
Virtual Environment "Digital Foot

Published: 2018-06-18 10:40

  Topics of this thesis: digital footprint + virtual environment memory forensics. Reference: Sichuan Normal University, 2017 master's thesis


[Abstract]: With the rapid development of virtualization technology, more and more business applications of enterprises, universities and governments are being moved into virtual environments. As the business use of virtualization has surged, network attacks against virtual environments have also increased sharply. These attacks pose a serious threat to the economy and security of states and enterprises. At the same time, attack techniques in virtual environments have become more covert (for example, anti-forensics techniques), so traditional memory forensics cannot deal effectively with forensic work in virtual environments. Research on lossless extraction of memory evidence in virtual environments and on reconstruction of malware attack behaviour is therefore of great significance for helping judicial and law-enforcement authorities reconstruct evidence after the fact and combat cybercrime. This thesis studies and implements a dedicated memory forensics system for virtual environments, with three main innovations. First, it proposes a memory forensics model for VMware virtual environments; the model improves the forensic workflow of existing memory forensics models and offers a repeatable forensic process, high memory-acquisition accuracy, high forensic efficiency and strong resistance to interference. Second, it proposes the virtual-environment "digital footprint": the digital features extracted by traditional memory forensics are defined as "digital patterns", and the dynamic behavioural features they form over a time series are defined as the "digital footprint", which captures more complete behavioural information than the traditional "digital pattern". Third, it proposes an improved K-means multi-source correlation analysis algorithm for malicious processes. The algorithm extends process relationships to six relations: parent-child, name, time, file, communication and account. The six-relation correlation degree replaces the cosine distance of the traditional K-means algorithm, and a malicious-process initialization rule replaces the random initialization of the traditional K-means algorithm, giving high stability and high association completeness. By studying memory management and address translation mechanisms in virtual environments, the thesis reconstructs volatile memory data, carries out virtual-environment "digital footprint" extraction, malicious behaviour detection and malicious process correlation analysis, and ultimately achieves malware behaviour reconstruction, meeting the needs of judicial and law-enforcement authorities in business applications, in-depth analysis and lead tracing. Test results show that the proposed virtual-environment memory forensics model extracts the volatile memory data of malware with high precision and accuracy; the virtual-environment memory forensics system achieves a high completeness rate for "digital footprint" extraction; and the improved K-means multi-source correlation analysis algorithm can complete the malware behaviour analysis graph, with a high association completeness rate. However, the extraction of the "digital footprint" in this thesis is still incomplete, the false-positive rate of malware behaviour reconstruction is somewhat high, and the service interruption problem during memory extraction on server editions remains unsolved; these three points can serve as directions for future research.
[Degree-granting institution]: Sichuan Normal University
[Degree level]: Master's
[Year degree awarded]: 2017
[Classification number]: TP309

