With the rapid development of the information society, computer network environments are becoming increasingly complex. As the principal component of information and data processing in the network, computer systems face increasingly severe security threats. Current mainstream system security technology is relatively effective against traditional system attacks, but given how quickly system attack and defense techniques evolve, even the most comprehensive protection mechanism can only guarantee the security of a system for a limited time. Like viruses in the human body, malware can quickly find defects in a system's protection mechanisms and then pose a constant threat to the security of computer systems. System security attack techniques mainly concern system implantation, program startup and avoidance of detection. To be harder to resist, system implantation generally relies on strongly deceptive means, such as e-mail, counterfeits of common software and dangerous hyperlinks. Program startup techniques commonly use well-hidden means, including the startup folder, registry modification, file-type binding and registering system services. Detection-avoidance techniques play an important role and use complex means; the common strategies are modifying special instructions, hiding the IAT, hooking functions and adding a protective shell. The implementation of popular system attack techniques is relatively well established, yet these techniques evolve very strongly: after some changes to the form of the attack, an attack system can easily escape detection. In summary, the development of system attack and defense technology is just like the clash between spears and shields, and in the struggle between the two sides, system security technology will become increasingly sophisticated.
Firstly, popular system security attack techniques are studied in three main areas: system implantation, program startup and detection-avoidance technology. Secondly, focusing on popular system security technology, which mainly refers to special-instruction identification with a cloud detection engine, heuristic scanning and proactive defense, this paper explores the defects of the existing security techniques in popular system security products; for example, modifying instructions, hiding and camouflaging the import table, and API hooking are able to bypass security detection. Thirdly, based on these defects in system security technology, this paper designs and implements an attack system consisting of four functional modules: creation of a built-in code segment, hiding and restoring the import table, hiding special instructions, and breaking through proactive defense. To prove its validity, the attack system is tested in a lab environment. Fourthly, by analyzing the principles behind the functional modules of the attack system, this paper proposes some ideas for detecting it. The most effective one is function-call detection, which refers to counting and analysing the number of calls to LoadLibraryA and GetProcAddress. Moreover, based on the attack system, this paper designs and implements a protection model that includes a hook module and a detection module: the former implements inline hooking of the LoadLibraryA and GetProcAddress functions in a DLL, and the latter implements process injection of that DLL by creating a remote thread to load the DLL file. Finally, to promote the development of system security technology, this paper verifies the effectiveness of the protection model in an experimental environment.
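The function-call detection idea above (count LoadLibraryA/GetProcAddress calls and look at their pattern) as an added example that is not code from the thesis: a detection routine run over a constructed, labelled trace of the kind a hook module could record. The trace format, the 100 ms window and the threshold of 6 are assumptions of this example.

```python
from collections import defaultdict, deque
# Constructed sample trace (not real data), one hooked call per line as
# "<ms_timestamp> <pid> <api> <argument>"; the log format is an assumption.
SAMPLE_TRACE = """\
1000 4242 LoadLibraryA kernel32.dll
1001 4242 GetProcAddress VirtualAlloc
1002 4242 GetProcAddress VirtualProtect
1003 4242 GetProcAddress CreateThread
1004 4242 GetProcAddress CreateFileA
1005 4242 GetProcAddress WriteFile
1009 4242 GetProcAddress CloseHandle
1500 7777 LoadLibraryA user32.dll
1520 7777 GetProcAddress MessageBoxA
5000 7777 GetProcAddress GetWindowTextA
"""
MONITORED = ("LoadLibraryA", "GetProcAddress")

def parse_trace(text):
    """Return (ts, pid, api, arg) tuples for monitored calls; skip bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and parts[2] in MONITORED:
            events.append((int(parts[0]), int(parts[1]), parts[2], parts[3]))
    return events

def call_totals(events):
    """Per-process count of each monitored API: the raw number the idea starts from."""
    totals = defaultdict(lambda: dict.fromkeys(MONITORED, 0))
    for _, pid, api, _ in events:
        totals[pid][api] += 1
    return dict(totals)

def detect_resolution_bursts(events, window_ms=100, threshold=6):
    """Flag a pid whose monitored calls reach `threshold` within a sliding
    `window_ms` window: code rebuilding its import table at runtime resolves
    many APIs in one tight burst, a normally linked program does not.
    Window and threshold values are assumptions, not from the thesis."""
    recent = defaultdict(deque)   # pid -> calls inside the current window
    alerts = {}                   # pid -> largest burst seen
    for ts, pid, api, arg in sorted(events):
        q = recent[pid]
        q.append((ts, api, arg))
        while ts - q[0][0] > window_ms:
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(pid, {}).get("count", 0):
            resolved = sorted(a for _, k, a in q if k == "GetProcAddress")
            alerts[pid] = {"count": len(q), "resolved": resolved}
    return alerts
```

Process 4242 resolves six APIs within 10 ms of loading a library and is flagged, while 7777's three calls spread over seconds are not; the totals alone would not separate the two as clearly.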