
Research On Trojan Detection Technology Of Rootkit In Linux Kernel

Posted on: 2021-02-02
Degree: Master
Type: Thesis
Country: China
Candidate: Z Lu
Full Text: PDF
GTID: 2428330623467779
Subject: Cyberspace security

Abstract/Summary:
In recent years, thanks to its excellent performance and open-source nature, the Linux operating system has become increasingly important in the server field, and more and more companies and individuals have made it the preferred operating system for application servers. At the same time, the security challenges it faces are growing more serious. The Linux kernel-based rootkit is a typical Trojan-horse threat. A kernel rootkit Trojan leaves a back door in the system; it can hide key information such as files, network connections and processes, clear traces of the intrusion, and collect sensitive user information, making it difficult for system administrators to detect its behaviour. Linux kernel rootkit detection is therefore an important research topic in computer security, with real significance for protecting system security and user privacy.

Considering that a rootkit Trojan collects private information from the host and periodically sends data packets to a remote control host, this thesis proposes a network traffic difference analysis method to detect whether a system is infected by a rootkit Trojan. The thesis first summarizes the background of Linux kernel-level rootkit Trojans, then describes the network traffic difference analysis scheme in detail. A corresponding prototype system is designed and compared with other rootkit detection tools. The main contents and achievements of this thesis are as follows:

(1) Improving the traditional file integrity detection method. To raise the efficiency of file integrity detection, this thesis adds a random detection factor, addressing the large number of files to check and the time and computing resources consumed by the traditional method.

(2) Inspired by the cross-view comparison method, a network traffic difference analysis method is proposed to monitor communication between a rootkit-hidden process and the remote host. We use kretprobe technology to set monitoring points on system calls and capture the actual process set created by the kernel, compute its difference against the process set obtained at user level, and so find the process list hidden by the rootkit Trojan. We use jprobe technology to capture the input parameters of the network device driver interface and obtain the mapping between processes and network connections. We capture network card traffic with the libpcap library. We then correlate processes, network connections and traffic to monitor the network communications of hidden processes.

The thesis implements the rootkit Trojan detection prototype system on the Linux-4.4.0 kernel and analyzes rootkit Trojans such as hanj-wukong, nurupu-rootkit and lz-rootkit. The experimental results show that the file integrity random detection scheme and the network traffic difference analysis scheme proposed in this thesis function correctly, and that the former gives a 19.7% efficiency improvement over the traditional detection method. The results also show that the method is general for detecting Linux kernel-level rootkit Trojans that have a network connection characteristic. The method addresses the low efficiency of traditional file integrity detection, the extra virtual machine resources required by virtual-machine cross-view comparison, and the large number of rootkit Trojan samples required by machine learning methods.
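The analysis pipeline the abstract describes (kernel-side process set minus user-side process set, then joining the hidden PIDs to their network connections and to captured traffic) can be shown in a few dozen lines. The following is an added example written for this page, not code from the thesis or its prototype. The thesis takes its four inputs from kretprobe hooks, user-level process listings, jprobe hooks on the network driver interface and libpcap; here all four are constructed sample data (PIDs, addresses from the documentation range 203.0.113.0/24, packet lengths) so the logic runs offline, and `list_proc_pids` shows only how the user-side view would be gathered on a live host.

```python
"""Cross-view detection of hidden processes and their network connections.

Added example, not code from the thesis. The thesis takes the kernel-side
process set from kretprobe hooks on process-creating system calls, the
user-side set from user-level process listings, the process-to-connection
mapping from jprobe hooks on the network driver interface, and raw traffic
from libpcap. Every input below is constructed sample data standing in for
those four sources, so the analysis runs offline.
"""
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Connection:
    """One socket owned by a process (constructed; stands in for jprobe output)."""
    pid: int
    proto: str
    laddr: str   # "ip:port"
    raddr: str   # "ip:port"


@dataclass(frozen=True)
class Packet:
    """One captured frame reduced to a flow tuple (constructed; stands in for libpcap)."""
    src: str
    dst: str
    length: int


# Constructed sample views. PID 1337 exists in the kernel view but is missing
# from the user-level listing, which is the signature of process hiding.
KERNEL_VIEW_PIDS: Set[int] = {1, 412, 987, 1337, 2048}
USER_VIEW_PIDS: Set[int] = {1, 412, 987, 2048}

CONNECTIONS: List[Connection] = [
    Connection(412, "tcp", "10.0.0.5:22", "10.0.0.9:51234"),
    Connection(1337, "tcp", "10.0.0.5:43210", "203.0.113.7:8080"),  # hidden process
    Connection(2048, "udp", "10.0.0.5:53412", "10.0.0.1:53"),
]

PACKETS: List[Packet] = [
    Packet("10.0.0.5:43210", "203.0.113.7:8080", 180),
    Packet("203.0.113.7:8080", "10.0.0.5:43210", 60),
    Packet("10.0.0.5:43210", "203.0.113.7:8080", 120),
    Packet("10.0.0.5:53412", "10.0.0.1:53", 70),
]


def list_proc_pids() -> Set[int]:
    """User-level view on a live Linux host: the numeric entries under /proc.

    Not used by the offline sample; it shows how USER_VIEW_PIDS would be
    populated in practice. A rootkit that filters /proc hides entries here.
    """
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def find_hidden_pids(kernel_view: Iterable[int], user_view: Iterable[int]) -> List[int]:
    """Cross-view difference: PIDs the kernel created that user space cannot see."""
    return sorted(set(kernel_view) - set(user_view))


def connections_of(pids: Iterable[int], connections: Iterable[Connection]) -> Dict[int, List[Connection]]:
    """Group the connections attributed to each PID in the given set."""
    wanted = set(pids)
    by_pid: Dict[int, List[Connection]] = {}
    for conn in connections:
        if conn.pid in wanted:
            by_pid.setdefault(conn.pid, []).append(conn)
    return by_pid


def flow_bytes(conn: Connection, packets: Iterable[Packet]) -> Dict[str, int]:
    """Bytes sent and received on one connection, summed from the captured packets."""
    packets = list(packets)
    sent = sum(p.length for p in packets if p.src == conn.laddr and p.dst == conn.raddr)
    received = sum(p.length for p in packets if p.src == conn.raddr and p.dst == conn.laddr)
    return {"sent": sent, "received": received}


def analyze(kernel_view, user_view, connections, packets) -> List[dict]:
    """Full pipeline: hidden PIDs -> their connections -> traffic on each connection."""
    findings: List[dict] = []
    hidden = find_hidden_pids(kernel_view, user_view)
    for pid, conns in connections_of(hidden, connections).items():
        for conn in conns:
            findings.append({"pid": pid, "proto": conn.proto, "remote": conn.raddr,
                             **flow_bytes(conn, packets)})
    return findings


if __name__ == "__main__":
    for finding in analyze(KERNEL_VIEW_PIDS, USER_VIEW_PIDS, CONNECTIONS, PACKETS):
        print(f"hidden pid {finding['pid']} {finding['proto']} -> {finding['remote']} "
              f"sent={finding['sent']} received={finding['received']}")
```

On the sample data the only hidden PID is 1337, and the report attributes 300 bytes sent and 60 received on its connection to 203.0.113.7:8080. A hidden process with no socket is still returned by `find_hidden_pids` but produces no traffic finding, which matches the abstract's scope: the traffic difference method targets rootkits that have a network connection characteristic.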
Keywords/Search Tags:Linux kernel, Rootkit Trojan Horse, Analysis of network traffic differences, Process hiding, System security