computer has become an indispensable part of daily life. Individual users browse the web, video chat and shop online; enterprises store business data and automate their management. Data of every kind has moved from traditional to digital storage, and the volume of digital information has grown explosively for many years. Alongside the convenience of digital processing, information security has gradually drawn attention. In recent years the number of Trojans, spyware and other malicious programs has kept growing, and several user data leaks have occurred. Trojan detection has long been a hot topic in network security; after years of development, signature-based Trojan detection has matured, and research has turned to the detection of unknown Trojans. Program behavior analysis is a fundamental technique that plays an important role in unknown-Trojan detection systems such as host-based proactive defense and intrusion detection systems. When it is used to detect unknown Trojans, capturing program behavior is the prerequisite, a sound behavior judgment algorithm is the core, and effective removal of the Trojan program is the foundation; none of the three can be omitted. Because program behavior analysis has only recently emerged, all three key techniques still have shortcomings, so studying the key techniques of program behavior analysis matters for building anti-Trojan systems and protecting user data.
This thesis surveys existing program behavior capture techniques and finds that no good behavior capture method exists for 64-bit Windows systems. For Trojan removal, current hidden process detection techniques also have weaknesses in stability and efficiency. For behavior judgment algorithms, improvements to the naive Bayes classifier have concentrated on filtering invalid samples and adding attribute weights, without considering the class prior (the probability that a sample belongs to a given class), which easily biases the classification results.
To address these three deficiencies, the thesis studies Intel VT technology and implements a program behavior capture technique for 64-bit Windows; makes several improvements to the current memory-search-based hidden process detection method; and studies several behavior judgment algorithms, adding attribute weighting, classification result adjustment and other improvements to the naive Bayes classifier. To keep the algorithm accurate across different host environments, a host security risk assessment function is added and the algorithm's parameters are adjusted dynamically according to the assessment result. The contributions of this thesis are: first, the memory-search-based hidden process detection method is improved so that it runs stably on multi-core CPU systems and detects hidden processes faster and more completely; second, several improvements are made to the naive Bayes classifier, including a weight calculation method that is independent of the composition of the training set and so avoids the negative effects of poorly chosen training samples; third, a fuzzy evaluation method based on entropy weights is used to assess host security risk, and the result is used to adjust the naive Bayes classifier so that its results are more accurate.
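To illustrate the class-prior bias the abstract describes, here is an added example (not code from the thesis): a naive Bayes classifier over constructed program-behaviour attributes, trained on a deliberately imbalanced benign/trojan set, compared with a variant that drops the empirical prior and weights attributes by their log-likelihood ratio. The attribute names, the training data and that composition-independent weighting scheme are assumptions made here, not the thesis's own formula.

```python
import math
from collections import Counter

# Behaviour attributes captured per program run (constructed names, 1 = observed).
ATTRS = ["writes_autorun", "injects_process", "hooks_keyboard", "opens_listener", "reads_documents"]

# Constructed, deliberately imbalanced training set: 40 benign runs, 4 trojan runs.
BENIGN = [(1, 0, 0, 0, 1)] * 20 + [(0, 0, 0, 1, 1)] * 15 + [(1, 0, 0, 1, 0)] * 5
TROJAN = [(1, 1, 1, 1, 1)] * 2 + [(0, 1, 1, 0, 1)] * 2
TRAIN = [(x, "benign") for x in BENIGN] + [(x, "trojan") for x in TROJAN]

def fit(train, alpha=1.0):
    """Per-class P(attr=1 | class) with Laplace smoothing, plus the empirical class priors."""
    counts, totals = {}, Counter()
    for x, y in train:
        totals[y] += 1
        c = counts.setdefault(y, [0] * len(ATTRS))
        for i, v in enumerate(x):
            c[i] += v
    n = sum(totals.values())
    like = {y: [(c[i] + alpha) / (totals[y] + 2 * alpha) for i in range(len(ATTRS))]
            for y, c in counts.items()}
    prior = {y: totals[y] / n for y in totals}
    return like, prior

def attr_weights(like):
    """Weight = |log-likelihood ratio| of the attribute between the classes (assumed scheme).
    It uses only class-conditional probabilities, so it does not change when the
    benign/trojan proportion of the training set changes."""
    return [abs(math.log(like["trojan"][i] / like["benign"][i])) for i in range(len(ATTRS))]

def classify(x, like, prior, weights=None, use_prior=True):
    """Return (label, log-odds of trojan vs benign) for one attribute vector."""
    w = weights or [1.0] * len(ATTRS)
    score = math.log(prior["trojan"] / prior["benign"]) if use_prior else 0.0
    for i, v in enumerate(x):
        pt = like["trojan"][i] if v else 1 - like["trojan"][i]
        pb = like["benign"][i] if v else 1 - like["benign"][i]
        score += w[i] * math.log(pt / pb)
    return ("trojan" if score > 0 else "benign"), score

if __name__ == "__main__":
    like, prior = fit(TRAIN)
    # Autorun entry + keyboard hook + document reads: the 40:4 prior drags this to "benign".
    sample = (1, 0, 1, 0, 1)
    print("with prior     :", classify(sample, like, prior))
    print("uniform prior  :", classify(sample, like, prior, use_prior=False))
    print("weighted attrs :", classify(sample, like, prior, weights=attr_weights(like)))
```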
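The entropy-weight fuzzy evaluation of host security risk and its use to adjust a classifier parameter, as an added example that is not the thesis's code: the indicator names, host values, triangular membership functions and the prior-adjustment rule are all constructed assumptions; only the entropy weight method itself is the standard one.

```python
import math

# Constructed host risk indicators (higher = riskier); one row per host.
INDICATORS = ["unpatched_vulns", "days_since_av_update", "listening_ports", "admin_accounts"]
HOSTS = {"ws-01": [2, 1, 3, 1], "ws-02": [9, 30, 12, 4],
         "ws-03": [4, 7, 5, 2], "srv-01": [1, 2, 8, 1]}
LEVELS = ["low", "medium", "high"]

def entropy_weights(matrix):
    """Entropy weight method: an indicator that varies more across hosts gets a larger weight."""
    m, n = len(matrix), len(matrix[0])
    k = 1.0 / math.log(m)
    degree = []
    for j in range(n):
        col = [row[j] for row in matrix]
        total = sum(col)
        p = [v / total for v in col]
        e = -k * sum(pi * math.log(pi) for pi in p if pi > 0)   # entropy in [0, 1]
        degree.append(1.0 - e)                                    # divergence degree
    return [d / sum(degree) for d in degree]                      # normalised to sum 1

def membership(value, lo, hi):
    """Triangular fuzzy memberships of `value` in (low, medium, high) over [lo, hi]."""
    if hi == lo:
        return [0.0, 1.0, 0.0]
    t = min(max((value - lo) / (hi - lo), 0.0), 1.0)
    return [max(1 - 2 * t, 0.0), 1 - abs(2 * t - 1), max(2 * t - 1, 0.0)]

def fuzzy_risk(host_values, weights, matrix):
    """Weighted fuzzy evaluation: returns the dominant risk level and a score in [0, 1]."""
    risk = [0.0] * len(LEVELS)
    for j, v in enumerate(host_values):
        col = [row[j] for row in matrix]
        for l, mu in enumerate(membership(v, min(col), max(col))):
            risk[l] += weights[j] * mu
    score = sum(risk[l] * l / (len(LEVELS) - 1) for l in range(len(LEVELS)))
    return LEVELS[max(range(len(LEVELS)), key=risk.__getitem__)], score

def adjusted_prior(base_trojan_prior, risk_score, gain=4.0):
    """Assumed adjustment rule: scale the trojan prior odds up on riskier hosts."""
    odds = base_trojan_prior / (1 - base_trojan_prior) * (1 + gain * risk_score)
    return odds / (1 + odds)

if __name__ == "__main__":
    matrix = list(HOSTS.values())
    w = entropy_weights(matrix)
    for name, vals in HOSTS.items():
        level, score = fuzzy_risk(vals, w, matrix)
        print(name, level, round(score, 3), "trojan prior ->", round(adjusted_prior(4 / 44, score), 3))
```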
【Degree-granting institution】: Beijing University of Posts and Telecommunications
【Degree level】: Master
【Year of degree】: 2014
【Classification number】: TP393.08
Article number: 1936238
Link: http://sikaile.net/guanlilunwen/ydhl/1936238.html