基于免疫的Rootkit隐遁攻击动态内存取证方法研究

项目名称： 基于免疫的Rootkit隐遁攻击动态内存取证方法研究

项目编号： No.61462025

项目类型： 地区科学基金项目

立项/批准年度： 2015

项目学科： 自动化技术、计算机技术

项目作者： 张瑜

作者单位： 海南师范大学

项目金额： 44万元

中文摘要： 完整获取、分析内存镜像数据，并从中提取Rootkit隐遁攻击证据，能有效预防恶意隐遁网络攻击、遏制网络犯罪。本项目在前期研究Rootkit攻击进程分析与免疫检测的基础上，进一步研究Rootkit内存数据获取与分析方法和Rootkit内存免疫取证方法。主要包括：①通过逆向分析Windows内存页面交换机制，获取完整的内存镜像数据，为内存数据分析提供数据支持；②利用内核驱动技术，动态分析内存镜像中的进程数据，并重建与进程相对应的可执行文件映像，为进一步的Rootkit内存取证提供技术与证据支持；③借鉴人体免疫系统机理，通过Rootkit检测器（免疫细胞）的动态演化及证据提取，研究Rootkit隐遁攻击动态内存取证方法。本项目可促进Rootkit隐遁攻击内存数据获取与分析技术的深入发展，拓展Rootkit内存免疫取证研究新思路；同时，对构建自主产权的Rootkit安全取证产品具有重要参考价值。

中文关键词： Rootkit；隐遁攻击；内存取证；人工免疫系统；网络信息安全

英文摘要： A Rootkit for Windows systems is a program that penetrates into the system and intercepts the system functions. Rootkit evasion attack is a kind of network attacks,which can effectively hide their presence by intercepting low-level API functions or modifying the system kernel. Moreover, it can hide the presence of particular processes, folders, files and registry keys. Recently, some Rootkits install their own drivers and services only in the system memory. That particular trend makes them invisible and difficult to detect. Therefore, it is very important for preventing network stealth attacks and curbing cyber crimes to completely obtain memory data, analyse the data, and extract the Rootkit evasion attacks evidence. The proposed project will focus primarily on Rootkit evasion attacks about memory data obtainment, memory data analysis，and immunity-inspired memory forensics. It mainly includes the follows: ① The memory data full obtainment of Rootkit evasion attacks. The completely memory data obtained by reversely analyzing the Windows page-swapping files will provide data support for the analysis of it. ② The memory process accurately analysis and its portable executable image file reconstruction. Those information obtained with kernel mode driver will provide evidence support for Rootkit evasion attacks memory forensics. ③The immunity-inspired Rootkit evasion attacks memory forensics. Drawing inspiration from the human immune system and using the mechanisms such as vaccination, self-tolerance, affinity maturation, and antigen presentation are to build a dynamic approach for Rootkit evasion memory forensics. The proposed project can promote the memory data obtainment of Rootkit evasion attacks, improve the technology of analyzing memory data, and thereby develop a novel idea of immunity-inspired Rootkit evasion attacks memory forensics. Furthermore, the proposed project plays an important role in building Rootkit forensics defense products with independent property rights.

英文关键词： Rootkit;Evasion Attacks;Memory Forensics;Artificial Immune System;Network Information Security