
Design And Implementation Of Security Monitoring Software Based On WINDOWS X64 System Environment

Posted on: 2020-11-10  Degree: Master  Type: Thesis
Country: China  Candidate: F Xu  Full Text: PDF
GTID: 2428330572972218  Subject: Computer technology
Abstract/Summary:
With the development of computer technology and the popularization of the Internet, computers have moved comprehensively to the 64-bit architecture. Although the WINDOWS 64-bit operating system family uses a new kernel and adds the new security mechanisms KPP and DSE, these mechanisms themselves contain vulnerabilities and cannot fully guarantee the security of users' terminal information. Attacks exploiting security vulnerabilities in the WINDOWS operating system emerge endlessly, forming a huge black industrial chain that poses a great threat to system security. Static scanning technology based on signature analysis and comparison can no longer ensure system security in real time, and process behavior monitoring based on hook functions can no longer meet the security monitoring requirements of 64-bit WINDOWS systems.

In order to solve the problem of dynamic process behavior monitoring, this paper analyzes the core requirements of security monitoring: process behavior, file behavior and network behavior monitoring. The mainstream security monitoring technologies used to realize process enumeration, process behavior monitoring, file operation monitoring and network connection monitoring are studied. The communication requirements between driver and application are analyzed, and the driver-application communication mechanism is studied. Based on the results of the requirement analysis and the research on security monitoring technology, a new security monitoring framework for the 64-bit WINDOWS operating system is proposed. The framework mainly uses the event notification and callback mechanism, the file system minifilter framework and the WFP network filtering platform to achieve comprehensive monitoring of process behavior.

The security monitoring algorithms in the framework described above are studied and designed in detail, and a set of security monitoring software based on dynamic behavior monitoring is implemented. The system is divided into three modules: the process monitoring module, the file monitoring module and the network monitoring module. The process monitoring module is responsible for enumerating processes and monitoring process behavior. By designing a process enumeration and suspicious process screening algorithm, the enumeration of all process information and the screening of suspicious processes are realized. The hook-based monitoring scheme, whose stability is very poor, is abandoned, and the process behavior monitoring algorithm is instead designed on the event notification and callback mechanism to effectively control process behavior. The file monitoring module is responsible for monitoring the file operation behavior of processes. Abandoning the tedious traditional file filter driver, the file behavior identification and control algorithm is designed on the MiniFilter file filter driver framework to realize monitoring of file operations. The network monitoring module is responsible for controlling network connections. The TDI framework, which is no longer supported, is eliminated; under the WFP framework, a network connection control algorithm based on an asynchronous mechanism is designed and implemented on the WFP network filtering platform.

Finally, testing shows that the security monitoring system designed in this paper can effectively enumerate all processes in the system and identify hidden suspicious processes. Because the underlying monitoring framework makes use of the new technical characteristics of the platform, the system can accurately capture the operation behavior information of the monitored process, control the operation behavior of the monitored process in real time, and provide a log of the process's operation behavior, meeting the requirements of security personnel for further analysis of system security.
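As an added example (not code from the thesis), the cross-view check below illustrates one way the suspicious process screening mentioned in the abstract can be done: two independent enumerations of the PID space are reconciled, and any PID that the second view reports but the first does not is flagged for a defender to inspect. The view names, table layout and sample PIDs are constructed for this example and are not taken from the thesis.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Enumeration views (hypothetical names, constructed for this example): the
   kernel's linked process list versus an independent probe of the PID space. */
enum view { VIEW_LIST = 1, VIEW_PIDSCAN = 2 };
#define MAX_ENTRIES 64

struct proc_entry { uint32_t pid; unsigned seen; /* bitmask of enum view */ };

/* Record every PID of one view in the merged table; returns new entry count. */
static size_t add_view(struct proc_entry *tbl, size_t n, const uint32_t *pids,
                       size_t count, unsigned view)
{
    for (size_t i = 0; i < count; i++) {
        size_t j;
        for (j = 0; j < n; j++)
            if (tbl[j].pid == pids[i]) { tbl[j].seen |= view; break; }
        if (j == n && n < MAX_ENTRIES) { tbl[n].pid = pids[i]; tbl[n].seen = view; n++; }
    }
    return n;
}

/* Cross-view screening: a PID found by the PID-space scan but missing from the
   process list is flagged, since that mismatch is what an unlinked (hidden)
   process looks like. Returns the number of suspicious PIDs written to `out`. */
size_t find_hidden(const uint32_t *list_view, size_t list_n,
                   const uint32_t *scan_view, size_t scan_n,
                   uint32_t *out, size_t out_cap)
{
    struct proc_entry tbl[MAX_ENTRIES];
    size_t n = add_view(tbl, 0, list_view, list_n, VIEW_LIST);
    n = add_view(tbl, n, scan_view, scan_n, VIEW_PIDSCAN);
    size_t found = 0;
    for (size_t i = 0; i < n && found < out_cap; i++)
        if (tbl[i].seen == VIEW_PIDSCAN) out[found++] = tbl[i].pid;
    return found;
}

int main(void)
{
    /* Constructed sample snapshots: PID 1337 appears only in the PID scan. */
    const uint32_t by_list[] = {4, 88, 412, 2100};
    const uint32_t by_scan[] = {4, 88, 412, 1337, 2100};
    uint32_t hidden[8];
    size_t k = find_hidden(by_list, 4, by_scan, 5, hidden, 8);
    for (size_t i = 0; i < k; i++) printf("suspicious pid %u\n", (unsigned)hidden[i]);
    return 0;
}
```

In a real monitor the two views would come from different kernel data sources so that a process unlinked from one is still visible in the other.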
Keywords/Search Tags: process, dynamic monitoring, behavior acquisition, classification, security framework