

Author (English): Wei-Yun Hsiao
Title (English): A Real-time Defense Mechanism for DKOM-Rootkit
Advisors (English): Tong-Ying Juang, Chinyang Henry Tseng
Committee members (English): Tong-Ying Juang, Chinyang Henry Tseng, Bor-Shing Lin, Yue-Shan Chang, Chun-Ying Huang
Keywords (English): System security, Rootkit, Malware, Direct Kernel Object Manipulation, Kernel mode
The goal of this thesis is to propose a method for defending against and detecting rootkits. It first analyzes rootkit attack techniques and then studies the DKOM-Rootkit technique in depth. The thesis describes detection techniques and defense methods in detail, analyzes the strengths and weaknesses of each detection and defense approach, and then extracts and strengthens techniques from these approaches to design a defense against DKOM-Rootkit intrusion. To improve the speed, performance and accuracy of this mechanism, the thesis proposes an integrated detection-and-defense approach and method built on DKOM-based Windows rootkits. The mechanism designed in this thesis achieves good interception results and can also pinpoint the hidden addresses, leaving the rootkit nowhere to hide and ensuring the security of the computer system.

With computer technology now widely applied in every walk of life, all kinds of important information are stored on computers and transported over the Internet, so system security has become a popular research target. Because so many vulnerabilities exist in modern computer operating systems and the Internet, the operating system is vulnerable to many types of attack. One of the most popular attack techniques is the rootkit.
Rootkits use many technical tricks, so at present no one can claim that their antivirus product understands them and catches rootkits precisely. Furthermore, such products are helpless against unknown rootkits and complex rootkits that combine several techniques.
The goal of this thesis is to propose a defense and detection scheme for rootkits. It first analyzes rootkit attack techniques and then carries out in-depth research on DKOM technology. The thesis gives a detailed description of detection technologies and defense techniques, and then analyzes their advantages and disadvantages. Finally, it extracts techniques from those discussed above and enhances them to design a defense against rootkit invasion.
In order to improve capability and hit rate, a new defense and detection method is proposed that is based on the Windows DKOM-Rootkit. The proposed mechanism not only achieves interception but also points out the hidden address accurately, ensuring the security of computer systems.

Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation
1.3 Research Objectives
1.4 Thesis Structure
Chapter 2 Related Work
2.1 Rootkit Hiding Techniques
2.1.1 Modifying the Execution Path
2.1.2 Modifying Kernel Objects
2.2 Discussion of Detection Techniques
2.3 Discussion of Defense Strategies
Chapter 3 Design of the Defense and Detection Mechanism
3.1.1 Kernel Function Interception
3.2 Kernel Detection Design for Driver-type Rootkits
3.2.1 Traversing the List_Entry Linked List
3.2.2 LDR Range and Signature Detection Method
3.2.3 Cross-Comparison of PS and LDR
Chapter 4 Evaluation Results of the Detection and Defense Mechanism
4.1 Sample Analysis
4.1.1 Whitelist
4.1.2 Blacklist
4.1.3 Unknown Samples
4.2 Overall Performance Evaluation
4.2.1 Resource Usage of the Original System
4.2.2 Tests on Known Lists and Unknown Samples
4.2.3 Performance Comparison After Scanning
4.2.4 Defense Mechanism
Chapter 5 Conclusion
