Netinfo Security ›› 2020, Vol. 20 ›› Issue (11): 32-42. doi: 10.3969/j.issn.1671-1122.2020.11.005


Malicious Code Forensics Method Based on Hidden Behavior Characteristics of Rootkit on Linux

WEN Weiping, CHEN Xiarun, YANG Fachang

  1. School of Software and Microelectronics, Peking University, Beijing 102600, China
  • Received: 2020-07-08 Online: 2020-11-10 Published: 2020-12-31
  • Contact: WEN Weiping E-mail: weipingwen@ss.pku.edu.cn

Abstract:

In recent years, with the continuous development of the Internet, network security problems have kept emerging. In the fight against these threats, forensics has always been a major difficulty. This is especially true on the Linux platform, where most mainstream open source forensics tools lag behind, are inefficient, and cannot obtain evidence from hidden Trojans. In Linux forensics research, Rootkit Trojans are strongly concealed and highly damaging, so traditional detection methods struggle to detect them effectively. To address these problems, this paper starts from the behavior and implementation techniques of Rootkits, studies and analyzes their startup mechanism and memory-resident mechanism, extracts malicious code behaviors as detection features, and proposes a Linux malicious code forensics method based on the hidden behavior characteristics of Rootkits. Experimental results show that the proposed forensics method detects and collects evidence on various types of Linux malicious code well, and has clear advantages in detection effectiveness over traditional forensics methods.

Key words: computer forensics, Rootkit, malicious code, Linux system
