Research On Detection Method Of Malicious Removable Storage Media In Intranet

Posted on: 2021-03-17
Degree: Master
Type: Thesis
Country: China
Candidate: P R Liu
Full Text: PDF
GTID: 2428330602968839
Subject: Computer Science and Technology

Abstract/Summary:
To protect core assets such as devices and confidential data in the internal network, organizations isolate the internal network from external networks, which makes removable storage media the common channel for exchanging data between the two. Because strict management and control policies for removable storage media are lacking, insiders can use such media to threaten internal security. On the one hand, attackers can inject malicious code into the intranet through removable storage media. Existing malicious programs are mostly written in C/C++, but malicious programs written in JavaScript have begun to appear, and they too can be carried into the intranet on removable media. On the other hand, attackers can use removable storage media to steal core data automatically by relying on the Autorun mechanism. Although Autorun is now disabled by default, attacks that bypass this defense and still achieve automatic data theft exist, so potential automatic data-stealing methods need to be explored and detected.

This thesis studies how insider threat actors use removable storage media to inject malicious JavaScript into the intranet and to automate data theft, and from these two perspectives improves the protection of systems and data in the intranet. The main research contents are as follows.

1) To prevent malicious JavaScript from being injected into the intranet via removable storage media, we extract features with the n-gram method and, based on a correlation algorithm, detect malicious scripts without first distinguishing whether the code is obfuscated.

2) We propose an efficient dimension reduction method that avoids the curse of dimensionality caused by using the n-gram model to identify malicious JavaScript. The method uses a TF-IDF-like model to calculate the weight of each feature separately in the normal samples and in the malicious samples, and reduces the dimension based on the difference between these weights. Using several recognition algorithms, we compare the proposed method with dimension reduction based on Principal Component Analysis (PCA). The experiments support two conclusions: first, at the same feature dimension the proposed method recognizes malicious scripts better than PCA; second, once the retained dimension exceeds a certain threshold, the time cost of the proposed method grows much more slowly with the retained dimension than that of PCA.

3) We propose a method that steals data automatically when the ID of the removable storage medium connected to the host matches a preset ID in a script injected into the host in advance. This method completes the attack even when the Autorun mechanism is disabled.

4) To detect automatic data-stealing attacks, we collect normal behavior data from the use of removable storage media together with abnormal behavior data produced by automatic data stealing. From this data we analyze the differences between manual file operations and scripted automatic file operations. Taking the behavior data between one plug-in event and the corresponding pull-out event as a sample, we propose to detect such attacks with a one-class SVM. Experiments show that this method effectively detects automatic data-stealing attacks.
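The n-gram feature extraction and difference-weight dimension reduction described in points 1) and 2), as an added example that is not from the thesis. The exact TF-IDF-like formula, the use of character trigrams, and the sample scripts are all assumptions made here; the thesis only states that the weights are computed per class and that features are ranked by their difference.

```python
import math
from collections import Counter

# Constructed sample corpus (not from the thesis): two plain scripts and two
# obfuscation-style scripts whose encoded strings decode to the harmless word "hi".
NORMAL = [
    'function add(a, b) { return a + b; }',
    'document.getElementById("out").innerText = add(1, 2);',
]
MALICIOUS = [
    'eval(unescape("%68%69"));',
    'var s = String.fromCharCode(104, 105); eval(s);',
]


def ngrams(code: str, n: int = 3) -> Counter:
    """Character n-gram counts over the raw source, so obfuscated code needs no decoding."""
    return Counter(code[i:i + n] for i in range(len(code) - n + 1))


def class_weights(docs: list[Counter]) -> dict[str, float]:
    """Assumed TF-IDF-like weight of each n-gram within one class:
    relative frequency in the class corpus times log(1 + N / df)."""
    total = sum(sum(d.values()) for d in docs)
    tf, df = Counter(), Counter()
    for d in docs:
        tf.update(d)
        df.update(d.keys())
    return {g: tf[g] / total * math.log(1 + len(docs) / df[g]) for g in tf}


def difference_weights(normal, malicious, n=3):
    """|w_malicious - w_normal| per n-gram: n-grams that are common to both
    classes fall toward zero, so they are the first to be dropped."""
    w_n = class_weights([ngrams(c, n) for c in normal])
    w_m = class_weights([ngrams(c, n) for c in malicious])
    return {g: abs(w_m.get(g, 0.0) - w_n.get(g, 0.0)) for g in set(w_n) | set(w_m)}


def select_features(normal, malicious, k, n=3):
    """Keep the k n-grams with the largest difference weight (ties broken by name)."""
    diff = difference_weights(normal, malicious, n)
    return sorted(diff, key=lambda g: (-diff[g], g))[:k]


def vectorize(code, features, n=3):
    """Project one script onto the reduced feature space for a downstream classifier."""
    counts = ngrams(code, n)
    return [counts[g] for g in features]


if __name__ == "__main__":
    feats = select_features(NORMAL, MALICIOUS, k=8)
    print(feats, vectorize(MALICIOUS[1], feats))
```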
Keywords/Search Tags:internal threat, removable storage medium, malicious JavaScript code, data stealing