基于特征分析和行为监控的未知木马检测系统研究与实现  被引量：15

作　　者：郝增帅[1] 郭荣华 文伟平[1] 孟正[1] 

机构地区：[1]北京大学软件与微电子学院,北京102600 [2]洛阳电子装备试验中心,河南洛阳471003

出　　处：《信息网络安全》2015年第2期57-65,共9页Netinfo Security

基　　金：国家自然科学基金[61170282]

摘　　要：木马是以盗取用户个人信息和文件数据,甚至是以远程控制用户计算机为主要目的并尽可能隐藏自身的恶意程序。近年来,随着黑客行为的职业化、利益化和集团化,网络入侵与攻击手段日新月异,木马等恶意代码已成为我国网络安全的重要威胁。现阶段,木马检测通常依赖于病毒软件的检测能力,防病毒软件一般采用特征码比对和行为识别的方式进行木马查杀,这种方式需要防病毒软件拦截木马样本进行分析,提取木马样本,对木马特种库进行升级后对木马进行识别,滞后性很强,无法对新出现的或无已知特征的木马进行查杀。文章对木马反杀毒技术、隐藏技术、突破主动防御技术进行探讨,并以此为基础,提出基于特征分析和行为监控的木马检测技术,完成了未知木马检测系统的设计与实现,能够在一定程度上弥补现有防病毒软件及安全措施只能查杀和监测已知木马而不能识别和查杀未知木马的不足。Trojan is a malicious program that exists mainly to steal user＇s personal information and file data, and even to control user＇s computer remotely, while hides itself as far as possible. In recent years, the hacker＇s behavior has become more professional, interest-oriented, and group-organized, and network intrusion and attacking means have experienced daily changes. Nowadays, Trojan detection depends on the ability of anti-virus software in general, anti-virus software executes Trojan killing usually by using characteristic codes comparison and behavior recognition technology. This way needs anti-virus software to intercept the Trojan samples for analysis, extract the Trojan samples, and identify Trojan after upgrading the Trojan special library. So the hysteresis is very strong, which can＇t kill the new Trojans and the Trojans without known characteristics. This paper discusses technology against anti-virus, hiding technology and active defense breakthrough technology, puts forward the Trojan detection method based on feature analysis and behavior monitoring, and completes the design and realization of the unknown Trojan detection system. The system covers the shortage that the existing anti-virus software and security measures can only kill and monitor the known Trojans but can＇t identify and kill the unknown Trojans.

关 键 词：木马检测 木马查杀 特征分析 行为监控 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]