
Research On "Digital Footprint" Extraction And Malicious Behavior Analysis Technology In Virtual Environment

Posted on: 2018-03-09 | Degree: Master | Type: Thesis
Country: China | Candidate: L Yang | Full Text: PDF
GTID: 2348330515475416 | Subject: Information confrontation
Abstract: With the rapid development of virtualization technology, more and more business applications of enterprises, universities and government agencies have moved into virtual environments. As virtualized business applications have surged, network attacks against virtual environments have increased dramatically, and these attacks pose a serious threat to the economy and security of countries and businesses. Attack techniques aimed at virtual environments are evolving toward concealment (for example, the anti-forensic techniques of modern Trojans), so traditional memory forensics can no longer deal effectively with forensic work in a virtual environment. It is therefore of great significance to research the non-destructive extraction of virtual-environment memory evidence and the reconstruction of malware attacks; this can help political and legal organs to reconstruct evidence after the fact and to combat cybercrime.

This dissertation researches and implements a virtual-environment memory forensics system whose innovations mainly comprise the following three points. Firstly, it proposes a memory forensics model for the VMware virtual environment. The model improves the forensic process of existing memory forensics models and has the advantages of a highly repeatable forensic process, high accuracy of memory acquisition and high forensic efficiency. Secondly, it proposes the virtual-environment "digital footprint": the digital features extracted by traditional memory forensics are defined as "digital lines", and their dynamic behavioural characteristics along a time series are defined as the "digital footprint", which captures more comprehensive behaviour information than the traditional "digital lines". Thirdly, it proposes an improved K-means multi-source correlation analysis algorithm for malicious processes. The algorithm extends the process relationship to six relationships: the parent-child, name, time, file, communication and account relationships. The correlation degree over these six relationships replaces the cosine distance of the traditional K-means algorithm, and a malicious-process initialization rule replaces the random initialization rule of the traditional K-means algorithm. The algorithm has the advantages of high stability and high correlation.

By studying virtual-environment memory management and the address translation mechanism, this dissertation reconstructs volatile memory data and completes virtual-environment "digital footprint" extraction, malicious behaviour detection and malicious process correlation analysis. It ultimately realizes the reconstruction of malicious software behaviour and meets the business needs of political and legal organs in business application, in-depth analysis, clue tracking and other aspects. The test results show that the virtual-environment memory forensics model proposed in this dissertation achieves high precision and accuracy in extracting malware volatile memory data, and that the virtual-environment memory forensics system extracts the virtual-environment "digital footprint" with high integrity. The improved K-means multi-source correlation analysis algorithm improves the malware behaviour analysis graph and yields correlations of high integrity. However, in this dissertation the "digital footprint" extraction is still not complete, the false alarm rate of malware behaviour reconstruction is slightly high, and the business interruption problem of memory extraction on the server edition is not resolved. These three points can be future research directions.
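The improved K-means correlation step described in the abstract, as an added Python example that is not the thesis's code: the six relationships (parent-child, name, time, file, communication, account) are scored and averaged into a correlation degree that replaces cosine distance, and clusters are seeded from a known malicious process and a benign reference instead of random centroids. The per-relationship scoring functions, the equal weights, the 60 s time window and the process records are all assumptions constructed for the example.

```python
# Added example, not the thesis's code. Scores, equal weights and the 60 s time
# window are assumptions; the process records in run_example() are constructed.
from collections import namedtuple

# One process record: start is seconds since boot, files/endpoints are frozensets
Proc = namedtuple("Proc", "pid ppid name start files endpoints account")
TIME_WINDOW = 60.0  # assumption: starts more than 60 s apart share no time relation

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def correlation(p, q):
    """Mean of six relationship scores in [0, 1]; replaces K-means cosine distance."""
    scores = [
        1.0 if p.ppid == q.pid or q.ppid == p.pid or p.ppid == q.ppid else 0.0,  # parent-child
        1.0 if p.name == q.name else 0.0,                                        # name
        max(0.0, 1.0 - abs(p.start - q.start) / TIME_WINDOW),                    # time
        jaccard(p.files, q.files),                                               # file
        jaccard(p.endpoints, q.endpoints),                                       # communication
        1.0 if p.account == q.account else 0.0,                                  # account
    ]
    return sum(scores) / len(scores)

def cluster(procs, seeds, rounds=10):
    """K-means-style assignment: each process joins the seed cluster whose members
    it correlates with most; known malicious/benign seeds replace random init."""
    clusters = {s.pid: [s] for s in seeds}
    for _ in range(rounds):
        new = {s.pid: [s] for s in seeds}
        for p in procs:
            if p not in seeds:
                best = max(clusters, key=lambda k: sum(correlation(p, m) for m in clusters[k]) / len(clusters[k]))
                new[best].append(p)
        if new == clusters:  # assignments stable: converged
            break
        clusters = new
    return {k: sorted(m.pid for m in v) for k, v in clusters.items()}

def run_example():
    """Constructed sample: a dropper seed, its child shell, and a benign reference pair."""
    c2 = frozenset({"203.0.113.5:443"})
    benign = Proc(800, 600, "explorer.exe", 10.0, frozenset({"doc.txt"}), frozenset(), "user")
    bad = Proc(4000, 1200, "svch0st.exe", 100.0, frozenset({"drop.dll"}), c2, "SYSTEM")
    procs = [benign, bad,
             Proc(900, 800, "notepad.exe", 12.0, frozenset({"doc.txt"}), frozenset(), "user"),
             Proc(4100, 4000, "cmd.exe", 100.5, frozenset({"drop.dll"}), c2, "SYSTEM")]
    return cluster(procs, seeds=[bad, benign])  # {4000: [4000, 4100], 800: [800, 900]}
```

In a real forensic run the seeds would be the processes flagged by the "digital footprint" detection stage, and each relationship score would be derived from the reconstructed memory data rather than hand-built records.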
Keywords/Search Tags: Digital Footprint, Virtual Environment Memory Forensics, Malicious Behavior Detection, Multi-source Correlation Analysis