Virtual Environment "Digital Footprint"
Published: 2018-06-18 10:40
Topic: digital footprint + virtual-environment memory forensics; Source: Sichuan Normal University, master's thesis, 2017
【Abstract】: With the rapid development of virtualization technology, more and more business applications of enterprises, universities and government agencies are being migrated into virtual environments. As virtualized workloads proliferate, network attacks targeting virtual environments are also increasing sharply, and these attacks pose a serious threat to the economy and security of nations and enterprises. At the same time, the growing stealth of attack techniques in virtual environments (for example, anti-forensic techniques) means that traditional memory forensics cannot cope effectively with forensic work in a virtual environment. Research into lossless extraction of memory evidence from virtual environments and reconstruction of malware attack behaviour is therefore of great significance for helping judicial and law-enforcement authorities rebuild evidence after an incident and combat cybercrime. This thesis studies and implements a dedicated memory forensics system for virtual environments, with three main contributions. First, it proposes a memory forensics model for the VMware virtual environment; the model improves the forensic workflow of existing memory forensics models and offers a repeatable forensic process, high accuracy of memory acquisition, high forensic efficiency and strong resistance to interference. Second, it proposes the virtual-environment "digital footprint": the digital features extracted by traditional memory forensics are defined as "digital patterns", and the dynamic behavioural features those patterns form over a time series are defined as the "digital footprint", which captures more complete behavioural information than traditional "digital patterns" alone. Third, it proposes an improved K-means multi-source correlation analysis algorithm for malicious processes. The algorithm extends process relationships to a six-element relation of parent-child, name, time, file, communication and account; the six-element correlation degree replaces the cosine distance of the traditional K-means algorithm, and a malicious-process initialization rule replaces its random initialization, giving high stability and high correlation completeness. By studying the memory management and address-translation mechanisms of the virtual environment, the thesis reconstructs volatile memory data, performs virtual-environment "digital footprint" extraction, malicious behaviour detection and malicious process correlation analysis, and finally achieves malware behaviour reconstruction, meeting the needs of judicial and law-enforcement authorities for practical application, in-depth analysis and lead tracing. Test results show that the proposed virtual-environment memory forensics model extracts volatile memory data of malware with high precision and accuracy; the virtual-environment memory forensics system achieves a high completeness rate for "digital footprint" extraction; and the improved K-means multi-source correlation analysis algorithm improves the malware behaviour analysis graph with a high correlation completeness rate. However, "digital footprint" extraction is still incomplete, the false-positive rate of malware behaviour reconstruction is somewhat high, and the problem of service interruption during memory extraction on the server version remains unsolved; these three points are directions for future work.
【Degree-granting institution】: Sichuan Normal University
【Degree level】: Master
【Year degree awarded】: 2017
【Classification number】: TP309
Article ID: 2035200
Link: http://www.sikaile.net/kejilunwen/ruanjiangongchenglunwen/2035200.html