Chinese title: 基于Rootkit隐藏行为特征的Linux恶意代码取证方法 (cited by: 4)

English title: Malicious Code Forensics Method Based on Hidden Behavior Characteristics of Rootkit on Linux


Authors: WEN Weiping [1]; CHEN Xiarun; YANG Fachang (School of Software and Microelectronics, Peking University, Beijing 102600, China)

Affiliation: [1] School of Software and Microelectronics, Peking University, Beijing 102600, China

Source: Netinfo Security (《信息网络安全》), 2020, No. 11, pp. 32-42 (11 pages)

Funding: National Natural Science Foundation of China [61872011].

Abstract: In recent years, as the Internet has continued to develop, network security problems have emerged one after another, and forensics has remained a hard problem in countering them. This is especially true on the Linux platform, where most mainstream open-source forensic tools lag behind current threats, are inefficient, and cannot collect evidence from highly concealed Trojans. In Linux forensics research, Rootkit Trojans are both strongly concealed and highly damaging, and traditional detection methods struggle to detect them effectively. To address these problems, this paper starts from the behaviour and implementation techniques of Rootkits, studies and analyses their startup mechanisms and memory-resident mechanisms, distils malicious-code behaviours into detection features, and proposes a Linux malicious code forensics method based on Rootkit hiding behaviour characteristics. Experiments show that the proposed method achieves good detection and evidence-collection results on various kinds of Linux malicious code and has a clear advantage in detection effectiveness over traditional forensic methods.

Keywords: computer forensics; Rootkit; malicious code; Linux system

Classification: TP309 [Automation and Computer Technology: Computer System Architecture]
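The abstract describes using a Rootkit's hiding behaviour itself as the detection feature. The classic practical form of that idea is a cross-view check: take two independent views of the same object set (running processes, loaded kernel modules) and treat anything present in one view but filtered from the other as hiding. The block below is an added example written for this record; it is not code from the paper and does not reproduce the authors' method. It assumes two common hiding techniques that the paper does not spell out: a process-hiding rootkit filters the readdir/getdents listing of /proc while /proc/<pid> still resolves by explicit path, and an LKM rootkit that unlinks itself from the kernel module list drops out of /proc/modules (lsmod) while its /sys/module/<name> entry remains. The sample /proc/modules text, the name `hidden_lkm`, and the helper names are constructed for illustration.

```python
"""Cross-view detection of Rootkit hiding behaviour on Linux (added example).

Assumptions, not taken from the paper: a process-hiding rootkit filters the
readdir/getdents listing of /proc but the per-PID directory still resolves by
explicit path; an LKM rootkit unlinked from the module list vanishes from
/proc/modules while its /sys/module/<name> kobject remains. Each check
compares two independent views of one object set and reports disagreements.
"""
import os
from typing import Dict, Iterable, List, Set, TypeVar

T = TypeVar("T")


def diff_views(listed: Iterable[T], probed: Iterable[T]) -> Dict[str, List[T]]:
    """'hidden': probed but not listed (hiding indicator).
    'phantom': listed but not probed (usually a race, e.g. the process exited
    between the two views; not a hiding indicator)."""
    listed_set, probed_set = set(listed), set(probed)
    return {
        "hidden": sorted(probed_set - listed_set),
        "phantom": sorted(listed_set - probed_set),
    }


# ---- processes: readdir view vs. explicit-path view ----------------------

def listed_pids(proc: str = "/proc") -> Set[int]:
    """The readdir view: the one a getdents-hooking rootkit filters."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def is_thread_group_leader(proc: str, pid: int) -> bool:
    """/proc/<tid> also resolves for bare thread IDs that readdir never lists;
    keeping only entries with Tgid == pid avoids flagging every thread."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return True  # unreadable or no Tgid line: keep it for the analyst


def probed_pids(proc: str = "/proc", max_pid: int = 0) -> Set[int]:
    """The explicit-path view: stat /proc/<pid> for every candidate PID.
    Path lookup bypasses readdir, so a hidden running process still resolves.
    Costs one stat() per PID up to pid_max (4194304 on most 64-bit kernels)."""
    if max_pid <= 0:
        try:
            with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
                max_pid = int(fh.read().strip())
        except (OSError, ValueError):
            max_pid = 32768  # old kernel default; assumption for other hosts
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(os.path.join(proc, str(pid)))
        except FileNotFoundError:
            continue
        except PermissionError:
            pass  # exists but restricted (e.g. hidepid mount option)
        if is_thread_group_leader(proc, pid):
            found.add(pid)
    return found


# ---- kernel modules: /proc/modules view vs. sysfs view --------------------

def parse_proc_modules(text: str) -> Set[str]:
    """Module names from /proc/modules (what lsmod prints): first field."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def sysfs_modules(sys_module: str = "/sys/module") -> Set[str]:
    """Loaded .ko modules keep a 'sections' directory under /sys/module;
    built-in code that only exposes parameters does not."""
    return {
        name for name in os.listdir(sys_module)
        if os.path.isdir(os.path.join(sys_module, name, "sections"))
    }


# Constructed sample data (not captured from a real host); hidden_lkm is made up.
SAMPLE_PROC_MODULES = (
    "ext4 745472 2 - Live 0xffffffffc0a00000\n"
    "mbcache 16384 1 ext4, Live 0xffffffffc09f0000\n"
)
SAMPLE_SYSFS_MODULES = {"ext4", "mbcache", "hidden_lkm"}


def scan(proc: str = "/proc", sys_module: str = "/sys/module") -> Dict[str, Dict[str, list]]:
    """Run both cross-view checks against the live host (Linux only)."""
    with open(os.path.join(proc, "modules")) as fh:
        lsmod_view = parse_proc_modules(fh.read())
    return {
        "processes": diff_views(listed_pids(proc), probed_pids(proc)),
        "modules": diff_views(lsmod_view, sysfs_modules(sys_module)),
    }


if __name__ == "__main__":
    print(diff_views(parse_proc_modules(SAMPLE_PROC_MODULES), SAMPLE_SYSFS_MODULES))
    for kind, result in scan().items():
        print(kind, result)
```

Run as root on a Linux host, `scan()` prints the hidden and phantom sets for processes and modules; on the constructed sample the module check reports `hidden_lkm` as hidden. Two caveats a practitioner should keep in mind: a rootkit that also deletes its sysfs kobject, or that hooks the path-lookup side as well as readdir, defeats this particular pair of views, and a phantom entry is normally just a process that exited between the two snapshots rather than evidence of tampering. Cross-view comparison is a heuristic for triage; it is not the feature extraction the paper itself performs on startup and memory-residency behaviour.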
