
National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)



Author (Chinese): 蕭維昀
Author (English): Wei-Yun Hsiao
Thesis title (Chinese): 基於DKOM-Rootkit之即時防禦機制
Thesis title (English): A Real-time Defense Mechanism for DKOM-Rootkit
Advisors (Chinese): 莊東穎, 曾俊元
Advisors (English): Tong-Ying Juang, Chinyang Henry Tseng
Committee members (Chinese): 莊東穎, 曾俊元, 林伯星, 張玉山, 黃俊穎
Committee members (English): Tong-Ying Juang, Chinyang Henry Tseng, Bor-Shing Lin, Yue-Shan Chang, Chun-Ying Huang
Oral defense date: 2014-07-28
Degree: Master's
Institution: National Taipei University (國立臺北大學)
Department: Department of Computer Science and Information Engineering (資訊工程學系)
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2014
Graduation academic year: 102
Language: Chinese
Pages: 43
Keywords (Chinese): system security, malware, direct kernel object manipulation, kernel mode, Rootkit
Keywords (English): System security, Rootkit, Malware, Direct Kernel Object Manipulation, Kernel mode
As computers have become widespread in every industry, large amounts of important information are stored in computer systems and transmitted over networks, and system security has become a popular research direction. Because today's networks and operating systems contain many security vulnerabilities, operating systems are exposed to all kinds of attacks, and one widely used attack technique is the rootkit. Rootkit techniques are highly varied; no antivirus vendor can currently claim to understand them fully and catch every rootkit, and they are even more helpless against unknown and composite rootkits.
The goal of this thesis is to propose a method for defending against and detecting rootkits. It first analyzes rootkit attack techniques and then studies DKOM-based rootkit techniques in depth. The thesis describes detection and defense techniques in detail, analyzes the strengths and weaknesses of each approach, and extracts and strengthens techniques from them to design a defense against DKOM rootkits. To improve the speed, performance and accuracy of this mechanism, the thesis proposes an integrated detection-and-defense approach built around DKOM-based Windows rootkits. The proposed mechanism achieves good interception results and can precisely locate the hidden addresses, leaving rootkits nowhere to hide and ensuring the security of the computer system.

With computer technology widely applied in every walk of life, all kinds of important information are stored in computers and transported over the Internet, so system security has become a popular research target. Because so many vulnerabilities exist in modern operating systems and the Internet, the operating system is vulnerable to many types of attack. One of the most popular attack techniques is the rootkit.
Rootkits use many technical tricks, so no antivirus vendor can claim today that its product fully understands them and catches rootkits precisely. Such products are also helpless against unknown and complex-type rootkits.
The goal of this thesis is to propose a defense and detection scheme for rootkits. It first analyzes rootkit attack techniques and then carries out in-depth research on DKOM technology. The thesis discusses detection technologies and defense techniques in detail and analyzes their advantages and disadvantages. Finally, it extracts techniques from the above, enhances them, and designs them to oppose rootkit invasion.
To improve capability and hit rate, a new defense and detection method is proposed, based on Windows DKOM rootkits. The proposed mechanism not only achieves interception but also points out the hidden address accurately, ensuring the security of computer systems.

Table of Contents
ABSTRACT
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation
1.3 Research Objectives
1.4 Thesis Organization
Chapter 2 Related Work
2.1 Rootkit Hiding Techniques
2.1.1 Modifying the Execution Path
2.1.2 Modifying Kernel Objects
2.2 Detection Techniques
2.3 Defense Strategies
Chapter 3 Design of the Defense and Detection Mechanism
3.1 Design of the Defense Mechanism for Windows Rootkits
3.1.1 Kernel Function Interception
3.2 Design of Kernel Detection for Driver-Type Rootkits
3.2.1 Traversing the List_Entry Linked List
3.2.2 LDR Range and Signature Detection
3.2.3 Cross-Comparison of PS and LDR
3.3 Repairing Kernel Object Links
Chapter 4 Evaluation Results of the Detection and Defense Mechanism
4.1 Sample Analysis
4.1.1 Whitelist
4.1.2 Blacklist
4.1.3 Unknown Samples
4.2 Overall Performance Evaluation
4.2.1 Resource Usage of the Original System
4.2.2 Tests on Known Lists and Unknown Samples
4.2.3 Post-Scan Performance Comparison
4.2.4 Defense Mechanism
Chapter 5 Conclusion
References
