
The Research And Implementation Of Process Trusted Measurement Technology For Windows Environment

Posted on: 2019-06-21
Degree: Master
Type: Thesis
Country: China
Candidate: Z G Li
Full Text: PDF
GTID: 2428330593450275
Subject: Computer Science and Technology
Abstract/Summary:
With the in-depth development of information technology, information security has received increasing attention at home and abroad. As the most widely used operating system, Windows draws much of that attention for its security. Traditional Windows virus detection technology lacks effective means of detecting attacks that have not yet been exposed. Trusted computing technology provides a powerful means of addressing such security problems and has been studied at home and abroad. At present, research on guaranteeing the trustworthiness of system startup through static measurement has matured, while research on guaranteeing the trustworthy operation of the system through dynamic measurement still has deficiencies. Existing dynamic measurement schemes lack a measurement of the files referenced by a process when it starts, lack a measurement of the file call relationship when a process calls a file, and lack a baseline value for the execution flow while the process is running. Addressing these issues, this thesis proposes a trusted measurement framework for Windows processes. The main research work is as follows:

1. A process startup measurement method is proposed. First, by analyzing the Windows process startup procedure, this method places its measurement points appropriately and improves the hit rate of process startup interception. Second, it statically obtains the list of referenced files from the executable file's import table or by keyword matching, and uses that file list as the parameter to the process startup policy algorithm, which generates a reference value ensuring that the files involved in process startup have not been maliciously tampered with. Finally, the process startup measurement algorithm checks the process against this reference value so that the process starts in a trusted state.

2. A process file call relationship measurement method is proposed. First, by analyzing the Windows process file call procedure, this method places its measurement points appropriately and improves the hit rate of process file call interception. Second, it classifies executable files and ordinary files by function, statically obtains the call relationships between executable files and other files by keyword matching, and uses these relationships as the parameter to the process file call relationship policy algorithm, which generates a reference value ensuring that the process file call relationship has not been maliciously tampered with. Finally, the process file call relationship measurement algorithm guarantees the trustworthiness of the process file call relationship.

3. A process execution flow measurement method is proposed. First, by analyzing how Windows maps a process into memory, this method places its measurement points appropriately and improves the hit rate of interception of execution flow modification. Second, it re-derives the process execution flow from the executable file and uses the re-derived execution flow as the parameter to the process execution flow policy algorithm, which generates a baseline value ensuring that the process execution flow has not been maliciously tampered with. Finally, the process execution flow measurement algorithm guarantees the trustworthiness of the process execution flow.

4. A PTM prototype is implemented. First, based on the proposed process startup measurement method, process file call relationship measurement method and process execution flow measurement method, the design idea, architecture and execution flow of the PTM prototype are given. Second, the PTM prototype is deployed on a real Windows 7 system. The results show that PTM can effectively detect abnormal program behavior and ensure the trustworthy operation of the system.
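The following Python is an added illustration of the process startup measurement described in item 1; it is not code from the thesis or its PTM prototype. It recovers the referenced file list by keyword matching only (the import-table method the abstract also names is not implemented), measures each file with SHA-256 (an assumed choice; the abstract does not name a hash), lets the policy algorithm fold the ordered measurements into one reference value, and has the startup measurement algorithm report tampered, missing and newly introduced files. The dict standing in for the filesystem and the sample file images are constructed for the example.

```python
"""Process startup measurement sketch (added illustration, not the thesis's PTM code).

Baseline: statically recover the files an executable references, measure each
one, and fold the measurements into a single reference value (the "policy").
Startup: re-measure the same files and compare against the reference value.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Keyword matching, one of the two static methods the abstract names: any token
# that looks like a module name in the raw image. Walking the real PE import
# table is the other method; it is not implemented here.
DLL_KEYWORD = re.compile(rb"[A-Za-z0-9_\-]+\.dll", re.IGNORECASE)


def referenced_files(exe_bytes: bytes) -> List[str]:
    """Ordered, de-duplicated, case-folded list of module names found in the image."""
    names: List[str] = []
    for match in DLL_KEYWORD.finditer(exe_bytes):
        name = match.group(0).decode("ascii").lower()
        if name not in names:
            names.append(name)
    return names


def measure(data: bytes) -> str:
    """Measurement of one file: SHA-256 hex digest (assumed; the abstract fixes no hash)."""
    return hashlib.sha256(data).hexdigest()


def startup_policy(exe_name: str, exe_bytes: bytes, fs: Dict[str, bytes]) -> Dict:
    """Policy algorithm: measure the executable and every referenced file, in order,
    then extend a running digest with each value (TPM PCR style) so the composite
    depends on both the contents and the order of the file list. `fs` is a dict
    standing in for the filesystem (name -> file bytes)."""
    files: Dict[str, str] = {exe_name: measure(exe_bytes)}
    for dll in referenced_files(exe_bytes):
        if dll not in fs:
            raise FileNotFoundError(f"cannot baseline, missing referenced file: {dll}")
        files[dll] = measure(fs[dll])
    composite = hashlib.sha256()
    for digest in files.values():
        composite.update(bytes.fromhex(digest))
    return {"exe": exe_name, "files": files, "composite": composite.hexdigest()}


def measure_startup(exe_bytes: bytes, fs: Dict[str, bytes], policy: Dict) -> Tuple[bool, List[str]]:
    """Measurement algorithm at process start: re-measure each recorded file, rebuild
    the composite, and report every deviation rather than only the first."""
    findings: List[str] = []
    composite = hashlib.sha256()
    for name, expected in policy["files"].items():
        data = exe_bytes if name == policy["exe"] else fs.get(name)
        if data is None:
            findings.append(f"missing: {name}")
            continue
        actual = measure(data)
        if actual != expected:
            findings.append(f"tampered: {name}")
        composite.update(bytes.fromhex(actual))
    # A patched import list shows up as a reference the policy never recorded.
    for dll in referenced_files(exe_bytes):
        if dll not in policy["files"]:
            findings.append(f"unexpected reference: {dll}")
    ok = not findings and composite.hexdigest() == policy["composite"]
    return ok, findings


# Constructed sample images (not real PE files): an "executable" whose body
# mentions two modules, and the two module files it references.
SAMPLE_EXE = b"MZ constructed app.exe image ... imports: KERNEL32.dll USER32.dll"
SAMPLE_FS = {
    "kernel32.dll": b"MZ constructed kernel32 image",
    "user32.dll": b"MZ constructed user32 image",
}


if __name__ == "__main__":
    policy = startup_policy("app.exe", SAMPLE_EXE, SAMPLE_FS)
    print("clean start:", measure_startup(SAMPLE_EXE, SAMPLE_FS, policy))
    patched = dict(SAMPLE_FS, **{"user32.dll": SAMPLE_FS["user32.dll"] + b"\x90"})
    print("patched DLL:", measure_startup(SAMPLE_EXE, patched, policy))
```

In the framework the abstract describes, `measure_startup` would run at the kernel-side startup interception point, before the process is allowed to continue; here it is a plain function so the tampered, missing and unexpected-reference cases can be exercised on the constructed images.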
Keywords/Search Tags: Trusted Computing, Dynamic Measurement, Process Start, Process File Call, Process Exec-Flow