基于免疫的Rootkit渗透攻击机理分析与检测方法研究

项目名称： 基于免疫的Rootkit渗透攻击机理分析与检测方法研究

项目编号： No.61262077

项目类型： 地区科学基金项目

立项/批准年度： 2013

项目学科： 自动化技术、计算机技术

项目作者： 张瑜

作者单位： 海南师范大学

项目金额： 45万元

中文摘要： 捕获并检测Rootkit动态行为，可有效发现隐形恶意代码，预防网络渗透攻击。本项目在前期研究捕获Rootkit的IRP行为和免疫检测的基础上，进一步研究Rootkit动态行为捕获与特征提取方法和Rootkit免疫检测方法。主要包括：①通过分析Rootkit的指令代码与动态行为，揭示Rootkit渗透攻击机理与规律，为捕获Rootkit行为提供理论支撑；②利用内核驱动编程和Hook技术，捕获Rootkit的系统调用、IRP请求、NDIS请求等动态行为，并提取其行为特征，为进一步的Rootkit检测提供支持；③借鉴计算机免疫系统原理，通过Rootkit检测器动态演化与检测匹配算法设计，研究Rootkit动态检测方法。本项目可促进Rootkit渗透攻击机理分析与捕获技术的进一步发展，拓展Rootkit免疫检测研究的新思路；同时，对于构建具有自主产权的Rootkit安全防御产品具有重要的参考价值。

中文关键词： 计算机免疫系统；Rootkit；渗透攻击检测；行为分析；

英文摘要： A Rootkit, or more generically stealth malware, is designed to hide the existence of certain processes or programs from normal methods of detection and enables continued privileged access to a computer. Once installed it becomes possible to hide the intrusion as well as to maintain privileged access.Generally, Rootkits use different mechanisms to achieve this kind of stealth. Some of the mechanisms that rootkits have used include replacing system binaries, replacing standard system libraries with corresponding trojanised versions and subverting the kernel data structures. The threat of rootkits is even more since the actions of the attacker can go undetected by many detection tools. Therefore, Rootkit detection is an effective way to prevent stealth network intrusion and exploit. However, the fundamental problem with Rootkit detection is the capture of it. Moreover, the mechanism with which Rootkits interact with operating system must be carefully studied before designing effectively approaches to capture them. So, the proposed project will focus primarily on the mechanism of Rootkit, the capture of Rootkit dynamic behavior, the extraction of its behavior features, and the immunity-based Rootkit detection. It mainly includes the follows: ①The mechanism of Rootkits exploit attack. The analysis of Rootkit instruct

英文关键词： Computer Immune System；Rootkit；Exploit Attacks Detection；Behavior Analysis；