信息网络安全 (Netinfo Security) ›› 2015, Vol. 15 ›› Issue (2): 57-65. doi: 10.3969/j.issn.1671-1122.2015.02.010

• Technical Research •

Research and Implementation of an Unknown Trojan Detection System Based on Feature Analysis and Behavior Monitoring

郝增帅 (HAO Zeng-shuai)1, 郭荣华 (GUO Rong-hua)2, 文伟平 (WEN Wei-ping)1, 孟正 (MENG Zheng)1

  1. School of Software and Microelectronics, Peking University, Beijing 102600, China
  2. Luoyang Electronic Equipment Test Center, Luoyang, Henan 471003, China
  • Received: 2014-12-12 Online: 2015-02-10 Published: 2015-07-05
  • Author biographies:

    HAO Zeng-shuai (1976-), male, from Shandong, engineer, M.S.; main research interests: information security evaluation, software engineering. GUO Rong-hua (1972-), male, from Hubei, associate research fellow, Ph.D.; main research interest: information security. WEN Wei-ping (1976-), male, from Hunan, associate professor, Ph.D.; main research interests: network attack and defense, malicious code research, information system reverse engineering and trusted computing technology. MENG Zheng (1990-), male, from Hebei, master's student; main research interests: system and network security, vulnerability analysis.

  • Funding:
    National Natural Science Foundation of China [61170282]

Research and Implementation on Unknown Trojan Detection System Based on Feature Analysis and Behavior Monitoring

HAO Zeng-shuai1, GUO Rong-hua2, WEN Wei-ping1(), MENG Zheng1   

  1. School of Software & Microelectronics, Peking University, Beijing 102600, China
  2. LEETC (Luoyang Electronic Equipment Test Center), Luoyang, Henan 471003, China
  • Received: 2014-12-12 Online: 2015-02-10 Published: 2015-07-05

Abstract (translated from the Chinese):

A Trojan is a malicious program whose main purpose is to steal users' personal information and file data, or even to control their computers remotely, and which hides itself as far as possible. In recent years, as hacking has become professionalized, profit-driven and organized, network intrusion and attack techniques have changed rapidly, and malicious code such as Trojans has become a major threat to China's network security. At present, Trojan detection usually relies on the detection capability of anti-virus software, which generally detects and removes Trojans by signature comparison and behavior recognition. This approach requires the anti-virus vendor to intercept and analyze Trojan samples, extract signatures from them and update the Trojan signature database before the Trojan can be recognized; it therefore lags badly and cannot detect or remove newly emerged Trojans or Trojans with no known signature. This paper examines Trojan anti-anti-virus techniques, hiding techniques and techniques for defeating active defense, and on that basis proposes a Trojan detection technique based on feature analysis and behavior monitoring, and completes the design and implementation of an unknown Trojan detection system. The system makes up, to a certain extent, for the shortcoming of existing anti-virus software and security measures, which can only detect, remove and monitor known Trojans but cannot identify or remove unknown ones.

Keywords: Trojan detection, Trojan detection and removal, feature analysis, behavior monitoring

Abstract:

A Trojan is a malicious program whose main purpose is to steal users' personal information and file data, or even to control their computers remotely, while hiding itself as far as possible. In recent years, hackers' behavior has become more professional, profit-driven and organized, and network intrusion and attack techniques change from day to day. Today, Trojan detection generally depends on the capability of anti-virus software, which usually detects and removes Trojans by signature comparison and behavior recognition. This approach requires the anti-virus vendor to intercept Trojan samples for analysis, extract signatures from them and update the Trojan signature database before the Trojan can be identified, so it lags badly and cannot remove new Trojans or Trojans without known signatures. This paper discusses anti-anti-virus techniques, hiding techniques and techniques for defeating active defense, proposes a Trojan detection method based on feature analysis and behavior monitoring, and completes the design and implementation of an unknown Trojan detection system. The system addresses the shortcoming of existing anti-virus software and security measures, which can only remove and monitor known Trojans but cannot identify and remove unknown ones.
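As an added illustration of the abstract's argument (not code from the paper or its system), the following Python contrasts a pure signature lookup with a weighted behavior-monitoring score over constructed samples: a repacked variant defeats the hash lookup but still trips the behavior rules. The hash database, behavior names, weights and threshold are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed signature database: hashes of samples a vendor has already
# intercepted, analysed and pushed out in a signature update.
KNOWN_SIGNATURES = {hashlib.sha256(b"constructed-trojan-v1").hexdigest()}

# Hypothetical behaviour rules and weights; the traits follow the abstract's
# description of Trojans (persistence, self-hiding, remote control, data theft).
BEHAVIOR_RULES = {
    "autorun_persistence": 3,  # registers itself to start at boot
    "process_hiding": 3,       # hides its window or injects into another process
    "outbound_c2": 2,          # unsolicited outbound connection to a remote host
    "file_harvest": 2,         # reads many user documents in a short time
    "av_tamper": 4,            # tries to stop or disable security software
}
ALERT_THRESHOLD = 6

@dataclass
class Sample:
    name: str
    content: bytes             # the file bytes the scanner hashes
    behaviors: list = field(default_factory=list)  # events seen while monitoring

def signature_match(sample):
    """Signature comparison: exact hash lookup, only works for seen samples."""
    return hashlib.sha256(sample.content).hexdigest() in KNOWN_SIGNATURES

def behavior_score(sample):
    """Behaviour monitoring: sum the weights of observed suspicious actions."""
    matched = [b for b in sample.behaviors if b in BEHAVIOR_RULES]
    return sum(BEHAVIOR_RULES[b] for b in matched), matched

def classify(sample):
    if signature_match(sample):
        return "known-trojan"
    score, _ = behavior_score(sample)
    return "suspicious-unknown" if score >= ALERT_THRESHOLD else "clean"

# Constructed samples: the known one, a repacked variant whose hash no longer
# matches, and a benign updater that only makes a network connection.
SAMPLES = [
    Sample("known_v1", b"constructed-trojan-v1",
           ["autorun_persistence", "outbound_c2"]),
    Sample("repacked_v2", b"constructed-trojan-v2",
           ["autorun_persistence", "process_hiding", "outbound_c2"]),
    Sample("benign_updater", b"constructed-updater", ["outbound_c2"]),
]

def scan_all(samples=SAMPLES):
    """Return a verdict per sample name."""
    return {s.name: classify(s) for s in samples}

if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:15s} -> {verdict}")
```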

Key words: Trojan detection, Trojan killing, feature analysis, behavior monitoring
