Electronic File Operations Identification Method Based On The Middle Tier Of The Windows Driver

Posted on: 2014-01-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y Ding
Full Text: PDF
GTID: 2248330395483557
Subject: Control theory and control engineering

Abstract/Summary:
As important carriers of information in a digital society, electronic documents require strong security. In a confidential system, monitoring operations on electronic documents such as creation, modification and destruction is one of the key technologies of electronic document security management. Existing file monitoring systems for Windows are often implemented by hooking applications. This kind of method has many shortcomings: the monitoring information is limited, efficiency is low, and it is difficult to develop for different software, which also increases the complexity of the monitoring software. File operation monitoring via a kernel driver has better flexibility, but it suffers from a large amount of redundant information, so it remains difficult to identify the actual operations quickly. Therefore, developing file operation identification methods based on the driver is of significant importance.

On the basis of an introduction to file operation monitoring technology based on the Windows intermediate driver, a file operation identification method based on the featured IRP letter sequence is proposed, which includes extraction of the featured IRP letter sequence, integration, and asynchronous processing. Compared with traditional methods, the proposed method improves the identification coverage rate and accuracy. The main work of the dissertation is as follows.

(1) A summary is made of the theory and technology of Windows driver-layer file monitoring. The detailed definitions of the file system driver and the file system filter driver, their working principles and their main purposes are introduced.

(2) The major existing file operation identification methods are introduced, their advantages and disadvantages are analyzed, and they are compared from four aspects: implementation complexity, identification coverage, identification efficiency and scalability.

(3) On the basis of an analysis of the data structure of the IRP and its processing procedure, the featured IRP sequence is constructed. The extraction process of the featured IRP sequence is given, and the IRP sequence asynchronous processing and integration method are presented.

(4) Through experiments, featured IRP letter sequences of the file operations of various typical applications are obtained. A file operation recognition method based on the AC-BM matching algorithm and the featured IRP letter sequence is proposed. Experimental results show that the new method performs satisfactorily in terms of recognition rate and efficiency.

Finally, conclusions are drawn on the shortcomings of the dissertation, and future research on this topic is outlined.
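The following is an added illustration of the identification pipeline the abstract describes (featured-letter extraction, per-file integration, and multi-pattern matching over the letter sequence); it is not code from the thesis. The letter alphabet, the signature patterns, the consecutive-duplicate collapsing used as the "featured" extraction step, and the interleaved sample event stream are all constructed for this example, and plain Aho-Corasick stands in for the AC-BM matcher the thesis uses.

```python
"""Identify file operations from an IRP-like event stream (added example).

Pipeline: map each IRP major function to a letter, group the interleaved
stream into one letter sequence per file object (integration), collapse
repeated letters (a simplified 'featured sequence' extraction), then run a
multi-pattern matcher over each sequence.  All mappings, signatures and
sample events below are constructed for illustration; Aho-Corasick is used
as a stand-in for the AC-BM matcher described in the thesis.
"""
from collections import deque

# Constructed mapping from IRP major function names to single letters.
# Majors not listed here are treated as redundant and dropped.
IRP_LETTERS = {
    "IRP_MJ_CREATE": "C",
    "IRP_MJ_READ": "R",
    "IRP_MJ_WRITE": "W",
    "IRP_MJ_SET_INFORMATION": "S",
    "IRP_MJ_CLEANUP": "U",
    "IRP_MJ_CLOSE": "X",
}

# Constructed signatures: a featured letter sequence -> the operation it denotes.
SIGNATURES = {
    "CWUX": "create-or-modify",
    "CRUX": "read-only open",
    "CSUX": "delete-or-rename",   # set-information then close
}


class AhoCorasick:
    """Multi-pattern matcher: build the goto/fail automaton once, scan in O(n + hits)."""

    def __init__(self, patterns):
        self.goto = [{}]     # node -> {letter: next node}
        self.out = [[]]      # node -> labels of patterns ending at this node
        self.fail = [0]      # node -> fail link
        for pat, label in patterns.items():
            node = 0
            for ch in pat:
                nxt = self.goto[node].get(ch)
                if nxt is None:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    nxt = len(self.goto) - 1
                    self.goto[node][ch] = nxt
                node = nxt
            self.out[node].append(label)
        # Breadth-first pass sets fail links and merges suffix outputs.
        queue = deque(self.goto[0].values())
        while queue:
            cur = queue.popleft()
            for ch, nxt in self.goto[cur].items():
                queue.append(nxt)
                f = self.fail[cur]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(ch, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]

    def search(self, text):
        """Return (end_index, label) for every pattern occurrence in text."""
        node, hits = 0, []
        for i, ch in enumerate(text):
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            for label in self.out[node]:
                hits.append((i, label))
        return hits


def integrate(events):
    """Turn an interleaved (file_id, irp_major) stream into per-file featured sequences.

    Unknown majors are dropped and consecutive duplicate letters are collapsed,
    so a burst of writes becomes a single 'W'.
    """
    seqs = {}
    for file_id, major in events:
        letter = IRP_LETTERS.get(major)
        if letter is None:
            continue
        seq = seqs.setdefault(file_id, [])
        if not seq or seq[-1] != letter:
            seq.append(letter)
    return {fid: "".join(s) for fid, s in seqs.items()}


def identify(events, matcher=None):
    """Map each file object in the stream to the list of operations recognised on it."""
    matcher = matcher or AhoCorasick(SIGNATURES)
    return {fid: [label for _, label in matcher.search(seq)]
            for fid, seq in integrate(events).items()}


# Constructed sample stream: four files whose IRPs arrive interleaved.
SAMPLE_EVENTS = [
    ("doc1.txt", "IRP_MJ_CREATE"),
    ("doc2.txt", "IRP_MJ_CREATE"),
    ("doc1.txt", "IRP_MJ_QUERY_INFORMATION"),   # not featured -> dropped
    ("doc3.txt", "IRP_MJ_CREATE"),
    ("doc1.txt", "IRP_MJ_WRITE"),
    ("doc2.txt", "IRP_MJ_READ"),
    ("doc4.txt", "IRP_MJ_CREATE"),
    ("doc1.txt", "IRP_MJ_WRITE"),               # repeated write collapses
    ("doc3.txt", "IRP_MJ_SET_INFORMATION"),
    ("doc2.txt", "IRP_MJ_READ"),
    ("doc1.txt", "IRP_MJ_CLEANUP"),
    ("doc4.txt", "IRP_MJ_CLEANUP"),
    ("doc1.txt", "IRP_MJ_CLOSE"),
    ("doc2.txt", "IRP_MJ_CLEANUP"),
    ("doc3.txt", "IRP_MJ_CLEANUP"),
    ("doc2.txt", "IRP_MJ_CLOSE"),
    ("doc4.txt", "IRP_MJ_CLOSE"),
    ("doc3.txt", "IRP_MJ_CLOSE"),
]

if __name__ == "__main__":
    for fid, ops in identify(SAMPLE_EVENTS).items():
        print(fid, integrate(SAMPLE_EVENTS)[fid], ops or "(no featured operation)")
```

The per-file grouping is what makes the matcher usable at all: in a real filter driver the IRPs of many concurrent handles arrive interleaved, so matching against the raw stream would never see a contiguous signature. A file that is merely opened and closed (doc4 above, sequence "CUX") matches nothing, which is the intended behaviour for redundant traffic.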
Keywords/Search Tags: file monitoring, filter driver, file operation, featured IRP letter sequence