Research on Malicious Code Detection Technology Without Packet Reassembly
Published: 2018-06-04 06:55
Topic keywords: non-packet reassembly + detection. Source: University of Electronic Science and Technology of China, 2014 master's thesis
[Abstract]: When faced with a single object file, a host-based detection system has the stronger detection capability, but the installation and operating cost of each detection device is too high for large-scale deployment across a network. In practice, therefore, network-based detection systems have a wider range of application scenarios and can be deployed at more network nodes. Given this, improving the per-device detection capability of a network malicious code detection system lets the system perform better against malicious code intrusions and achieve better results in network security defense. A network-based malicious code detection system has a large number of front-end detection devices, but they are relatively low-end and cheap per unit, and cannot reassemble the traffic streams captured on the network the way host-based detection does; even where they can, it is slow and laborious, and once processing falls behind the traffic rate, large numbers of captured packets are dropped. Current network-level malicious code detection systems can only match behavioral rule patterns: the attacks they detect are either the malicious behavior of malware already planted inside the network segment, or attacks from the external network against the intranet; like host-based detection, they cannot react to the process by which the virus is planted. If the advantages of the two could be combined, applying the host's ability to inspect files to the network detector's analysis of packets, the planting process itself could be detected.
As noted above, front-end devices cannot reassemble data because of their own limitations, so it would be highly significant if the front-end host of a detection system could determine whether a packet carries malicious code without reassembling it. Under the precondition of no packet reassembly, matching signatures directly against the content of a single packet and raising an alert on suspicious packets can significantly strengthen the detection capability of the front-end hosts of a network-based malicious code detection system, ultimately making it possible to detect anomalies while a virus is still spreading. The key technical difficulty in realizing this scheme is how to design a signature scanning detection engine suited to malicious code detection without packet reassembly; such an engine involves signature selection, signature database construction, and an efficient signature matching algorithm. Although complete signature scanning technologies already exist, their application scenario is the host-based malicious code detection system: they generally select long signatures and match precisely, but place little demand on matching speed. Applying them mechanically in a network environment would lead to signatures being easily truncated across packets, and to matching too slow to keep the system from discarding large numbers of packets. This thesis focuses on designing and implementing a signature scanning technique suited to a malicious code detection system without packet reassembly, working through the key steps, implementing the system, and finally verifying it by testing.
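The truncation problem the abstract describes, as an added illustration that is not code from the thesis: a multi-pattern matcher (Aho-Corasick) is run over each packet payload separately, and a constructed host-style long signature is missed once it straddles a segment boundary, while short signatures cut from it still fire on individual packets. The marker, payload and segment size are constructed for the demo.

```python
# Added example, not part of the thesis: per-packet signature scanning without
# reassembly. All signatures and payloads below are constructed for the demo.
from collections import deque

class SignatureScanner:
    """Multi-pattern byte matcher (Aho-Corasick): one pass covers every signature."""

    def __init__(self, signatures):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for name, pattern in signatures.items():
            state = 0
            for b in pattern:                       # build the trie
                if b not in self.goto[state]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].add(name)
        queue = deque(self.goto[0].values())        # depth-1 states keep fail = 0
        while queue:                                # BFS to fill failure links
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit suffix matches

    def scan(self, data):
        """Return the set of signature names found in one contiguous byte string."""
        hits, state = set(), 0
        for b in data:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits |= self.out[state]
        return hits

def split_payload(payload, segment_size):
    """Model segmentation: the file is carried in fixed-size packet payloads."""
    return [payload[i:i + segment_size] for i in range(0, len(payload), segment_size)]

def scan_packets(scanner, packets):
    """Per-packet scanning with no reassembly: {packet index: signatures hit}."""
    return {i: h for i, p in enumerate(packets) if (h := scanner.scan(p))}

MARKER = b"CONSTRUCTED_LONG_SIGNATURE_FOR_DEMO"     # constructed 35-byte file signature
PAYLOAD = b"A" * 20 + MARKER + b"B" * 20             # constructed "file" in transit
SIGNATURES = {"long": MARKER, "head": MARKER[:8], "tail": MARKER[-8:]}
```

With a 40-byte segment size the reassembled payload hits all three signatures, but per-packet scanning only reports "head" in packet 0 and "tail" in packet 1, which is the motivation for choosing short signatures for the front-end engine.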
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master
[Year of degree award]: 2014
[Classification number]: TP393.08
Article number: 1976427
Article link: http://www.sikaile.net/guanlilunwen/ydhl/1976427.html