A rootkit, or more generically stealth malware, is designed to hide the existence of certain processes or programs from normal methods of detection while enabling continued privileged access to a computer. Once installed, it makes it possible both to hide the intrusion and to maintain privileged access. Rootkits generally use several mechanisms to achieve this kind of stealth, including replacing system binaries, replacing standard system libraries with trojanised versions, and subverting kernel data structures. The threat posed by rootkits is all the greater because the attacker's actions can go undetected by many detection tools. Rootkit detection is therefore an effective way to prevent stealthy network intrusion and exploitation. The fundamental problem in rootkit detection, however, is capturing the rootkit in the first place, and the mechanisms by which rootkits interact with the operating system must be studied carefully before effective approaches to capturing them can be designed. The proposed project therefore focuses primarily on the mechanism of rootkits, the capture of rootkit dynamic behavior, the extraction of its behavior features, and immunity-based rootkit detection. It mainly includes the following: ① The mechanism of rootkit exploit attacks. Analysis of rootkit instruction code and dynamic behavior reveals the rootkit exploit attack mechanism and provides theoretical support for capturing rootkit behavior. ② The capture of rootkit dynamic behaviors. The capture of rootkit behaviors (system service calls, I/O request packets, and NDIS packets) and the extraction of features from those behaviors are implemented with kernel driver programming and hook technology, and support the subsequent rootkit detection. ③ The detection of rootkits. Drawing inspiration from the human immune system and using mechanisms such as vaccination, self-tolerance, and affinity maturation, a dynamic approach to rootkit detection is built. The proposed project can advance the analysis of rootkit exploit attack mechanisms, improve the technology for capturing rootkits, and thereby develop a novel idea of immunity-based rootkit detection. Furthermore, the proposed project plays an important role in building rootkit defense products with independent property rights.
Capturing and detecting the dynamic behavior of rootkits can effectively reveal stealthy malicious code and prevent network penetration attacks. Building on our earlier work on capturing rootkit IRP behavior and on immune-based detection, this project further studies methods for capturing rootkit dynamic behavior and extracting its features, and immune-based rootkit detection methods. It mainly includes: ① analyzing rootkit instruction code and dynamic behavior to reveal the mechanism and regularities of rootkit penetration attacks, providing theoretical support for capturing rootkit behavior; ② using kernel driver programming and hook technology to capture rootkit dynamic behaviors such as system calls, IRP requests and NDIS requests, and extracting their behavior features to support further rootkit detection; ③ drawing on the principles of computer immune systems, studying dynamic rootkit detection methods through the dynamic evolution of rootkit detectors and the design of detection matching algorithms. This project can promote the further development of rootkit penetration attack mechanism analysis and capture technology and open new lines of research in immune-based rootkit detection; at the same time, it has important reference value for building rootkit security defense products with independent intellectual property rights.
Network attackers (hackers) use highly stealthy and highly destructive rootkit penetration attack techniques to remotely control target network systems, steal sensitive data, commit network fraud and obtain economic gain, which has created a serious threat to network security. Capturing and detecting the dynamic behavior of rootkits can effectively reveal stealthy malicious code and prevent network penetration attacks. Taking rootkits as the object of study, this project places rootkits in a virtual environment and studies their penetration attack mechanisms and behavior patterns in depth at the kernel level, revealing the internal mechanism and regularities of information hiding, the core function of a rootkit; on this basis it proposes methods for effectively capturing rootkit behavior and extracting its behavior features, and builds a dynamic rootkit detection method based on immune mechanisms. It mainly includes: ① analyzing rootkit instruction code and dynamic behavior to reveal the mechanism and regularities of rootkit penetration attacks, providing theoretical support for capturing rootkit behavior; ② using kernel driver programming and hook technology to capture rootkit dynamic behaviors such as system calls, IRP requests and NDIS requests, and extracting their behavior features to support further rootkit detection; ③ drawing on the principles of computer immune systems, studying dynamic rootkit detection methods through the dynamic evolution of rootkit detectors and the design of detection matching algorithms. The project's results address the analysis of rootkit penetration attack mechanisms, the dynamic capture of rootkit penetration attack behavior, and the dynamic characterization of an immune defense model against rootkit penetration attacks. The research has promoted the further development of rootkit penetration attack mechanism analysis and capture technology and opened new lines of research in immune-based rootkit detection; at the same time, it is of great significance for building a new generation of proactive rootkit security defenses with independent intellectual property rights.
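The abstracts above describe item ③, the detection stage, only in terms of immune mechanisms (vaccination, self-tolerance, affinity maturation, detector evolution and matching). The following Python block is an added illustration of how such a negative-selection detector set can be built over windows of captured behavior events; it is not the project's own code. Event names such as `NtQuerySystemInformation` or `IRP_MJ_DEVICE_CONTROL` are used as constructed placeholders for the system calls, IRP and NDIS requests a kernel-level capture driver would record, the benign and "known rootkit" traces are constructed sample data, and the r-contiguous matching rule and the one-position mutation used for maturation are assumptions of this example, not details taken from the page.

```python
"""Immune-style rootkit behavior detection over captured event traces.

Added illustration (not the project's own code): a detector set is built by
negative selection against benign "self" traces, seeded ("vaccinated") with
known rootkit behavior, then refined by affinity maturation. Event names and
traces are constructed placeholders, not real captures.
"""
import random

# Constructed vocabulary of captured kernel-level events (hypothetical names).
EVENTS = ["NtOpenFile", "NtReadFile", "NtWriteFile", "NtQuerySystemInformation",
          "NtCreateKey", "NtSetValueKey", "IRP_MJ_READ", "IRP_MJ_DEVICE_CONTROL",
          "NDIS_SEND", "NDIS_RECEIVE"]
WINDOW = 4  # events per feature window
R = 3       # r-contiguous matching threshold (assumed matching rule)


def windows(trace, size=WINDOW):
    """Slide a fixed-size window over a trace to produce feature tuples."""
    return [tuple(trace[i:i + size]) for i in range(len(trace) - size + 1)]


def affinity(a, b):
    """Longest run of contiguous positions where two windows agree."""
    best = run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        best = max(best, run)
    return best


def matches(detector, window, r=R):
    return affinity(detector, window) >= r


def is_self_tolerant(detector, self_windows, r=R):
    """Self-tolerance: a detector may not match any benign window."""
    return not any(matches(detector, w, r) for w in self_windows)


def negative_selection(self_windows, n_detectors, rng, r=R, max_tries=10000):
    """Generate random candidates and keep only those that tolerate self."""
    detectors = []
    for _ in range(max_tries):
        if len(detectors) >= n_detectors:
            break
        cand = tuple(rng.choice(EVENTS) for _ in range(WINDOW))
        if cand not in detectors and is_self_tolerant(cand, self_windows, r):
            detectors.append(cand)
    return detectors


def vaccinate(known_bad_traces, self_windows, r=R):
    """Vaccination: seed detectors from known rootkit traces, still self-tolerant."""
    seeds = []
    for trace in known_bad_traces:
        for w in windows(trace):
            if w not in seeds and is_self_tolerant(w, self_windows, r):
                seeds.append(w)
    return seeds


def mature(detectors, anomaly_windows, self_windows, r=R):
    """Affinity maturation: for each detector that fired, derive clones that move
    one position toward the best-matching anomaly window; keep clones whose
    affinity improves and that still tolerate self."""
    matured = list(detectors)
    for d in detectors:
        hits = [w for w in anomaly_windows if matches(d, w, r)]
        if not hits:
            continue
        target = max(hits, key=lambda w: affinity(d, w))
        base = affinity(d, target)
        for pos in range(WINDOW):
            clone = list(d)
            clone[pos] = target[pos]
            clone = tuple(clone)
            if (affinity(clone, target) > base and clone not in matured
                    and is_self_tolerant(clone, self_windows, r)):
                matured.append(clone)
    return matured


def detect(trace, detectors, r=R):
    """Return the windows of a trace that at least one detector matches."""
    return [w for w in windows(trace) if any(matches(d, w, r) for d in detectors)]


# Constructed sample traces; the benign/rootkit labels are assumptions.
BENIGN = [
    ["NtOpenFile", "NtReadFile", "NtReadFile", "NtWriteFile", "IRP_MJ_READ"],
    ["NtOpenFile", "NtReadFile", "NDIS_RECEIVE", "NDIS_SEND", "NtWriteFile"],
    ["NtCreateKey", "NtSetValueKey", "NtOpenFile", "NtReadFile"],
]
KNOWN_BAD = [["NtQuerySystemInformation", "NtCreateKey", "NtSetValueKey",
              "IRP_MJ_DEVICE_CONTROL", "NDIS_SEND"]]
SUSPECT = ["NtOpenFile", "NtQuerySystemInformation", "NtCreateKey", "NtSetValueKey",
           "IRP_MJ_DEVICE_CONTROL", "NDIS_RECEIVE"]
SELF = [w for t in BENIGN for w in windows(t)]


def run_pipeline(seed=1):
    """Vaccinate, add negatively selected detectors, mature on the suspect trace."""
    rng = random.Random(seed)
    detectors = vaccinate(KNOWN_BAD, SELF) + negative_selection(SELF, 20, rng)
    matured = mature(detectors, windows(SUSPECT), SELF)
    return matured, detect(SUSPECT, matured)


if __name__ == "__main__":
    dets, hits = run_pipeline()
    print(f"{len(dets)} detectors; flagged windows in the suspect trace:")
    for h in hits:
        print("  ", " -> ".join(h))
```

Self-tolerance is enforced at every step (generation, vaccination and maturation), so the detector set can never fire on a window that appears in the benign training traces; the suspect trace is flagged because two of its windows share three or more contiguous events with the vaccinated detectors, and maturation then adds a clone that matches the second window exactly. In a real deployment the `SELF` set would be built from traces recorded by the capture driver on a clean system, and its coverage decides the false-positive rate.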
Data updated: 2023-05-31