A Rootkits Detection Model Based on Immune Mechanisms
Immunity model for Rootkits detection
【Abstract (Chinese original)】 To address the problem that Rootkits-type malicious code is growing rapidly in number and hides in the system kernel, where traditional antivirus techniques have difficulty detecting it, this paper, inspired by the biological immune system, proposes an immunity-inspired model for Rootkits detection, IMRD. The model extracts the dynamic sequences of IRP (I/O request packet) requests that a process generates while running in kernel mode as antigens, defines the clean, normal benign programs in the system as self, and defines known Rootkits malicious code as nonself. It tracks the evolution of Rootkits malicious code by monitoring the behaviour of Rootkits processes and analysing their family genes, and it learns and evolves to recognise unknown Rootkits through vaccination, clonal selection, gene evolution and similar mechanisms, extracting their genes to update the antibody gene library. Theoretical analysis and experiments show that the model achieves a high detection rate for unknown Rootkits, with low false-positive and false-negative rates.
【Abstract】 Rootkits affect system security by modifying kernel data structures and hiding themselves in the system kernel to achieve a variety of malicious goals. A biological immune system method was used in an immunity model for Rootkits detection named IMRD. The model extracts IRPs (I/O request packets) generated by processes running in kernel mode as antigens, defines normal benign programs as self programs, and defines malicious code as nonself programs. The system monitors process behavior together with Rootkits family gene analyses in order to track the evolution of Rootkits malicious code. The model generates immature antibodies by vaccination, produces mature antibodies by clonal selection and gene evolution, and then learns and identifies unknown Rootkits malicious code using the mature antibodies. Theoretical analyses and tests show that the model has a high detection rate, a low false alarm rate, and a low omission rate for unknown Rootkits.
【Key words】 Rootkits detection; artificial immune system; I/O request packets; antivirus
- 【Source】 清华大学学报(自然科学版), Journal of Tsinghua University (Science and Technology), 2012, Issue 10
- 【Classification number】 TP309
- 【Cited by】 4
- 【Downloads】 151