博碩士論文 975302011 詳細資訊




以作者查詢圖書館館藏 以作者查詢臺灣博碩士 以作者查詢全國書目 勘誤回報 、線上人數:10 、訪客IP:18.208.186.19
姓名 林郁展(Yu-chan Lin)  查詢紙本館藏   畢業系所 資訊工程學系在職專班
論文名稱 Discoverer- Rootkit即時偵測系統
(Discoverer- a realtime Rootkit detection system)
相關論文
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm★ 一項Android手機上詐騙簡訊的偵測與防禦機制
★ SRA系統防禦ARP欺騙劫持路由器★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
★ PrivacyGuard:A Kernel-based Solution to Enhance the User Privacy When Using Private Browsing★ DEH:Dynamic Extensible Two-way Honeypot
檔案 [Endnote RIS 格式]    [Bibtex 格式]    [相關文章]   [文章引用]   [完整記錄]   [館藏目錄]   至系統瀏覽論文 ( 永不開放)
摘要(中) Rootkit 是目前最常被攻擊者用來隱藏其攻擊行為的工具,現有的Rootkit 檢測機
制大多以檢查系統的靜態特徵或比對系統的完整性等方式偵測Rootkit,但攻擊者可透
過不同的方式混淆系統的特徵值,而快速即時的完整性確認亦不易達成。 因此本論文
提出一精確、快速即時的Rootkit 偵測機制–Discoverer–以提昇系統偵測Rootkit 的
能力。由於攻擊者的網路連線及攻擊者正在執行的程序是Root kit 主要的隱藏對象,
因此 Discoverer 藉由找出被隱藏的網路連線及程序偵測Rootkit。為了管理網路連線
及程序,作業系統內包含有各式的資料結構來記錄相關的訊息,攻擊者可加入甚至修改
程式碼以讓使用者無法得知攻擊者的網路連線或正在執行的攻擊者程序,但若藉由竄改
與網路連線或程序相關的資料結構,如run queue,來達成上述目的,則很可能會破壞
系統的正常運作,因此這些資料結構中的資訊是最能真實反應系統狀態的資訊,本論文
利用新增的系統呼叫,將使用者模式下所列出的程序相關資料(如ps、netstat)傳入核
心,與系統內部相關資料結構中的資訊逐一比對。找出隱藏程序的pid、socket 連線、
及所存取的file 名稱與路徑。實驗結果顯示Discoverer 可精確地偵測出我們所蒐集到
的各式Rootkit。
摘要(英) Rootkit is most often used by attacker to hide their behavior, the
Rootkit detection mechanisms mostly focus on static characteristics or the
integrity of the system, but the attacker can confuse the system eigenvalues
through various ways , and the integrity of the rapid real-time confirmation
would not be easy to reach. This paper presents an accurate, rapid real-time
Rootkit detection mechanisms-Discoverer-to enhance the ability of the
system to detect Rootkit. Since the attacker’’s network connection and the
running process is the main hidden object of Rootkit, Discoverer by locating
the hidden network connections and process to detect Rootkits. In order
to manage network connections and process, the operating system contains
a variety of data structures to record the relevant message, the attacker
can be added or even modify the code to allow users to not know the attacker’’s
network connection, or are under implementation process of the attacker,
but if by tampering with the network connection or process-related data
structures, such as the run queue, to achieve the above purpose, they are
likely to undermine the normal functioning of the system, so the information
in these data structures can be a true reflection of system status
information, this paper list and send all the user mode process information
(such as ps, the netstat) into the Kernel by adding the new system call,
and compare one by one with kernel data .Then find out the hidden process
PID, socket connections, and the access file name and path. The experimental
results show that Discoverer can accurately detect all kinds of Rootkits
which we collected.
關鍵字(中) ★ 核心
★ 程序
關鍵字(英) ★ process
★ Rootkit
論文目次 目錄
摘要 5
誌謝 6
目錄 7
圖目錄 9
表目錄 10
第一章 緒論 11
1-1 研究背景 11
1-2 研究動機與目的 11
1-3 研究範圍與限制 11
1-4 章節架構 12
第二章 文獻探討 13
2-1 Rootkit定義: 13
2-2 Rootkit分類: 13
2-2-1 Binary Rootkit: 15
2-2-2 Library-level Rootkit 15
2-2-3 Kernel-level Rootkit 15
2-3 Rootkit偵測方式 21
2-3-1 檢測網路可疑連線 21
2-3-2 檢查系統本機部份 21
2-3-3整合性偵測 24
第三章 架構與設計 28
3-1系統核心程式執行流程 28
3-2 修改系統核心 31
3-2-1 project_call()部份 31
3-2-2 schedule()部份 38
第四章 實驗與分析 39
4-1 樣本程式偵測 39
4-1-1 sshdoor 40
4-1-2 nx_back.c 40
4-1-3 ipsecs-Kbeast-va.tar 41
4-1-4 Trixd00r-0.0.1.tar.gz 42
4-1-5 Jynx2 42
4-2 實驗分析 43
4-2-1 False Positive 43
4-2-2 False Negative 43
4-3 效能分析 43
4-3-1 單一效能分析 43
4-3-2 整體效能分析 44
第五章 結論 45
5-1 貢獻 45
5-2未來展望 45
參考文獻 46
參考文獻 參考文獻
[1] Rootkit, http://zh.wikipedia.org/wiki/Rootkit.
[2] Anton Chuvakin, ”An Overview of Unix Rootkits”,iDefense, Feburuary 2003.
[3] James Buitler, Jeffrey L. Undercoffer and John Pinkstion, “Hidden Processes: The Implication for Intrusion Detection” ,in Proceeding of the IEEE Conference on Information Assurance Workshop, June 2003.
[4] Nick L. Petroni, Jr. Timothy Fraser Jesus Molina William A. Arbaugh, ”Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor ”in Proceeding of the 13th USENIX Security Symposium , August 2004.
[5] Suckit, http://www.phrack.org/issues.html?id=7&issue=58
[6] “The Linux kernel Module Programming Guide”,http://tldp.org/LDP /lkmpg/2.6/html/
[7] Ashwin Ramaswamy,”Detecting Kernel Rootkits”,September 2008.
[8] Ashwin Ramaswamy, ”Autoscopy: Detecting Pattern-Searching Rootkits via Control Flow Tracing”,May 2009.
[9] Andreas Bierfert,”Advanced Exploitaion Techniques kernel backdooring on i386 and amd64 via /dev/mem”,February 2007.
[10] Anthony Lineberry, ”Malicious Code Injection via /dev/mem”,in BlackHat-Europe, March 27,2009
[11] J.Levine, B.Grizzard,and H.Owen,“Detecting and Categorizing Kernel-Level Rootkits to Aid Future Detection”,IEEE Journal on Security & Privacy, Volume 4,Issue:1, pages 24 - 32, February 2006.
[12] Doug Wampler ,James Graham,”A Method For Detecting Linux Kernel Module Rootkits”, Advances in Digital ForensicsIII IFIP Interna tional Conference on Digital Forensics ,Volume 242,pages 107 - 11 6,January, 2007.
[13] Levine, J.G ,Grizzard, J.B , Hutto, P.W. ,Owen, H.L. ”A Methodology to Characterize Kernel Level Rootkit Exploits that Overwrite the System Call Table”,in Proceedings of the IEEE SoutheastCon, pages 25-31, March 2004.
[14] Jamie Butler,”VICE – Catch the hookers!”, in BlackHat-USA, 2004
[15] Evan Cooke, Farnam Jahanian, Danny McPherson,”The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets”,in Proceedings of USENIX SRUTI’05, 2005.
[16] Decloedt,HE, van Heerden,R ,”Rootkits, Trojans, Backdoors and New Developments”,In CSIR research space, October 2010.
[177] J.Scambray, S. McClure, and G. Kurtz, Hacking Exposed,”Network Security Secrets and Solutions”,2nd edition, McGraw-Hill, 2001.
[188] Nick L. Petroni, Jr.Timothy Fraser Aron Walters William A. Arbaugh,”An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data”, in 15th USENIX Security Symposium, 2006.
[19] Nick L. Petroni, Jr.and Michael Hicks, “Automated Detection of Persistent Kernel Control-Flow Attacks”, Proceedings of the ACM conference on Computer and communications security, pages 103-115, October 2007.
[190] Sebastian’s method, http://www.ouah.org/Rootkitsfaq.txt.
[21] Unhide, http://www.unhide-forensics.info/index.php
[20] Samuel T. King, Z. Morley Mao, Dominic G. Lucchetti, Peter M. Chen “Enriching intrusion alerts through multi-host causality”, InNDSS 05, San Diego, CA, February, 2005.
[21] Daniel P.Bovet and Marco Cesati Understanding The Linux Kernel,3rd edition ,O’Rreilly, 2005.
[22] Sshdoor,http://www.hacker.org/forum/viewtopic.php?p=14350&sid=314d a026f6 f4ebfbd5a39e054d0007d6 .
[23] Nx_back,http://packetstormsecurity.org/UNIX/penetration/Rootkits/n x_back.c
[24] KBeast http://ipsecs.com/web/?p=277
[25] Trixd00r http://packetstormsecurity.org/files/109567/trixd00r-0.0.1.html
[26] Jynx2 http://www.blackhatlibrary.net/Jynx_Rootkit/2.0
指導教授 許富皓(Fu-Hau Hsu) 審核日期 2012-7-25
推文 facebook   plurk   twitter   funp   google   live   udn   HD   myshare   reddit   netvibes   friend   youpush   delicious   baidu   
網路書籤 Google bookmarks   del.icio.us   hemidemi   myshare   

若有論文相關問題,請聯絡國立中央大學圖書館推廣服務組 TEL:(03)422-7151轉57407,或E-mail聯絡  - 隱私權政策聲明