
Design and Implementation of a File Monitoring System Based on a Minifilter Driver

【Author】 An Liang

【Supervisors】 Li Guoqiang; Su Huiming

【Author information】 Shanghai Jiao Tong University, Software Engineering (professional degree), 2015, Master's thesis

【Abstract (translated from Chinese)】 With the rapid development of network and information technology, people's lives and work have changed dramatically and become far more convenient. More and more individuals and organizations use computers instead of traditional paper documents to store and process files, and computers bring great convenience to processing, transferring and storing them. Large volumes of file data are produced as a result, and with them come file-security problems: a wide range of malware, as well as users' own actions, can threaten the security of files. When users access network resources they may reach unsafe websites and unknowingly download malware, which lurks on the computer and, without the user's knowledge, creates, tampers with, deletes and steals files. Alternatively, a user may deliberately access confidential files without authorization, leaking them. These seriously threaten computer security, especially in important departments, where a single malicious act that leaks confidential files can cause incalculable losses. Secure file storage has therefore become the primary precondition of information security. Although file monitoring systems keep appearing on the market, the core technologies they adopt and the limits of their operating mode leave each of them with some problems. This thesis therefore studies a file monitoring system that absorbs the strengths of current file monitoring systems and discards their weaknesses, so as to monitor files effectively and protect file security on the computer. The thesis first introduces the overall architecture of Windows and explains some background knowledge, then analyzes the three technologies mainly used by the file monitoring systems currently on the market. The first uses the API (Application Programming Interface) provided by Windows; its advantage is simplicity, its disadvantages are narrow monitoring coverage and limited I/O information. The second is hooking, which modifies the file operation functions; its advantage is that it obtains I/O information effectively, its disadvantages are that there are many file operation functions, so it is highly complex and unstable, easily loses I/O events and is easily deceived by malware. The legacy file filter driver is the third technology; it intercepts I/O operations correctly, but development is complex and compatibility is poor. A new monitoring technology is then proposed: the file minifilter driver. Finally, the thesis studies the implementation and principles of the file minifilter driver and the design of the whole monitoring system. A minifilter differs greatly from a legacy filter driver: it is simpler and more compatible than a legacy file filter driver while its functionality is no weaker. It is also more efficient than user-mode file monitoring systems, resists deception and is not easily bypassed. This file monitoring system intercepts I/O operations at the driver layer, analyzes each I/O operation and compares it with the monitoring settings to determine whether the operation is authorized. The system also has a logging function: parsed I/O operations are recorded to a log file, which helps users find security holes or spot abnormal behaviour. In experimental tests, the efficiency of this file monitoring system is 1.5 times that of the previous monitoring system; it balances the advantages and disadvantages of user-mode and kernel-mode file monitoring systems and monitors files effectively.

【Abstract】 With the rapid development of network and information technology, people's lives and work have changed dramatically and become much more convenient. More and more individuals and organizations are using computers instead of traditional paper documents to store and process files. The computer has brought great convenience to processing, transferring and storing documents. At the same time it brings security risks: both a wide range of malware and the actions of users may threaten the security of files. When using network resources, users may access unsafe sites and inadvertently download malware; the malware can lurk on the computer and, without the user's knowledge, create files, tamper with files, delete files and steal files. Alternatively, users may intentionally read confidential documents without authorization, so that confidential information is leaked. These are serious threats to computer security; when malicious behaviour occurs in an important department and confidential documents are disclosed, it can cause large economic losses. File security therefore becomes the primary condition of information security. Although there are many file monitoring systems on the market at present, each has some problems because of the core technology it uses and the constraints of its running state. This thesis absorbs the strengths of the file monitoring systems on the market, discards their weaknesses, and researches a new file monitoring system that monitors files effectively and protects the security of computer files. The thesis first introduces the overall architecture of Windows and explains some basic knowledge, then analyzes the three core technologies that file monitoring systems use. The first uses the Windows API (Application Programming Interface); its advantage is simplicity, its disadvantage is that it obtains only limited I/O information. The second is the hook technique, which modifies the file operation functions. Its advantage is that it can effectively acquire I/O information, but because there are many file operation functions it has the disadvantages of high complexity and instability, and it easily loses I/O operations and is easily deceived by malware. The third technology uses the traditional file filter driver, which can effectively capture I/O operations but has problems such as poor compatibility, difficulty of implementation and a complex workflow, so a new monitoring technology is proposed. Finally, we study the implementation and principles of the file minifilter driver, as well as the design of the monitoring system. A minifilter differs from the traditional file filter driver: it is simpler and has higher compatibility, and its advantages exceed those of the traditional file filter driver. It is also more efficient than a user-mode file monitoring system, prevents deception, and is not easily bypassed. The system also has a logging function: the analysis of each I/O operation is written to a log file, which helps users find security vulnerabilities or abnormal behaviour. In tests, the efficiency of this file monitoring system is 1.5 times that of the previous monitoring system, and the advantages and disadvantages of user-mode and kernel-mode file monitoring systems are balanced; it can effectively monitor files.
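The abstract describes the decision the minifilter makes on each intercepted I/O operation: compare the operation and its target path against the monitoring settings, decide whether it is authorized, and write the result to a log. The following is an added, user-mode model of that decision logic, not code from the thesis; the Windows kernel interfaces (filter registration, pre-operation callbacks) are out of scope, so the callback is modelled as a plain C function, and the rule table, paths and process name are constructed sample values.

```c
/* Added example: user-mode model of the authorization check and log record
 * that the thesis places in the minifilter's pre-operation callback.
 * Not the thesis's code; the rules below are a constructed sample policy. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Operation classes, mirroring the major I/O functions a minifilter sees. */
enum io_op { IO_CREATE = 1, IO_WRITE = 2, IO_DELETE = 4, IO_READ = 8 };

/* One entry of the "monitoring settings": a protected path prefix and the
 * set of operations that are denied beneath it. */
struct rule { const char *prefix; unsigned denied_ops; };

static const struct rule g_rules[] = {
    { "C:\\Secret\\", IO_WRITE | IO_DELETE | IO_READ }, /* confidential dir */
    { "C:\\Users\\",  IO_DELETE },                      /* no deletes here  */
};

/* Case-insensitive prefix match, since NTFS paths are case-insensitive. */
static bool has_prefix_ci(const char *path, const char *prefix) {
    for (; *prefix; path++, prefix++) {
        if (!*path) return false;
        if (tolower((unsigned char)*path) != tolower((unsigned char)*prefix))
            return false;
    }
    return true;
}

/* Returns true if the operation is authorized. First matching rule wins;
 * paths covered by no rule are not monitored and pass through. */
bool io_authorized(enum io_op op, const char *path) {
    size_t n = sizeof g_rules / sizeof g_rules[0];
    for (size_t i = 0; i < n; i++)
        if (has_prefix_ci(path, g_rules[i].prefix))
            return (g_rules[i].denied_ops & op) == 0;
    return true;
}

static const char *op_name(enum io_op op) {
    switch (op) {
    case IO_CREATE: return "CREATE"; case IO_WRITE:  return "WRITE";
    case IO_DELETE: return "DELETE"; case IO_READ:   return "READ";
    }
    return "UNKNOWN";
}

/* Formats one log record for the decision; returns the length written. */
int format_log_line(char *buf, size_t len, const char *proc, enum io_op op,
                    const char *path, bool allowed) {
    return snprintf(buf, len, "proc=%s op=%s path=%s result=%s",
                    proc, op_name(op), path, allowed ? "ALLOW" : "DENY");
}
```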
