Netinfo Security ›› 2020, Vol. 20 ›› Issue (11): 32-42. doi: 10.3969/j.issn.1671-1122.2020.11.005

• Technical Research •

Malicious Code Forensics Method Based on Hidden Behavior Characteristics of Rootkit on Linux

WEN Weiping, CHEN Xiarun, YANG Fachang

  1. School of Software and Microelectronics, Peking University, Beijing 102600, China
  • Received: 2020-07-08 Online: 2020-11-10 Published: 2020-12-31
  • Contact: WEN Weiping, E-mail: weipingwen@ss.pku.edu.cn
  • About the authors: WEN Weiping (born 1976), male, from Hunan, professor, Ph.D.; main research interests: system and network security, big data and cloud security, intelligent computing security. CHEN Xiarun (born 1997), male, from Jiangxi, master's student; main research interests: network and system security, vulnerability discovery. YANG Fachang (born 1995), male, from Henan, master's student; main research interests: system security, computer forensics.
  • Funding: National Natural Science Foundation of China (61872011)


Abstract:

In recent years, as the Internet has continued to develop, network security problems have emerged endlessly, and forensics has always been a difficult problem when countering network security threats. Especially on the Linux platform, most mainstream open-source Linux forensics tools currently lag behind, are inefficient, and cannot obtain evidence from highly concealed Trojans. In Linux forensics research, Rootkit Trojans are strongly concealed and highly harmful, so traditional detection methods struggle to detect them effectively. To address these problems, this paper starts from the behavior and implementation techniques of Rootkits, studies and analyzes their startup mechanism and memory-resident mechanism, extracts malicious code behaviors as detection features, and proposes a Linux malicious code forensics method based on Rootkit hidden behavior characteristics. Experimental results show that the proposed forensics method detects and obtains evidence for various types of Linux malicious code well, and has obvious advantages in detection effect over traditional forensics methods.

Key words: computer forensics, Rootkit, malicious code, Linux system
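As an added illustration of the cross-view idea behind treating hiding itself as a detection feature (this is editor-supplied example code, not the paper's method or implementation), the following Python compares two enumeration paths for processes and for kernel modules on a Linux host; a rootkit that filters only one path leaves a discrepancy. The function names and the sample listings used in testing are constructed for this example.

```python
# Added example (not the paper's code): cross-view check for rootkit hiding.
# A rootkit usually filters one enumeration path (readdir on /proc, the
# /proc/modules listing) but not another (stat on /proc/<pid>, /sys/module);
# the difference between the two views is the forensic indicator.
import os
from typing import Callable, Iterable, List, Set

def hidden_items(trusted: Iterable[str], hooked: Iterable[str]) -> List[str]:
    """Items present in the harder-to-hook view but absent from the filtered one."""
    return sorted(set(trusted) - set(hooked))

def pids_from_listing(entries: Iterable[str]) -> Set[str]:
    """PIDs as returned by listing /proc (the view a readdir hook filters)."""
    return {e for e in entries if e.isdigit()}

def pids_by_probe(max_pid: int,
                  exists: Callable[[str], bool] = os.path.exists) -> Set[str]:
    """PIDs found by probing /proc/<pid> one by one, independent of readdir."""
    return {str(p) for p in range(1, max_pid + 1) if exists(f"/proc/{p}")}

def modules_from_proc_modules(text: str) -> Set[str]:
    """Module names from /proc/modules (first whitespace-separated field)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def loaded_modules_from_sysfs(entries: Iterable[str],
                              has_initstate: Callable[[str], bool]) -> Set[str]:
    """Loadable modules under /sys/module: only they carry an 'initstate' file,
    so built-in modules (which also get a directory there) are not reported."""
    return {name for name in entries if has_initstate(name)}

def live_scan() -> dict:
    """Run both comparisons on the local Linux host (needs /proc and /sys)."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    with open("/proc/modules") as f:
        proc_mods = modules_from_proc_modules(f.read())
    sys_mods = loaded_modules_from_sysfs(
        os.listdir("/sys/module"),
        lambda n: os.path.exists(f"/sys/module/{n}/initstate"))
    return {"hidden_pids": hidden_items(pids_by_probe(max_pid),
                                        pids_from_listing(os.listdir("/proc"))),
            "hidden_modules": hidden_items(sys_mods, proc_mods)}

if __name__ == "__main__":
    print(live_scan())
```

Processes that start or exit between the two views appear as transient differences, so repeat the scan before treating a PID as hidden; on hosts with a large pid_max the probe takes a few seconds.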
