English  |  正體中文  |  简体中文  |  Items with full text/Total items : 75369/75369 (100%)
Visitors : 25535707      Online Users : 472
RC Version 7.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Tips:
  • please add "double quotation mark" for query phrases to get precise results
  • please goto advance search for comprehansive author search
  • Adv. Search
    HomeLoginUploadHelpAboutAdminister Goto mobile version

    Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/54451

    Title: Discoverer- Rootkit即時偵測系統;Discoverer- a realtime Rootkit detection system
    Authors: 林郁展;Lin,Yu-chan
    Contributors: 資訊工程學系碩士在職專班
    Keywords: 核心;程序;process;Rootkit
    Date: 2012-07-25
    Issue Date: 2012-09-11 18:51:01 (UTC+8)
    Publisher: 國立中央大學
    Abstract: Rootkit 是目前最常被攻擊者用來隱藏其攻擊行為的工具,現有的Rootkit 檢測機制大多以檢查系統的靜態特徵或比對系統的完整性等方式偵測Rootkit,但攻擊者可透過不同的方式混淆系統的特徵值,而快速即時的完整性確認亦不易達成。 因此本論文提出一精確、快速即時的Rootkit 偵測機制–Discoverer–以提昇系統偵測Rootkit 的能力。由於攻擊者的網路連線及攻擊者正在執行的程序是Root kit 主要的隱藏對象,因此 Discoverer 藉由找出被隱藏的網路連線及程序偵測Rootkit。為了管理網路連線及程序,作業系統內包含有各式的資料結構來記錄相關的訊息,攻擊者可加入甚至修改程式碼以讓使用者無法得知攻擊者的網路連線或正在執行的攻擊者程序,但若藉由竄改與網路連線或程序相關的資料結構,如run queue,來達成上述目的,則很可能會破壞系統的正常運作,因此這些資料結構中的資訊是最能真實反應系統狀態的資訊,本論文利用新增的系統呼叫,將使用者模式下所列出的程序相關資料(如ps、netstat)傳入核心,與系統內部相關資料結構中的資訊逐一比對。找出隱藏程序的pid、socket 連線、及所存取的file 名稱與路徑。實驗結果顯示Discoverer 可精確地偵測出我們所蒐集到的各式Rootkit。Rootkit is most often used by attacker to hide their behavior, theRootkit detection mechanisms mostly focus on static characteristics or theintegrity of the system, but the attacker can confuse the system eigenvaluesthrough various ways , and the integrity of the rapid real-time confirmationwould not be easy to reach. This paper presents an accurate, rapid real-timeRootkit detection mechanisms-Discoverer-to enhance the ability of thesystem to detect Rootkit. Since the attacker's network connection and therunning process is the main hidden object of Rootkit, Discoverer by locatingthe hidden network connections and process to detect Rootkits. In orderto manage network connections and process, the operating system containsa variety of data structures to record the relevant message, the attackercan be added or even modify the code to allow users to not know the attacker'snetwork connection, or are under implementation process of the attacker,but if by tampering with the network connection or process-related datastructures, such as the run queue, to achieve the above purpose, they arelikely to undermine the normal functioning of the system, so the informationin these data structures can be a true reflection of system statusinformation, this paper list and send all the user mode process information(such as ps, the netstat) into the Kernel by adding the new system call,and compare one by one with kernel data .Then find out the hidden processPID, socket connections, and the access file name and path. The experimentalresults show that Discoverer can accurately detect all kinds of Rootkitswhich we collected.
    Appears in Collections:[資訊工程學系碩士在職專班 ] 博碩士論文

    Files in This Item:

    File Description SizeFormat

    All items in NCUIR are protected by copyright, with all rights reserved.

    社群 sharing

    ::: Copyright National Central University. | 國立中央大學圖書館版權所有 | 收藏本站 | 設為首頁 | 最佳瀏覽畫面: 1024*768 | 建站日期:8-24-2009 :::
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - 隱私權政策聲明