Research and Implementation of Trojan Detection Technology Based on Behavior Analysis
Master's Thesis
(Master of Engineering)
Research and Implementation of Trojan Detection Technology Based on Behavior Analysis
THE RESEARCH AND IMPLEMENTATION OF ANTI-TROJAN TECHNOLOGY BASED ON BEHAVIOR ANALYSIS
Huang Shengsheng
June 2008
Chinese Library Classification: TP309.5
U.D.C.: 621.3
Dissertation for the Master of Engineering Degree
Research and Implementation of Trojan Detection Technology Based on Behavior Analysis
Candidate: Huang Shengsheng
Supervisor: Prof. Zhang Hongli
Associate Supervisor: Sr. Engineer Chen Rui
Degree applied for: Master of Engineering
Discipline and speciality: Software Engineering
Affiliation: School of Software
Date of defence: June 2008
Degree-conferring institution: Harbin Institute of Technology
Classified Index: TP309.5
U.D.C.: 621.3
Dissertation for the Master's Degree in Engineering
THE RESEARCH AND IMPLEMENTATION OF ANTI-TROJAN TECHNOLOGY BASED ON BEHAVIOR ANALYSIS
Candidate: Huang Shengsheng
Supervisor: Prof. Zhang Hongli
Associate Supervisor: Sr. Engineer Chen Rui
Academic Degree Applied for: Master of Engineering
Speciality: Software Engineering
Affiliation: School of Software
Date of Defence: June 2008
Degree-Conferring Institution: Harbin Institute of Technology
Harbin Institute of Technology, Master of Engineering Dissertation
Abstract (translated from the Chinese)
This thesis presents our results in the automatic identification of Trojans. It first briefly describes the difficulties that current anti-virus technology faces when countering Trojan attacks, with emphasis on the problems met when signature matching is used. It then argues that behavior analysis technology can effectively resolve these difficulties. On this basis we propose a framework for the automatic, behavior-analysis-based analysis of Trojan samples, and build a product prototype on this framework to verify the feasibility of the approach. We also discuss the key technologies and underlying theory involved in the framework and look ahead to its future development.
Within this system we implement complete interception of sample behavior and recording of behavior sequences, and automatic analysis of Trojan samples through a machine-learning-based classifier. In the system framework, an interface-based architecture allows the classifier to be implemented with different classification algorithms; in the prototype built on this framework, the classifier is implemented with the naive Bayes algorithm. To give the classifier optimized support, the framework introduces further techniques that filter and transform the behavior records. The system uses a normalizer to transform the behavior records so as to improve the classifier's generalization ability, and an IDF filter to discard unimportant behavior data so as to improve the system's efficiency.
The research results described in this thesis and the implementation methods it provides have been put to practical use in Kingsoft Corporation's internal research on behavior analysis. Development of the system has been completed. Practice has shown that the technical scheme proposed here has good practical value and effect.
Keywords: anti-virus; machine learning; anti-Trojan; behavior analysis; Bayesian classification
Abstract
This paper briefly introduces our achievements in automatic Trojan detection. It first describes the difficulties that current anti-virus technology faces when dealing with Trojan attacks, especially when signature matching is used. It then points out that behavior analysis technology will be an effective solution to these problems. To verify the feasibility, this paper proposes an automatic Trojan detection framework based on behavior analysis, and a prototype system developed with this framework. Moreover, the paper discusses the key technology and relevant basic theory related to the framework and outlines its future development.
The framework achieves complete behavior interception and recording, and supports automatic Trojan detection by a classifier based on machine learning. Through an interface-based architecture, the classifier in this framework supports different algorithms; in the prototype system developed with this framework, the classifier uses the naive Bayes algorithm. The framework also introduces other techniques to filter and transform behavior records in order to give the classifier optimal support: a normalizer transforms all behavior records, which improves the generalization ability of the classifier, and an IDF filter removes unimportant records, which improves the efficiency of the system.
The methods and results presented in this paper have been applied in Kingsoft Corporation's internal research on behavior analysis. Development of the system has been completed. Practice has shown that this technical scheme has high practical value and good effects.
Key words: Antivirus; Machine Learning; Anti-Trojan; Behavior Analysis; Bayesian Classification
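The pipeline the abstract describes (intercepted behavior records, a normalizer that generalizes them, an IDF filter that drops uninformative behaviors, and a naive Bayes classifier) as an added Python example; it is not code from the thesis or from Kingsoft's system. The event format, the normalizer's rewrite rules and the labelled sample records are constructed assumptions.

```python
import math
from collections import Counter
# Constructed behavior records, one per sample: (label, [raw intercepted events]).
RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLES = [
    ("trojan", ["CreateFile:C:\\Windows\\System32\\svch0st.exe", "RegSetValue:" + RUN + "upd",
                "Connect:203.0.113.7:4444", "LoadLibrary:C:\\Windows\\System32\\kernel32.dll"]),
    ("trojan", ["CreateFile:C:\\Windows\\System32\\drv.sys", "RegSetValue:" + RUN + "svc",
                "Connect:198.51.100.9:8080", "LoadLibrary:C:\\Windows\\System32\\user32.dll"]),
    ("benign", ["CreateFile:C:\\Users\\alice\\Documents\\report.doc",
                "LoadLibrary:C:\\Windows\\System32\\kernel32.dll"]),
    ("benign", ["CreateFile:C:\\Users\\bob\\Pictures\\cat.jpg", "Connect:192.0.2.5:443",
                "LoadLibrary:C:\\Windows\\System32\\gdi32.dll"]),
]

def normalize(event):
    """Normalizer: replace concrete arguments with generalized classes (assumed rules)."""
    op, _, arg = event.partition(":")
    if op == "CreateFile":
        return op + (":<SYSTEM_DIR>" if arg.lower().startswith("c:\\windows") else ":<USER_DIR>")
    if op == "RegSetValue":
        return op + (":<RUN_KEY>" if "\\CurrentVersion\\Run\\" in arg else ":<OTHER_KEY>")
    if op == "Connect":
        return op + (":<PORT_443>" if arg.rsplit(":", 1)[1] == "443" else ":<PORT_NONSTD>")
    return op  # e.g. LoadLibrary: keep only the operation name

def idf_filter(docs, min_idf):
    """IDF filter: drop tokens that occur in (almost) every sample; they carry no signal."""
    df = Counter(tok for d in docs for tok in set(d))
    return {t for t, c in df.items() if math.log(len(docs) / c) >= min_idf}

class NaiveBayes:
    """Bernoulli naive Bayes over token presence, with Laplace smoothing."""
    def __init__(self, labeled, vocab):
        self.prior, self.cond = {}, {}
        for label in {l for l, _ in labeled}:
            docs = [set(d) for l, d in labeled if l == label]
            self.prior[label] = math.log(len(docs) / len(labeled))
            self.cond[label] = {t: (sum(t in d for d in docs) + 1) / (len(docs) + 2) for t in vocab}
    def predict(self, doc):
        present = set(doc)
        scores = {l: self.prior[l] + sum(math.log(p if t in present else 1 - p)
                                          for t, p in self.cond[l].items()) for l in self.prior}
        return max(scores, key=scores.get)

def build_detector(samples, min_idf=0.1):
    """Pipeline: normalize -> IDF filter -> train classifier; returns a predict function."""
    norm = [(l, [normalize(e) for e in evs]) for l, evs in samples]
    nb = NaiveBayes(norm, idf_filter([d for _, d in norm], min_idf))
    return lambda events: nb.predict(normalize(e) for e in events)
```

With these samples the universal LoadLibrary token has IDF 0 and is dropped, so classification rests on the system-directory write, the Run-key write and the non-standard outbound port.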
Contents
Abstract (Chinese) ... I
Abstract ... II
Chapter 1 Introduction ... 1
1.1 Background and purpose of the research ... 1
1.1.1 Definition of viruses and Trojan programs ... 1
1.1.2 Current state of the Trojan threat ... 2
1.1.3 Reasons for the proliferation of Trojans ... 2
1.1.4 Harm caused by Trojans ... 3
1.2 Survey of anti-Trojan research at home and abroad ... 3
1.2.1 Overview of the current state of anti-Trojan technology ... 3
1.2.2 Current state of behavior analysis in anti-virus applications ... 4
1.2.3 Current research on automatic analysis of sample behavior ... 5
1.3 Source of the project and research content ... 6
1.4 Main work and structure of this thesis ... 6
Chapter 2 Related anti-Trojan technologies ... 8
2.1 Signature matching and its difficulties ... 8
2.2 Host intrusion prevention systems ... 10
2.3 Behavior interception ... 11
2.4 Machine learning ... 14
2.5 Bloom filters ... 15
2.6 Chapter summary ... 16
Chapter 3 Design of a Trojan detection system based on behavior analysis ... 17
3.1 System requirements analysis ... 17
3.1.1 Reasons for not using signature matching ... 17
3.1.2 Advantages of behavior analysis ... 22
3.2 System framework and components ... 22
3.3 Classifier design ... 23
3.3.1 Basic principles of the classifier ... 23
3.3.2 Design of the classifier ... 24
3.3.3 Outlook for research on classification algorithms ... 28