
Research On The Malicious Codes Monitoring Technology Based On The File System

Posted on: 2014-12-24
Degree: Master
Type: Thesis
Country: China
Candidate: H P Sun
Full Text: PDF
GTID: 2268330422459592
Subject: Computer technology
Abstract/Summary:
With the rapid development of computer technology and the arrival of the information age, the security of computer systems has gradually become a focus of attention. The emergence and development of worms, Trojans, viruses, rootkits, backdoor programs and other malicious code pose a serious threat to computer system security. Monitoring and analyzing malicious code, and eliminating the threat it poses to the computer, has therefore become an important goal of computer security. As the basis of malicious code analysis, monitoring technology provides important information and data sources for that analysis. At present, monitoring technology mainly comprises virtual machine technology and API hook technology. Neither is yet mature enough for the analysis and debugging of malicious code, and both have certain limitations, so it is imperative to develop an efficient and reliable malicious code monitoring system.

This thesis first elaborates the background of the subject and the state of domestic and foreign research, and analyzes the types and characteristics of malicious code. It then introduces the related monitoring technologies and a Linux-based malicious code monitoring system. The main design idea of the monitoring system is to monitor in the Linux kernel layer, between the Virtual File System (Virtual Filesystem Switch, VFS) and the real file system beneath it. Based on the VFS mechanism, a loadable kernel module (Loadable Kernel Module, LKM) modifies the VFS function jump table to intercept the system calls of malicious code, obtains the file object to be operated on, compares the permissions of the malicious code process with the access permissions of the important file, and then refuses or allows the process to operate on the file.

This monitoring system is mainly used to monitor the operations of computer processes on important files, and at the same time it records the file-operation information of the process. The recorded information is presented to the user in the form of a log, which can then be analyzed to determine whether the process's file operation is legal, so that system files are protected effectively. The system consists of three sub-modules: the user module, the communication module and the monitoring module. The user module submits, at the user level, the malicious code processes that need monitoring and records them in the corresponding process list; it also provides the monitoring list of important files, distributes this information to the kernel layer, and displays the log information collected by the monitor. The communication module ensures data communication between the user module and the monitoring module: it delivers the processes specified by the user module and the configuration of the important file information to the monitoring module, and feeds the log information obtained by the monitoring module back to the user module. The monitoring module is the core of the system. It can be dynamically loaded into the kernel layer, between the VFS and the real file system below, where it filters the file-operation information of the monitored processes and thus monitors the malicious code. Finally, the thesis describes the design and implementation of the various sub-modules in detail.
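The check the monitoring module performs at the hooked VFS entry point, and the log record it hands back to the user module, can be modelled in user space. The C program below is an added example and not code from the thesis: it takes a constructed important-file list and monitored-process list (the data the user module would push down to the kernel), decides whether an intercepted file operation is allowed, and produces the log line the user module would display. The OP_* bits, the rule format (exact path or directory prefix ending in '/'), and the function names monitor_decide and monitor_last_log are assumptions for illustration; in the thesis design this logic runs inside an LKM that interposes on the VFS operation tables rather than as an ordinary process.

```c
#include <stdio.h>
#include <string.h>

/* Operations of interest, standing in for the VFS entry points the LKM
 * described in the thesis would interpose on.  Constructed for this example. */
enum { OP_READ = 1u, OP_WRITE = 2u, OP_UNLINK = 4u };

/* One entry of the important-file list the user module pushes to the kernel:
 * a path (exact file, or a directory prefix ending in '/') and the operations
 * a monitored process may still perform on it.  Sample data, constructed. */
struct protected_file {
    const char *path;
    unsigned    allowed;   /* bitmask of OP_* */
};

static const struct protected_file protected[] = {
    { "/etc/passwd", OP_READ },   /* may be read, never written or unlinked */
    { "/etc/shadow", 0 },         /* no access at all */
    { "/usr/bin/",   OP_READ },   /* whole directory is read-only */
};
#define N_PROTECTED (sizeof protected / sizeof protected[0])

/* Process list submitted by the user module (constructed PIDs). */
static const int monitored_pids[] = { 1234, 4321 };
#define N_MONITORED (sizeof monitored_pids / sizeof monitored_pids[0])

/* Last log record produced, for the user module to display. */
static char last_log_line[192];

static int is_monitored(int pid)
{
    for (size_t i = 0; i < N_MONITORED; i++)
        if (monitored_pids[i] == pid)
            return 1;
    return 0;
}

/* Exact match, or directory-prefix match when the rule ends in '/'. */
static int path_matches(const char *rule, const char *path)
{
    size_t n = strlen(rule);
    if (n > 0 && rule[n - 1] == '/')
        return strncmp(rule, path, n) == 0;
    return strcmp(rule, path) == 0;
}

static const char *op_name(unsigned op)
{
    switch (op) {
    case OP_READ:   return "read";
    case OP_WRITE:  return "write";
    case OP_UNLINK: return "unlink";
    default:        return "other";
    }
}

/* The check the monitoring module performs when a hooked file operation
 * arrives.  Returns 1 to let it through, 0 to refuse it.  Processes not on
 * the monitored list pass through untouched and leave no record. */
int monitor_decide(int pid, const char *path, unsigned op)
{
    if (!is_monitored(pid)) {
        last_log_line[0] = '\0';
        return 1;
    }
    int allow = 1;
    const char *rule = "(unprotected)";
    for (size_t i = 0; i < N_PROTECTED; i++) {
        if (path_matches(protected[i].path, path)) {
            rule  = protected[i].path;
            allow = (protected[i].allowed & op) == op;
            break;   /* first match wins: list exact files before directory prefixes */
        }
    }
    snprintf(last_log_line, sizeof last_log_line,
             "pid=%d op=%s path=%s rule=%s decision=%s",
             pid, op_name(op), path, rule, allow ? "ALLOW" : "DENY");
    return allow;
}

/* Log record for the most recent decision (empty for unmonitored processes). */
const char *monitor_last_log(void)
{
    return last_log_line;
}

int main(void)
{
    /* Constructed sequence of intercepted operations. */
    struct { int pid; const char *path; unsigned op; } events[] = {
        { 1234, "/etc/passwd",  OP_READ   },
        { 1234, "/etc/passwd",  OP_WRITE  },
        { 4321, "/usr/bin/ls",  OP_UNLINK },
        { 1234, "/tmp/scratch", OP_WRITE  },
        {  999, "/etc/shadow",  OP_UNLINK },   /* not monitored */
    };
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        int ok = monitor_decide(events[i].pid, events[i].path, events[i].op);
        if (monitor_last_log()[0])
            printf("%s\n", monitor_last_log());
        else
            printf("pid=%d not monitored, passed through (%d)\n", events[i].pid, ok);
    }
    return 0;
}
```

Two design points carry over to a real monitor: the rule list is searched first-match, so exact file entries must precede the directory prefixes that would otherwise swallow them, and operations by processes outside the monitored list are neither blocked nor logged, which is why the user module's process list must be kept current.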
Keywords/Search Tags: malicious code, monitor, file system, loadable kernel modules