Research on Key Windows Technologies and Their Application in Intranet Security
[Abstract]: With the rapid development of computer and communication technology, the network is gradually changing the way people work and live and has become a theme of social development. As the scope of network use has expanded, the purpose of malicious code attacks has shifted from showing off destructive ability to obtaining economic benefit and causing political damage. In particular, when malicious programs infect intranet terminals en masse, their destructive power and persistence multiply. Intranet terminal security is mainly concerned with filtering and processing system messages, and its techniques divide into user-mode message filtering and kernel-mode message filtering. This paper studies Windows hook technology in user mode and file filter drivers and disk filter drivers in kernel mode, which addresses the biggest problem of intranet terminal security, namely the prevention and control of malicious programs. System solidification (hardening) and malicious program detection for intranet terminal security are realized. The main research contents are as follows:

1. Two aspects of an intranet security management system are studied and analyzed: protection against malicious programs and detection of malicious programs. Based on these two aspects, the requirements of intranets with high security demands are analyzed.

2. Windows driver development technology and disk filter driver technology are studied. Three key problems are examined in particular: obtaining the physical sector address of a file from within the disk filter driver, obtaining the cluster list of a physical file in the system, and establishing the correspondence between a file's cluster addresses and its sector addresses. On this basis, an operating system solidification scheme based on the disk filter driver is realized. One-way data transfer between the on-disk and in-memory registry is implemented, which avoids the damage to registry key links caused by registry redirection.

3. The communication mechanism of Windows kernel devices and file system filter driver technology are studied, solving the problem of how the file system filter driver obtains the exact file name when a file is being created, the buffer failure caused by the filter driver's dispatch function and completion function not running in the same thread, and the problem that the file system filter driver cannot capture the rename message when a file is renamed across volumes. On this basis, an operating system solidification scheme based on the file system filter driver is realized.

4. A malicious program detection scheme with a low miss rate is proposed. The scheme uses Windows hook technology to extract the running sequence of a program and abstracts it to form the program's feature, reducing the redundant information in the feature, and innovatively introduces the k-gram algorithm, which was originally used to compute similarity. Compared with other detection schemes using the SVM classification algorithm, the results of this k-gram computation are used as the input to the SVM classifier, which not only reduces the dimension of the input vector but also improves the computational efficiency of the detection scheme. The lowest miss rate achieved was 1.91%.
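As an added illustration of item 4 (not code from the thesis), the following Python sketch abstracts a hook-captured API call trace into behaviour classes, builds k-gram frequency profiles, and scores the sample against a few constructed reference profiles with a k-gram similarity, yielding a vector with one dimension per reference rather than one per distinct k-gram. The API-to-class table, the reference traces and the similarity formula are assumptions, not the thesis's own.

```python
# Added illustration (not the thesis's code): abstracting a hooked API call
# trace into k-grams and scoring it against reference profiles to produce a
# compact feature vector for an SVM. API names, classes and traces are
# constructed for the example.
from collections import Counter
from typing import Dict, List, Tuple

# Assumed abstraction table: concrete Win32 APIs -> coarse behaviour classes.
# Folding A/W variants into one class is what removes redundancy from the trace.
API_CLASS = {
    "CreateFileA": "FILE_OPEN", "CreateFileW": "FILE_OPEN",
    "WriteFile": "FILE_WRITE", "ReadFile": "FILE_READ",
    "RegSetValueExA": "REG_WRITE", "RegSetValueExW": "REG_WRITE",
    "RegOpenKeyExW": "REG_OPEN",
    "CreateProcessW": "PROC_CREATE", "WriteProcessMemory": "PROC_INJECT",
    "VirtualAllocEx": "PROC_INJECT", "CreateRemoteThread": "PROC_INJECT",
}

def abstract_trace(trace: List[str]) -> List[str]:
    """Map each API to its class and drop immediate repeats, so a loop of
    WriteFile calls becomes a single FILE_WRITE."""
    out: List[str] = []
    for api in trace:
        cls = API_CLASS.get(api, "OTHER")
        if not out or out[-1] != cls:
            out.append(cls)
    return out

def kgrams(seq: List[str], k: int) -> Counter:
    """Frequency of every length-k window of the abstracted sequence."""
    return Counter(tuple(seq[i:i + k]) for i in range(len(seq) - k + 1))

def kgram_similarity(a: Counter, b: Counter) -> float:
    """Birthmark-style similarity: shared k-gram mass (multiset intersection)
    over the combined mass (multiset union); 0.0 when both are empty."""
    shared = sum((a & b).values())
    total = sum((a | b).values())
    return shared / total if total else 0.0

# Constructed reference profiles, e.g. distilled from known-malicious traces.
REFERENCES: Dict[str, List[str]] = {
    "injector": ["CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                 "CreateRemoteThread"],
    "dropper": ["CreateFileW", "WriteFile", "WriteFile", "RegOpenKeyExW",
                "RegSetValueExW", "CreateProcessW"],
}

def feature_vector(trace: List[str], k: int = 2) -> Tuple[float, ...]:
    """One similarity score per reference profile: len(REFERENCES) dimensions
    instead of one per distinct k-gram, which is the dimension reduction."""
    sample = kgrams(abstract_trace(trace), k)
    return tuple(kgram_similarity(sample, kgrams(abstract_trace(ref), k))
                 for ref in REFERENCES.values())
```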
[Degree-granting institution]: Beijing University of Posts and Telecommunications (北京郵電大學)
[Degree level]: Master's
[Year degree conferred]: 2016
[Classification number]: TP316.7; TP393.08