
Research on Malicious Code Diagnosis Technology Based on a Trusted Base

【Author】 Hao Xiangdong

【Supervisor】 Wang Kaiyun

【Author information】 China Academy of Engineering Physics, Computer Applied Technology, 2007, Master's thesis

【Abstract (translated from the Chinese)】 Statistics show that malicious code has become one of the main threats facing computer systems today. As network activity becomes ever more closely tied to social activity, the purpose of writing malicious code has shifted from showing off technical skill to obtaining economic or political gain, attacks have become more targeted, and information systems face greater security risks. Most existing malicious-code detection products are built on signature matching; their effectiveness in finding and removing malicious code depends on how quickly the virus database is updated, and they perform poorly against unknown malicious code. Moreover, with the spread of the Internet and the continual adoption of new technologies, malicious code spawns variants ever faster, and the update rate of anti-virus signature databases cannot keep pace with this rapid change. Addressing the development trend of malicious code and the shortcomings of current detection techniques, and building on a thorough summary and analysis of the common characteristics and working mechanisms of malicious code, this thesis proposes a detection scheme based on a trusted base. The scheme starts from the observation that malicious code alters the integrity of the original system after intrusion: a baseline database for detection is built from the system states and configuration items that malicious code frequently uses and is likely to change, called the trusted base, and the feasibility of building this trusted-base database is demonstrated under the precondition that the computer system has not yet been attacked by malicious code. In addition, based on theoretical analysis of and experiments with malicious code, a malice weight table for suspicious files is built from several aspects: process hiding, communication connections, automatic loading, and file-name similarity. The state of the system under examination is compared with the corresponding trusted data, the result is combined with the malice weight table for the suspicious data, and a detection conclusion is drawn. Following the proposed scheme, a prototype malicious-code diagnosis system based on the trusted base was implemented; it can detect malicious code through processes, the modules loaded by processes, the system service descriptor table, and the drivers loaded by the system. Real malicious-code intrusion detection and simulation experiments were carried out with the prototype. The results show that under the Windows operating system the prototype can effectively detect both known and unknown malicious code, and that for unknown malicious code in particular its detection performance is better than that of signature-based products. The analysis and summary of the working mechanisms and common characteristics of malicious code in this thesis provide a theoretical basis for future research on methods and techniques for defending against malicious code. The proposed trusted-base detection method can detect malicious code effectively, especially highly targeted malicious code that has not spread widely. Used together with existing detection products, it can achieve fast and effective detection of malicious code. Furthermore, the trusted-base detection idea studied here can be extended to the defense against malicious code, forming a system with both detection and blocking functions that better protects computer systems from attack by malicious code.

【Abstract】 Statistics indicate that malicious code has become one of the main threats to computer systems. As networks become more deeply intertwined with society, the purpose of releasing malicious code has turned from showing off to obtaining economic or political benefits; attacks have become more targeted, bringing more hidden security trouble to information systems. Most present products for detecting malicious code are based on signature-matching technology, so the validity of detection and removal relies on the update speed of the virus database. Furthermore, these products cannot work well when dealing with unknown malicious code. With the prevalence of the Internet and the application of new techniques, malicious code changes faster and faster, while the update speed of virus databases cannot keep up with this change. Aimed at the trend of malicious code and the shortage of present detection technology, the common features of malicious code are summarized and its mechanism is analyzed, and then a detection scheme for malicious code based on a trusted base (abbreviated TCB in the thesis) is proposed. The foundation of this detection scheme is that the integrity of the operating system (OS) changes when it is attacked by malicious code. A fiducial database, called the TCB, is built for diagnosis; it includes the OS states and configuration items that malicious code habitually changes. The feasibility of setting up the TCB database on an OS not yet attacked by malicious code is demonstrated. In addition, a malice weight table for suspicious files is built from hidden processes, communications and auto-loading, based on the analysis of malicious code mechanisms and on experiments. Finally, the detection conclusion is derived by comparing the OS state of the target computer with the corresponding data in the TCB database and considering the malice weight table. According to the aforementioned detection method, a prototype diagnosis system based on the TCB was implemented. This prototype can detect malicious code from processes, the modules loaded by processes, the Service Descriptor Table (SDT) and the drivers loaded by the computer. Finally, simulation experiments were carried out to evaluate the system using our approach; the experimental data and analysis results demonstrate that it is an effective method for detecting malicious code under Windows, and that in detecting unknown malicious code in particular it is much more effective than current detection products based on signature matching. In a word, this thesis analyzes the mechanisms of malicious code and explores their common features, and provides a theoretical foundation for developing methods and techniques for preventing malicious code. The new approach presented here, detecting malicious code based on the TCB, is effective; in particular, it is much more effective in detecting malicious code that has a clear attack target and does not spread on a large scale. High efficiency in detecting malicious code can be achieved by combining this approach with current virus-detection products. In addition, the idea of detecting malicious code based on the TCB in this thesis can be applied to preventing malicious code, producing a system with both detection and prevention functions, which can better protect the computer against attack by malicious code.
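The detection flow the abstract describes (compare a live snapshot against the trusted base, then score the deviations with the malice weight table) as an added example; this is illustrative code written for this page, not the thesis's prototype. The snapshots, the SSDT addresses, the weights and the threshold are constructed, hypothetical values.

```python
from difflib import SequenceMatcher

# Constructed trusted base (hypothetical values) for the four categories the
# prototype inspects: processes, modules per process, SSDT entries, drivers.
TRUSTED_BASE = {
    "processes": {"svchost.exe", "explorer.exe", "lsass.exe"},
    "modules": {"explorer.exe": {"ntdll.dll", "kernel32.dll"}},
    "ssdt": {"NtQuerySystemInformation": 0x80501000},  # constructed address
    "drivers": {"ntfs.sys", "tcpip.sys"},
}
# Malice weight table: the weights and threshold are illustrative assumptions.
WEIGHTS = {"hidden": 40, "connection": 20, "autoload": 25, "name_similarity": 15}
MALICIOUS_THRESHOLD = 50
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe")

def name_similarity(name):
    """Highest similarity ratio between a file name and well-known system names."""
    return max(SequenceMatcher(None, name.lower(), s).ratio() for s in SYSTEM_NAMES)

def diff_against_base(base, current):
    """Deviations of the current state from the trusted base, per category."""
    return {
        "new_processes": current["processes"] - base["processes"],
        # seen by low-level enumeration but missing from the user-visible list
        "hidden_processes": current["processes"] - current["user_visible"],
        "new_drivers": current["drivers"] - base["drivers"],
        "hooked_ssdt": {f for f, a in current["ssdt"].items() if base["ssdt"].get(f) != a},
        "new_modules": {(p, m) for p, mods in current["modules"].items()
                        for m in mods - base["modules"].get(p, set())},
    }

def score_process(name, dev, current):
    """Sum the weight-table entries that apply to one process."""
    score = WEIGHTS["hidden"] if name in dev["hidden_processes"] else 0
    score += WEIGHTS["connection"] if name in current["connections"] else 0
    score += WEIGHTS["autoload"] if name in current["autoload"] else 0
    score += WEIGHTS["name_similarity"] if name_similarity(name) >= 0.8 else 0
    return score

def diagnose(base, current):
    """Map each process absent from the trusted base to (score, verdict)."""
    dev = diff_against_base(base, current)
    verdicts = {}
    for proc in sorted(dev["new_processes"]):
        s = score_process(proc, dev, current)
        verdicts[proc] = (s, "malicious" if s >= MALICIOUS_THRESHOLD
                          else "suspicious" if s > 0 else "unlisted")
    return verdicts, dev

CURRENT_STATE = {  # constructed snapshot of a compromised host
    "processes": {"svchost.exe", "explorer.exe", "lsass.exe", "svch0st.exe", "notepad.exe"},
    "user_visible": {"svchost.exe", "explorer.exe", "lsass.exe", "notepad.exe"},
    "modules": {"explorer.exe": {"ntdll.dll", "kernel32.dll", "hook.dll"}},
    "ssdt": {"NtQuerySystemInformation": 0xF8A02000},  # differs from the base
    "drivers": {"ntfs.sys", "tcpip.sys", "rk.sys"},
    "connections": {"svch0st.exe"}, "autoload": {"svch0st.exe"},
}
```

`diagnose(TRUSTED_BASE, CURRENT_STATE)` flags the hidden, auto-loaded, connected look-alike process as malicious while reporting the hooked SSDT entry, the unknown driver and the injected module as base deviations for the analyst.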

  • 【Classification number】 TP309.5
  • 【Times cited】 3
  • 【Downloads】 209