Similar Literature
1.
李鹏, 王汝传, 高德华. 《电子学报》 2012, 40(1): 115-120
This paper studies dynamic detection techniques for Rootkit malware. It summarises the system API functions called by the dynamic behaviour of typical Rootkit malware. API call sequence generators are counted in real time to form feature vectors; fuzzy membership functions and fuzzy weight vectors are combined through a weighted-average method to obtain a fuzzy recognition score; a hierarchical multi-attribute support vector machine analysis constructs sub-tasks; and the Rootkit type is located by the Hamming distance over each dynamic behaviour attribute. The proposed dynamic detection technique improves the accuracy of automatic Rootkit detection and can also be used to detect malware of unknown types.

2.
Today's popular Trojan programs have begun to use covert communication techniques to evade honeypot detection. This paper first introduces the covert communication techniques commonly used by Trojans and the increasingly popular kernel-level Rootkit covert communication techniques, and discusses how current client honeypots detect malicious programs. To address the shortcomings of the honeypot's network communication detection mechanism, an effective improvement is proposed: a network data inspection technique based on an NDIS intermediate-layer driver is used to capture the Trojan's communication packets. The scheme can effectively detect Rootkit covert communication that relies on network drivers and extract key Trojan communication information for tracking and analysing Trojan behaviour.

3.
杨平, 罗红, 乔向东. 《通信技术》 2009, 42(4): 135-138
As an emerging technique in the field of network intrusion, a Rootkit can hide traces of intrusion and prevent users and detection software from discovering the presence of malicious code; Rootkits are well concealed and hard to detect. Based on an analysis of Rootkit behaviour, a handle-analysis-based Rootkit detection technique is proposed: the method traverses the kernel handle table to obtain all processes running on the system, then compares them with the process list obtained through API calls to discover processes hidden by the Rootkit. Experiments show that the method detects Rootkits effectively.

4.
By studying the development trends of today's malicious programs, this paper systematically compares the many techniques and methods for communication hiding and its detection, analyses their shortcomings, and proposes an NDIS-based method for detecting malicious programs that hide their communication. The method complements the malicious program detection system well, and experiments show that it can detect all current malicious programs that hide their communication.

5.
Considering a network environment based on the SDN architecture, and addressing the shortcomings of current hidden-port detection methods, a new hidden-port detection method based on the SDN architecture is proposed. Using the centralised control of SDN, host connection information is extracted in real time by memory-mapping flow table entries and is combined with information from a host agent for cross-view detection; a detection state machine is introduced into the detection process so that the hidden ports of all hosts in the deployment environment are detected accurately. Experimental results show that the method efficiently detects ports hidden by malicious programs on hosts and has good compatibility and system performance.

6.
Trojan programs, especially Rootkits, pose an ever greater security threat, and eliminating such threats has become one of the focuses of current security research. This paper introduces the idea of cross-view detection and uses NTFS file system disk parsing to detect hidden files, which aids the detection of Rootkit-type Trojans. On this basis, a complete design scheme and evaluation method are given, which is of great significance for hardening system security.

7.
A Rootkit is an increasingly popular low-level system concealment mechanism together with the program that implements it, allowing an attacker to retain the highest control privileges on a system for a long time; process hiding is one of the most common Rootkit functions. This paper studies and implements several techniques for detecting process hiding by Win32 Rootkits, analyses and compares their respective advantages and disadvantages, and finally offers an outlook on the future of this technology.

8.
A Survey of Rootkit Trojan Hiding Techniques and Detection Techniques   Total citations: 1, self-citations: 0, citations by others: 1
This paper briefly introduces Rootkit technology and the workflow of the Windows operating system kernel, and analyses the hiding techniques of Rootkit Trojans, including process hiding by removing the process object from the doubly linked process list, hiding of processes, files and registry keys by hooking the SSDT, and port hiding. It also briefly analyses two techniques for bypassing the read-only attribute of the SSDT on Windows XP and 2003: modifying the registry and modifying the write-protect bit of the CR0 register. Finally, it gives an overview of three Rootkit Trojan detection techniques that target removal of process objects from the doubly linked process list, modification of the kernel execution path, and SSDT kernel call hooks.

9.
梁冰. 《电子世界》 2013, (9): 13-15
A Rootkit is a collection of programs that malware uses to hide itself and other specific resources and activities. Based on the startup method of Windows Rootkits, this paper classifies them into two categories: those that start before the operating system and those that start together with the operating system. The startup methods, implementation principles and hiding techniques of both categories of Windows Rootkit are analysed in detail, and the principles of existing detection methods are analysed in depth.

10.
李馥娟, 王群. 《电信科学》 2018, 34(12): 33-45
A Rootkit is a class of malicious code that attacks the system kernel and achieves deep concealment, and it has become a serious threat to network security. First, the basic characteristics of Rootkits/Bootkits are introduced, and the characteristics of user-mode and kernel-mode Rootkit attacks are compared. Next, the implementation principles and working mechanisms of the hooking, DKOM and virtualisation techniques involved in Rootkit attacks are analysed in depth. Finally, the main detection methods and defensive techniques against Rootkit attacks are discussed in the context of specific attack behaviours.

11.
Security vendors commonly use virtual environments to analyse malware, but much malware uses virtual machine detection techniques to resist analysis. This paper introduces the three main methods of detecting a virtual environment and gives corresponding countermeasures to prevent the virtual environment from being detected. A new method for detecting virtual machines and emulators based on performance comparison is designed; experimental results show that the method can effectively detect virtual machines and emulators such as VMware and the Qemu emulator.

12.
Security tools are being developed rapidly as network security threats become more and more serious. To overcome the fundamental limitation of traditional host-based anti-malware systems, which are likely to be deceived and attacked by malicious code, VMM-based anti-malware systems have recently become a hot research field. In this article, existing malware hiding techniques are analyzed, and a detection model for hidden processes based on the "In VM" idea is proposed. Based on this detection model, a hidden process detection technology based on hooking SwapContext on the VMM platform is also implemented successfully. This technology guarantees that the detection method cannot be attacked by malware and resists all current process hiding techniques. In order to detect malware that hides itself by remote injection, a method based on hijacking the sysenter instruction is also proposed. Experiments show that the proposed methods preserve the isolation of the virtual machines, detect all malware samples, and introduce only a small performance loss.

13.
The harm caused by malware in the cloud computing environment is becoming more and more serious. Traditional anti-virus software is in danger of being attacked when it is deployed at scale inside virtual machines, and it tends not to be accepted by tenants because of its performance cost. In this paper, a method of scanning malicious programs from outside the virtual machine is proposed, and a prototype is implemented. The method exposes the memory of the virtual machine to the host so that the host can access it. The user space and kernel space of the virtual machine's memory are analyzed semantically, and suspicious processes are scanned against a signature database. Experimental results show that malicious programs can be effectively scanned from outside the virtual machine with a low performance impact on the virtual machine, meeting the needs of tenants.

14.
The Android platform is the most popular mobile operating system. With the increase in the number of Android users, many security issues have occurred. In order to detect malicious behaviours of installed Android apps, this paper proposes an Android malware detection scheme that integrates static and dynamic analysis methods. We use Androguard and DroidBox to extract features, and then remove the irrelevant features. We then employ a support vector machine (SVM) to classify Android malware and benignware. The results show that the proposed integrated static and dynamic analysis scheme with SVM can effectively detect Android malware.

15.
Virtual machine introspection has been widely applied in fields such as intrusion detection and malware analysis. However, because of the semantic gap, obtaining information from inside the virtual machine reduces generality and execution efficiency. By analysing the shortcomings of existing semantic gap bridging techniques, a semantic gap elimination method called ModSG is proposed. ModSG is a modular system that divides semantic reconstruction into two parts: online semantic view construction, which interacts directly with the user, and offline high-level semantic parsing, which interacts with operating system knowledge. The two are implemented as independent modules, and the latter provides the former with the kernel semantic information needed for semantic reconstruction. Experiments on different virtual machine states and operating systems with different kernel versions show that ModSG eliminates the semantic gap accurately and efficiently. Its modular design and deployment also make ModSG easy to extend to other operating systems and virtualisation platforms.

16.
Whether the cloud computing environment is trustworthy is the key factor in the promotion and effective use of cloud computing. For this reason, the expected-value decision method from risk decision-making was improved. The usage scenarios were redefined, the cost and benefit of each audit scheme were quantified, and a virtual machine trusted auditing strategy based on the improved expected-value decision method was proposed. Several levels of security protection for the user's virtual machine are provided, and the optimal audit scheme is selected autonomously according to the security protection level chosen by the user for the virtual machine. Virtual machine introspection (VMI) is used to obtain the virtual machine information that needs to be audited. The designed encryption mechanism protects the user's selected security protection level, so as to secure the audit strategy chosen for the user's virtual machine. Finally, simulation results show that the scheme has good performance and validity.

17.
Since the dramatic increase in the number and variety of mobile malware has created an enormous challenge for the information security of mobile network users, a value-derivative GRU-based mobile malware traffic detection approach was proposed to solve the problem that RNN-based mobile malware traffic detection approaches find it difficult to capture the dynamic changes and critical information of abnormal network traffic. By introducing the concept of "accumulated state change", the value-derivative GRU approach describes the low-order and high-order dynamic change information of malicious network traffic at the same time. In addition, a pooling layer ensures that the algorithm can capture key information of malicious traffic. Finally, simulations were performed to verify the effect of accumulated state changes, hidden layers, and pooling layers on the performance of the value-derivative GRU algorithm. Experiments show that the mobile malware traffic detection approach based on the value-derivative GRU has high detection accuracy.

18.
19.
李勇钢, 崔超远, 乌云, 孙丙宇. 《电子学报》 2018, 46(5): 1025-1031
Compared with traditional intrusion detection systems, intrusion detection systems based on virtual machine introspection are more resistant to interference. However, the semantic gap, that is, the difference between low-level hardware byte information and operating-system-level semantics, reduces the generality and real-time performance of such systems. To address this problem, this paper proposes Vlhd, a rootkit hidden-object detection technique based on a semantic gap bridging method. Vlhd separates the system into an offline module and an online module. The online module reconstructs the virtual machine's semantic view from outside the virtual machine in real time; the offline module extracts operating system semantic knowledge offline and provides semantic services to the online module. Intrusion detection experiments on various Linux operating systems and multiple rootkits show that Vlhd detects rootkit hidden objects well and is highly general. A single Vlhd scan takes 34 ms and introduces a 1.1% performance overhead (with the scan period set to 8 s).

20.
To address the heavy CPU burden and low network I/O efficiency caused by virtual machine monitors implementing I/O virtualisation through software emulation, this paper, following the idea of hardware-assisted I/O virtualisation, proposes a structural design for an Ethernet controller virtualisation module. In the design, a virtual information processing module decides the virtual machine queue for each data frame based on the information obtained by parsing the frame, and a paged memory management unit performs dynamic memory management of data frames and creates descriptor queues; together they classify data frames into the correct virtual machine receive and transmit queues. Experimental results show that the designed Ethernet controller virtualisation module structure allows a single port to support multiple virtual machines, each with a dedicated data transmit and receive path, in hardware, thereby reducing the CPU burden and improving the network I/O efficiency of the virtual machines.


Copyright©北京勤云科技发展有限公司  京ICP备09084417号