Research on Malicious Code Detection Technology Based on Non-Packet-Reassembly
Published: 2018-06-04 06:55
Topic: non-packet reassembly + detection; Source: University of Electronic Science and Technology of China, 2014 master's thesis
[Abstract]: When faced with a single object file, a host-based detection system has the stronger detection capability, but the overhead and cost of installing and running each detection device are too high for large-scale deployment across a network. In practice, therefore, network-based detection systems have broader application scenarios and can be deployed on far more network nodes. Given this, improving the per-device detection capability of a network malicious-code detection system lets the system perform better against malicious-code intrusions and achieve better results in network security defense. A network-based malicious-code detection system has a large number of front-end detection devices, but they are relatively low-end and cheap per unit, and unlike host-based detection they cannot reassemble the traffic streams captured on the network; even where reassembly is possible, it is time-consuming and laborious, and once processing speed falls behind the network throughput, large numbers of already-captured packets are dropped. Current network-level malicious-code detection systems can only match behavioural rule patterns: the attacks they detect are either the malicious behaviour of malware already planted inside the network segment or attacks from the external network against the intranet, and, like host-based detection, they cannot react to the process by which the malware is planted. If the advantages of the two could be combined, applying the host's ability to inspect files to the network detector's analysis of network packets, detection of the planting process would become possible.
As noted above, the front-end devices cannot reassemble data because of their own limitations, so it would be highly significant if the detection system's front-end hosts could decide whether a packet carries malicious code without reassembling it. Without packet reassembly as a precondition, matching signatures directly against the content of individual packets and raising alerts on suspicious ones can markedly strengthen the detection capability of the front-end hosts of a network-based malicious-code detection system, ultimately achieving the goal of detecting the anomaly while the malware is still propagating. The key technical difficulty in realising this scheme is how to design a signature-scanning detection engine suited to non-packet-reassembly malicious-code detection; such an engine comprises signature selection, construction of the signature library, and an efficient signature-matching algorithm, among other key points. Although complete signature-scanning toolchains already exist, their application scenario is host-based malicious-code detection: these techniques generally select long signatures and match precisely, but place little demand on matching speed. Applying them mechanically would mean that in a network environment signatures are easily truncated, and matching is not efficient enough, causing the system to drop large numbers of packets. This thesis therefore focuses on designing and implementing a signature-scanning technique suited to a non-packet-reassembly malicious-code detection system, working through the key links, implementing the system, and finally validating it through testing.
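As an added illustration of the per-packet scanning problem the abstract describes (example code written for this page, not the thesis's own engine), the following Python scans each packet independently with an Aho-Corasick multi-pattern matcher, with no reassembly and no state carried between packets. The payload size per packet, the signature-length limit, the marker bytes and the filler file are all constructed for the demonstration, and Aho-Corasick stands in for whatever matching algorithm the thesis implements. It shows that a long, host-style signature straddling a packet boundary is never seen whole by the front-end, while short sub-signatures chosen to fit inside one payload still fire, and that the same long signature would be found once the stream is reassembled.

```python
import hashlib
from collections import deque

# Constructed demo parameters (not values taken from the thesis).
PAYLOAD_PER_PACKET = 256  # payload bytes the front-end sees in one packet
MAX_SIG_LEN = 32          # longest signature the library will accept
MARKER = b"CONSTRUCTED-LONG-SIGNATURE-FOR-DEMO-0123456789ABCDEF"  # 52 bytes
MARKER_OFFSET = 230       # chosen so the marker straddles the first packet boundary

# Candidate signatures: one host-style long pattern and two short network-style
# sub-signatures carved from it. All constructed for this example.
CANDIDATES = {
    "host_style_long": MARKER,
    "net_style_short_a": MARKER[:12],   # b"CONSTRUCTED-"
    "net_style_short_b": MARKER[36:],   # b"0123456789ABCDEF"
}


class AhoCorasick:
    """Multi-pattern byte matcher: one pass over a payload whatever the number of
    signatures, which is the throughput property a front-end device needs."""

    def __init__(self, patterns):
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for name, pat in patterns.items():
            self._add(name, pat)
        self._build_failure_links()

    def _add(self, name, pat):
        s = 0
        for b in pat:
            if b not in self.goto[s]:
                self.goto.append({})
                self.out.append(set())
                self.fail.append(0)
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].add(name)

    def _build_failure_links(self):
        queue = deque(self.goto[0].values())  # depth-1 states already fail to root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]  # inherit suffix matches

    def scan(self, data):
        """Return the names of all signatures occurring anywhere in data."""
        s, hits = 0, set()
        for b in data:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits |= self.out[s]
        return hits


def check_signature_lengths(sigs, max_len):
    """Selection rule: a pattern longer than max_len can be cut by a packet boundary."""
    return sorted(name for name, pat in sigs.items() if len(pat) > max_len)

def build_sample_file(size=1024):
    """Constructed file: deterministic sha256-chain filler with MARKER planted in it."""
    filler, block = bytearray(), b"constructed-sample-seed"
    while len(filler) < size:
        block = hashlib.sha256(block).digest()
        filler += block
    filler = bytes(filler[:size])
    return filler[:MARKER_OFFSET] + MARKER + filler[MARKER_OFFSET + len(MARKER):]

def split_into_packets(payload, size):
    """Cut the file into fixed-size payloads as the network path would."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]

def scan_per_packet(packets, matcher):
    """Scan each packet from a fresh automaton state: no reassembly, no context."""
    alerts = {}
    for i, pkt in enumerate(packets):
        hits = matcher.scan(pkt)
        if hits:
            alerts[i] = hits
    return alerts

def run_demo():
    """Per-packet results next to what full reassembly would have found."""
    matcher = AhoCorasick(CANDIDATES)
    sample = build_sample_file()
    packets = split_into_packets(sample, PAYLOAD_PER_PACKET)
    return {
        "too_long": check_signature_lengths(CANDIDATES, MAX_SIG_LEN),
        "per_packet": scan_per_packet(packets, matcher),
        "reassembled": matcher.scan(sample),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the file shows `host_style_long` flagged as too long for the library, only the two short sub-signatures firing in per-packet mode (one in packet 0, one in packet 1), and all three found when the whole file is scanned. The length check is the signature-selection rule the abstract implies: anything longer than the smallest payload a front-end can expect has to be replaced by shorter pieces. The price of short signatures is a higher false-positive rate, so each short signature should be checked against a corpus of benign traffic before it enters the library.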
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master
[Year of degree]: 2014
[Classification number]: TP393.08
Article ID: 1976427
Link: http://sikaile.net/guanlilunwen/ydhl/1976427.html