
Design and Implementation of a Trojan Detection System Based on Network Communication Content

(Original title: 基于网络通信内容的木马检测系统设计与实现)

[Author] 姚姜源

[Supervisor] 周华春

[Author information] 北京交通大学 (Beijing Jiaotong University), Information Networks and Security, 2009, Master's thesis

[Abstract (translated)] The information age brought not only Internet applications but also network security threats. According to statistics, Trojans are the leading cause of information destruction and information theft, so effective Trojan detection and prevention has become a focus of attention. Most current Trojan detection and prevention methods are based on single-host protection; they cannot provide effective monitoring at the network level and are of little use to network regulatory authorities. Network detection built on intrusion detection systems mostly looks at communication ports rather than communication content, which makes it hard to identify Trojans accurately. To monitor Trojan threats in the network more effectively, a dedicated network Trojan detection system is essential. This thesis, supported by a network supervision project, therefore designs and implements a Trojan detection system based on network communication content. The thesis studies the basic principles and communication mechanisms of network Trojans, analyses existing Trojan detection techniques and products, and compares several packet capture technologies: traditional Libpcap based on the Berkeley Packet Filter, New-API (NAPI) interrupt mitigation, Memory-Map, the new PF_RING socket type and real-time interrupts; it also compares the naive pattern matching algorithm, the Knuth-Morris-Pratt algorithm, the Boyer-Moore algorithm and the Boyer-Moore-Horspool algorithm. It proposes a content-based Trojan detection method that uses a capture technique integrating PF_RING, NAPI and real-time interrupts together with the Boyer-Moore-Horspool matching algorithm. The thesis then gives a detailed design of the system. The system uses a distributed Client/Server architecture with four layers: packet capture, protocol analysis, Trojan detection and response. Its functions include high-speed packet capture, real-time protocol analysis that extracts key information, high-speed Trojan detection and TCP connection inspection, real-time output of detection results to a database, and forced blocking of specified TCP connections. After the detailed design of the system's structure and functions, the thesis implements the system and presents the implementation flow, key data structures and module interfaces of the server, the client, and the packet capture, protocol analysis, Trojan detection and response modules. After implementation, the key modules, the pattern matching algorithm and the TCP blocking function were tested individually, followed by an overall system test. The tests show that every function works normally and that the system is stable. In a high-traffic network of 800Mbit/s-900Mbit/s it delivers near line-rate packet capture and accurately detects ZXShell Trojan samples. Finally, the thesis summarises the work and outlines future directions. It is hoped that the Trojan detection system based on network communication content designed and implemented here can provide useful help for network security supervision in our country.

[Abstract] With the arrival of the information age, network security threats appeared alongside Internet applications. According to statistics, the Trojan has become the most serious cause of destruction and theft of information. Consequently, how to detect and prevent Trojans effectively has become a focus of attention. General Trojan detection methods today are based on single-computer security protection and cannot provide effective network monitoring for regulatory authorities. Detection methods based on Intrusion Detection Systems mostly focus on communication ports, and without the deeper content of the communication it is difficult to identify a Trojan accurately. To provide more effective Trojan detection, a new dedicated Network Trojan Detection System is necessary. This thesis, which grew out of a network security supervision project, designs and implements a Trojan Detection System Based on Network Communication Content. After researching the basic principles and communication mechanisms of Trojans, the thesis analyses the Trojan detection products on the market and compares a variety of packet capture technologies (BPF-based Libpcap, New-API, Memory-Map, PF_RING, Real-time IRQ) and pattern matching algorithms (simple pattern matching, Knuth-Morris-Pratt, Boyer-Moore, Boyer-Moore-Horspool). It then proposes a Trojan detection method based on network communication content that uses a packet capture technique integrating PF_RING, NAPI and Real-time IRQ together with the Boyer-Moore-Horspool (BMH) pattern matching algorithm. Subsequently, the thesis designs the Trojan Detection System Based on Network Communication Content in detail. The system is a distributed C/S system composed of four layers: the packet capture layer, the protocol analysis layer, the Trojan detection layer and the response layer.
The system captures packets on a 1000Mbit network at high speed and analyses protocols to extract key information in real time. It then detects Trojans and inspects TCP connections, and finally outputs the results to a database or interrupts TCP connections as a response. After designing the structure and functions of the system in detail, the thesis implements it and describes the implementation of the server, the client, the packet capture module, the protocol analysis module, the Trojan detection module and the response module with flow charts, data structures and interfaces. The key modules of the system, the pattern matching algorithm, the TCP interrupt function and the whole system were tested after implementation. According to the tests, every function of the system works normally and stably. The system captures packets at almost wire speed and accurately detects the Trojan sample called ZXShell in a network with a flow rate of 800Mbit/s to 900Mbit/s. Finally, the thesis summarises the system and puts forward directions for future work. This Trojan Detection System Based on Network Communication Content is expected to be of real help to the network supervision of our nation.
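The content-matching step the abstract describes, as an added illustration (example code, not the thesis's implementation): a byte-oriented Boyer-Moore-Horspool search over a reassembled payload, which is what lets a detector check payload bytes rather than just ports. The payload and the signature are constructed placeholders, not real ZXShell traffic or any real signature.

```c
#include <stddef.h>
#include <stdint.h>

#define ALPHABET 256  /* byte-oriented: payloads are binary, not text */

/* Build the Boyer-Moore-Horspool bad-character shift table for pattern pat.
   Any byte not among pat[0..m-2] moves the window by the full pattern length. */
static void bmh_build_shift(const uint8_t *pat, size_t m, size_t shift[ALPHABET]) {
    for (size_t c = 0; c < ALPHABET; c++)
        shift[c] = m;
    for (size_t i = 0; i + 1 < m; i++)
        shift[pat[i]] = m - 1 - i;
}

/* Return the offset of the first occurrence of pat (length m) in buf (length n),
   or -1 if absent. Bytes are compared right-to-left inside the window; on a
   mismatch the window jumps by the shift of the byte under its last position. */
long bmh_search(const uint8_t *buf, size_t n, const uint8_t *pat, size_t m) {
    size_t shift[ALPHABET];
    if (m == 0 || n < m)
        return -1;
    bmh_build_shift(pat, m, shift);
    for (size_t pos = 0; pos + m <= n; pos += shift[buf[pos + m - 1]]) {
        size_t j = m;
        while (j > 0 && buf[pos + j - 1] == pat[j - 1])
            j--;
        if (j == 0)
            return (long)pos;
    }
    return -1;
}

/* Constructed sample data (placeholder, not real Trojan traffic): a reassembled
   TCP payload containing an embedded NUL byte, and a placeholder signature. */
static const uint8_t SAMPLE_PAYLOAD[] =
    "GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n\x00\x01PLACEHOLDER_SIG\x02";
static const uint8_t SAMPLE_SIGNATURE[] = "PLACEHOLDER_SIG";

/* Scan the constructed payload for the placeholder signature. sizeof - 1 drops
   the literal's terminating NUL while keeping the embedded NUL in the payload. */
long scan_sample_payload(void) {
    return bmh_search(SAMPLE_PAYLOAD, sizeof(SAMPLE_PAYLOAD) - 1,
                      SAMPLE_SIGNATURE, sizeof(SAMPLE_SIGNATURE) - 1);
}
```

Because the search works on raw bytes with explicit lengths, it is safe to run over payloads that contain NUL bytes, which a strstr-style text search would silently truncate.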

  • [Classification code] TP393.08
  • [Cited by] 11
  • [Downloads] 838