基于免疫的Rootkit隐遁攻击动态内存取证方法研究

A Rootkit for Windows systems is a program that penetrates into the system and intercepts the system functions. Rootkit evasion attack is a kind of network attacks,which can effectively hide their presence by intercepting low-level API functions or modifying the system kernel. Moreover, it can hide the presence of particular processes, folders, files and registry keys. Recently, some Rootkits install their own drivers and services only in the system memory. That particular trend makes them invisible and difficult to detect. Therefore, it is very important for preventing network stealth attacks and curbing cyber crimes to completely obtain memory data, analyse the data, and extract the Rootkit evasion attacks evidence. The proposed project will focus primarily on Rootkit evasion attacks about memory data obtainment, memory data analysis，and immunity-inspired memory forensics. It mainly includes the follows: ① The memory data full obtainment of Rootkit evasion attacks. The completely memory data obtained by reversely analyzing the Windows page-swapping files will provide data support for the analysis of it. ② The memory process accurately analysis and its portable executable image file reconstruction. Those information obtained with kernel mode driver will provide evidence support for Rootkit evasion attacks memory forensics. ③The immunity-inspired Rootkit evasion attacks memory forensics. Drawing inspiration from the human immune system and using the mechanisms such as vaccination, self-tolerance, affinity maturation, and antigen presentation are to build a dynamic approach for Rootkit evasion memory forensics. The proposed project can promote the memory data obtainment of Rootkit evasion attacks, improve the technology of analyzing memory data, and thereby develop a novel idea of immunity-inspired Rootkit evasion attacks memory forensics. Furthermore, the proposed project plays an important role in building Rootkit forensics defense products with independent property rights.

完整获取、分析内存镜像数据，并从中提取Rootkit隐遁攻击证据，能有效预防恶意隐遁网络攻击、遏制网络犯罪。本项目在前期研究Rootkit攻击进程分析与免疫检测的基础上，进一步研究Rootkit内存数据获取与分析方法和Rootkit内存免疫取证方法。主要包括：①通过逆向分析Windows内存页面交换机制，获取完整的内存镜像数据，为内存数据分析提供数据支持；②利用内核驱动技术，动态分析内存镜像中的进程数据，并重建与进程相对应的可执行文件映像，为进一步的Rootkit内存取证提供技术与证据支持；③借鉴人体免疫系统机理，通过Rootkit检测器（免疫细胞）的动态演化及证据提取，研究Rootkit隐遁攻击动态内存取证方法。本项目可促进Rootkit隐遁攻击内存数据获取与分析技术的深入发展，拓展Rootkit内存免疫取证研究新思路；同时，对构建自主产权的Rootkit安全取证产品具有重要参考价值。

Rootkit 隐遁攻击原本已经所向披靡，加之采用内存反取证对抗措施后，致使传统的磁盘文件系统取证方法难以取证，这对于网络信息安全的威胁无疑雪上加霜。因此，从Rootkit 隐遁攻击的发展趋势来看，对Rootkit隐遁攻击进行内存取证分析，已是大势所趋、势在必行。.完整获取、分析内存镜像数据，并从中提取Rootkit 隐遁攻击证据，能有效预防恶意隐遁网络攻击、遏制网络犯罪。本项目在前期研究Rootkit 攻击进程分析与免疫检测的基础上，进一步研究Rootkit 内存数据获取与分析方法和Rootkit 内存免疫取证方法。主要包括：①通过逆向分析Windows 内存页面交换机制，获取完整的内存镜像数据，为内存数据分析提供数据支持；②利用内核驱动技术，动态分析内存镜像中的进程数据，并重建与进程相对应的可执行文件映像，为进一步的Rootkit 内存取证提供技术与证据支持；③借鉴人体免疫系统机理，通过Rootkit 检测器（免疫细胞）的动态演化及证据提取，研究Rootkit隐遁攻击动态内存取证方法。.项目成果解决了内存镜像数据完整获取、内存镜像数据的进程分析与可执行文件映像重建、以及Rootkit隐遁攻击内存取证免疫模型的动态刻画问题。本项目促进了Rootkit 隐遁攻击内存数据获取与分析技术的深入发展，拓展了Rootkit隐遁攻击内存免疫取证研究新思路；同时，对构建新一代自主产权的Rootkit 安全取证产品具有重要参考价值。

内容获取失败，请点击重试