Research on the Detection of Bot-Type Malicious Code
【Author】 陈兆冲 (Chen Zhaochong);
【Supervisor】 秦志光 (Qin Zhiguang);
【Author information】 University of Electronic Science and Technology of China (电子科技大学), Information and Communication Engineering, 2009, Master's thesis
【Abstract (translated from Chinese)】 With the continuous development of Internet technology and applications, enterprises and users face more and more information security problems. In recent years the spread of malicious code across networks in particular has posed a serious threat to network security and caused great economic losses. Bot-type malicious code combines the characteristics of viruses, Trojans and worms, accepts control commands from an attacker, and can direct thousands of hosts to attack a single target simultaneously, so its security threat is extremely serious. This kind of malicious code has attracted wide attention in the network security field. Addressing the security threat of malicious code and the problems of current detection techniques, this thesis proposes a behavior-feature detection method for malicious code based on a BP (back-propagation) neural network. The method remedies several shortcomings of current detection methods: signature matching cannot detect unknown malicious code, behavior analysis cannot reliably decide whether code is malicious, and pattern-recognition methods are affected by certain anti-detection techniques. A malicious code detection system is then implemented with this method, and finally its accuracy in detecting malicious code samples is tested. The following work was completed during the method research and system implementation: (1) A large number of samples of bot-type and other malicious code were collected. Sample collection techniques were studied, a sample collection platform was built to gather malicious code samples, and a malicious code feature library was established. (2) Several typical bot samples were analyzed in depth, and other types of malicious code were also analyzed to some extent; the behavior of malicious code was classified and analyzed by its features in each stage (propagation, control and attack), and a malicious code feature model based on a finite state machine (automaton) was established. (3) BP networks and machine learning methods were studied; the bot features obtained from the analysis were defined and quantified, and a BP network structure for malicious code detection was designed. Training samples were fed to the detection network so that it could learn, yielding a satisfactory network model. Besides bot-type malicious code, the detection network can also detect some Trojans and worms. (4) Based on the above results a malicious code detection system was designed, implementing classification and recognition of malicious code. Two key problems were solved in the implementation: analyzing the behavioral features of a sample's effect on the system while it runs, and capturing the control and attack information the sample transmits over the network. The system consists of three main modules: behavior monitoring, network monitoring and system restore. Functional tests were performed on the malicious code detection system, the detection accuracy on samples was measured, and the results were analyzed.
【Abstract】 With the popularization of computers and networks, enterprises and users are faced with a growing number of security issues. Recently, more and more malicious code spreading through the network has become a great threat to network security and has caused great economic losses. A bot integrates the characteristics of viruses, Trojans and worms, accepts control commands, and can direct thousands of hosts to simultaneously attack one target; it poses a great threat to security. This type of malicious code has aroused widespread concern in the field of network security. In response to the security threats of malicious code and the problems of current detection technology, this paper proposes a malicious code detection method based on behavioral characteristics and a BP (back-propagation) network. The method makes up for problems in current detection methods: signature-matching detection cannot detect unknown malicious code, behavior analysis methods cannot effectively judge malicious code, and pattern recognition methods are defeated by some anti-detection techniques. The paper then implements a malicious code detection system with this method and finally tests detection on samples. The work on the research method and the system implementation is as follows: (1) Many bot samples and samples of other types of malicious code are collected. Techniques for collecting malicious code samples are studied, a sample collection platform is built, and a malicious code sample database is set up. (2) Several typical bot samples and some other types of malicious code are analyzed. Behavior characteristics at the spread, control and attack stages are collected, and a finite state machine feature model is set up. (3) BP networks and machine learning methods are researched. The behavior characteristics of bots are defined and quantified. The BP network structure for detection is then designed, and training samples are fed in so that the detection network can learn, giving an ideal network model. The model can detect not only bots but also Trojans and worms. (4) A malicious code detection system is designed based on the above findings. The main functions of the system are malicious code classification and recognition. Two key problems are solved in our system: one is analyzing the samples' behavior and its impact on the system; the other is capturing the samples' control information and attack information during network transmission. Three modules are implemented in our system: behavior monitoring, network monitoring and system restore. The functions of the detection system are tested, the accuracy of sample detection is measured, and the test results are analyzed.
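Both abstracts describe the same pipeline in one sentence: behaviour features observed in the propagation, control and attack stages are defined and quantified into a vector, and a BP (back-propagation) network is trained on labelled samples to separate bots from benign programs. The following Python block is an added, self-contained example of that pipeline; it is not code from the thesis, and its event names, stage assignments, training samples and network size (8 inputs, 4 hidden units, 1 output) are constructed for illustration rather than taken from the work described.

```python
import math
import random

# Constructed behaviour catalogue for this example (the thesis's own feature set is not
# given on the page). Each observable event is assigned to the lifecycle stage it belongs to.
STAGE_OF_EVENT = {
    "self_copy": "spread", "autorun_key": "spread", "scan_lan_ports": "spread",
    "irc_connect": "control", "http_beacon": "control", "recv_command": "control",
    "syn_flood": "attack", "mass_smtp": "attack",
}
FEATURE_NAMES = list(STAGE_OF_EVENT)
CAP = 5  # counts above this are treated as "many"; keeps every feature in [0, 1]


def quantify(events):
    """Quantify a list of observed events into a fixed-length feature vector.
    Events outside the catalogue are ignored; each count is capped and scaled to [0, 1]."""
    counts = {name: 0 for name in FEATURE_NAMES}
    for ev in events:
        if ev in counts:
            counts[ev] += 1
    return [min(counts[name], CAP) / CAP for name in FEATURE_NAMES]


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class BPNetwork:
    """One-hidden-layer sigmoid network trained with plain back-propagation (SGD on squared error)."""

    def __init__(self, n_in, n_hidden, seed=1):
        rng = random.Random(seed)  # fixed seed so the example is reproducible
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]

    def forward(self, x):
        xb = x + [1.0]                                   # append bias input
        h = [sigmoid(sum(w * v for w, v in zip(row, xb))) for row in self.w1]
        o = sigmoid(sum(w * v for w, v in zip(self.w2, h + [1.0])))
        return h, o

    def train(self, data, epochs=5000, lr=0.5):
        for _ in range(epochs):
            for x, target in data:
                h, o = self.forward(x)
                xb, hb = x + [1.0], h + [1.0]
                d_o = (o - target) * o * (1.0 - o)                      # output delta
                d_h = [d_o * self.w2[j] * h[j] * (1.0 - h[j]) for j in range(len(h))]
                for j in range(len(hb)):                                # hidden -> output weights
                    self.w2[j] -= lr * d_o * hb[j]
                for j in range(len(h)):                                 # input -> hidden weights
                    for i in range(len(xb)):
                        self.w1[j][i] -= lr * d_h[j] * xb[i]

    def predict(self, x):
        return self.forward(x)[1]


# Constructed labelled samples: 1.0 = bot, 0.0 = benign. Bots show spread, a command
# channel and attack traffic; benign programs show isolated behaviours and no command channel.
TRAINING_SAMPLES = [
    (["self_copy", "autorun_key", "irc_connect", "recv_command", "recv_command",
      "syn_flood", "syn_flood", "syn_flood"], 1.0),
    (["scan_lan_ports"] * 4 + ["irc_connect", "recv_command", "mass_smtp", "mass_smtp"], 1.0),
    (["autorun_key", "http_beacon", "recv_command", "scan_lan_ports", "scan_lan_ports"], 1.0),
    (["self_copy", "self_copy", "irc_connect", "recv_command", "syn_flood"], 1.0),
    ([], 0.0),
    (["autorun_key"], 0.0),              # an application registering itself to start at boot
    (["self_copy", "autorun_key"], 0.0), # an installer
    (["scan_lan_ports"], 0.0),           # a network inventory tool
    (["http_beacon"], 0.0),              # a periodic update check with no command received
]
HELD_OUT_BOT = ["irc_connect", "recv_command", "recv_command", "syn_flood", "self_copy"]
HELD_OUT_BENIGN = ["autorun_key", "autorun_key", "open_file"]  # open_file is not a tracked feature


def train_detector(seed=1):
    net = BPNetwork(len(FEATURE_NAMES), 4, seed)
    net.train([(quantify(ev), label) for ev, label in TRAINING_SAMPLES])
    return net


def classify(net, events, threshold=0.5):
    """True if the network scores the sample's behaviour as bot-like."""
    return net.predict(quantify(events)) >= threshold


def training_accuracy(net):
    hits = sum(classify(net, ev) == (label == 1.0) for ev, label in TRAINING_SAMPLES)
    return hits / len(TRAINING_SAMPLES)


if __name__ == "__main__":
    net = train_detector()
    print("training accuracy:", training_accuracy(net))
    print("held-out bot    -> score %.3f" % net.predict(quantify(HELD_OUT_BOT)))
    print("held-out benign -> score %.3f" % net.predict(quantify(HELD_OUT_BENIGN)))
```

The separation of "define features" (`STAGE_OF_EVENT`, `quantify`) from "learn the model" (`BPNetwork`) is the point: the detector generalises to unseen samples only as well as the feature definitions capture the stages the abstracts name, and a sample that exercises none of the catalogued behaviours (here `open_file`) contributes nothing to the score, which is the blind spot a feature-based detector must be reviewed for.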
【Key words】 malicious code; bot; botnet; BP network; behavior character; detection;