Design and Implementation of a Behavior-Based Virus Detection System
Abstract
With the rapid development of computer technology, people have entered the information age while also being plagued by all kinds of security problems: computer networks are continually subjected to illegal intrusion, important information is continually stolen, and systems are even brought down. How to prevent and detect computer viruses effectively is a long-standing topic of research and development in the field of information security.
     Because of the development of computer networks and the rising skill of virus authors, the shortcomings of traditional virus detection techniques have become increasingly apparent, and they can hardly meet people's information security needs. Behavior-based virus detection uses the behavioral characteristics peculiar to viruses to detect them, and it can detect unknown viruses well. This detection technique adapts well to the new features that computer viruses are gradually exhibiting; it undoubtedly has great advantages and broad room for development, and should represent the development trend of virus detection technology for a considerable time to come.
     This thesis analyzes the behavioral characteristics of various computer viruses and implements a virus detection system based on behavioral characteristics. The system consists of four main functional modules: a file system monitoring module, a behavior detection module, a behavior analysis module, and a system recovery module. Before implementing the system, we first analyzed the behavioral characteristics of viruses and built a library of characteristic virus behaviors. Since the destructive behavior of viruses is mainly concentrated in modifying executable files or specific types of system files of the WINDOWS system, together with related entries in the registry, we implemented the system through the cooperation of a file filter driver and an application-layer program. The file filter driver is mainly responsible for constructing the virtual system and monitoring the file system; the application-layer program is mainly responsible for registry checking, extracting and analyzing virus behavior, and system recovery. Finally, we tested the system as a whole with a large number of virus samples.
Abstract (English version)
With the rapid development of computer technology, people are suffering all kinds of security problems while entering the information age: networks are invaded illegally, important information is stolen, and systems crash. How to prevent and detect viruses is a long-term research and development issue in the field of information security.
     With the development of networks and the improving skill of virus authors, the shortcomings of traditional virus detection technologies have become more obvious, and they find it difficult to meet people's needs for information security. Behavior-based virus detection technology uses the unique behavioral characteristics of viruses to detect them; it can successfully detect unknown viruses. This detection technology can adapt well to the new features of computer viruses. Undoubtedly it has tremendous advantages and broad development prospects, and will represent the development trend of virus detection technology for quite a long time.
     In this paper we analyzed the behavior characteristics of all kinds of viruses and implemented a virus detection system. The system is divided into four functional modules: a file system monitoring module, a behavior detection module, a behavior analysis module and a system recovery module. We first analyzed the behavior characteristics of all kinds of viruses and constructed a library of virus behavior characteristics. Since malicious behaviors are mainly concentrated in destroying executable files or system files of specific types, as well as the relevant registry keys, we implemented the system on a file filter driver cooperating with an application-layer program. The driver mainly constructs the virtual system and monitors the file system; the application handles registry checking, extracting and analyzing virus behaviors, and system recovery. Finally, we tested the system's performance using a number of virus samples.
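As an added illustration (not code from the thesis), the following Python sketch shows how the behavior analysis and recovery modules described above could fit together: events reported by a file filter driver and a registry checker are tagged against a small behavior feature library, each process is scored, and a shadow "virtual system" commits or discards that process's writes accordingly. The event format, tags, weights, threshold and sample trace are all constructed assumptions.

```python
from collections import defaultdict
SYSTEM_DIR = "c:\\windows\\system32\\"
PE_EXT = (".exe", ".dll", ".sys")
AUTORUN_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\run"
# Behavior feature library (tag -> weight) and threshold: constructed for this
# example, not the thesis's own values.
LIBRARY = {"write_system_pe": 4, "set_autorun": 3, "mass_pe_write": 3}
THRESHOLD = 6
def tag_event(ev):
    """Map one file-filter or registry-checker event to behavior tags."""
    t = ev["target"].lower()
    if ev["kind"] == "file_write" and t.startswith(SYSTEM_DIR) and t.endswith(PE_EXT):
        return {"write_system_pe"}
    if ev["kind"] == "reg_set" and t.startswith(AUTORUN_KEY):
        return {"set_autorun"}
    return set()
def analyze(events, mass_limit=3):
    """Behavior analysis: per-process tag set and library score."""
    tags, pe_writes = defaultdict(set), defaultdict(int)
    for ev in events:
        pid = ev["pid"]
        tags[pid] |= tag_event(ev)
        if ev["kind"] == "file_write" and ev["target"].lower().endswith(PE_EXT):
            pe_writes[pid] += 1
            if pe_writes[pid] >= mass_limit:  # one process touching many PE files
                tags[pid].add("mass_pe_write")
    return {pid: (sum(LIBRARY[x] for x in ts), ts) for pid, ts in tags.items()}
def verdicts(events):
    """True for each process whose score reaches THRESHOLD."""
    return {pid: s >= THRESHOLD for pid, (s, _) in analyze(events).items()}
class ShadowFS:
    """Virtual system: writes are held per process and committed to the real files
    only if the process is judged benign; otherwise they are discarded (recovery)."""
    def __init__(self, files):
        self.files, self.shadow = dict(files), defaultdict(dict)
    def write(self, pid, path, data):
        self.shadow[pid][path.lower()] = data
    def resolve(self, events):
        bad = verdicts(events)
        for pid in list(self.shadow):
            writes = self.shadow.pop(pid)
            if not bad.get(pid, False):
                self.files.update(writes)
        return self.files
SAMPLE_EVENTS = [  # constructed trace: pid 4242 behaves like a file infector
    {"pid": 4242, "kind": "file_write", "target": r"C:\Windows\System32\calc.exe"},
    {"pid": 4242, "kind": "file_write", "target": r"C:\Windows\System32\notepad.exe"},
    {"pid": 4242, "kind": "file_write", "target": r"C:\Program Files\App\app.exe"},
    {"pid": 4242, "kind": "reg_set", "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"pid": 1337, "kind": "file_write", "target": r"C:\Users\a\report.docx"},
]
```

A real deployment would receive the events from the filter driver and registry monitor rather than from an inline list, but the scoring and commit/discard logic is the same.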