Research On Key Technologies Of Kernel Vulnerability Attack Analysis And Detection

Posted on: 2023-11-14
Degree: Master
Type: Thesis
Country: China
Candidate: P W Liu
Full Text: PDF
GTID: 2568306623479054
Subject: Computer Science and Technology

Abstract/Summary:
With the continuous development of Internet technology, malicious network attacks of many kinds emerge one after another. Among them, exploiting a kernel vulnerability to attack the target host lets an attacker elevate local privilege, evade detection by security software, and ultimately take complete control of the system, posing a serious threat to host security. In recent years, with the surge in the number of kernel vulnerabilities and the variety of attack methods, the corresponding defense work faces greater challenges. Traditional kernel security mitigation mechanisms suffer from problems such as a single truncation path and excessive overhead, and cannot flexibly respond to new attack methods, whereas kernel vulnerability attack analysis and detection technology can effectively deal with complex and changeable attack methods. However, where existing analysis technology ensures accurate acquisition of kernel-mode information, its analysis efficiency is low; and existing detection technology has difficulty effectively mining key user-mode information, resulting in low detection accuracy. In order to discover a program's kernel vulnerability attack intention efficiently and accurately, this thesis studies analysis technology and detection technology respectively, and designs and implements a kernel vulnerability attack analysis system and a detection system. The main research work and innovation points of this thesis are as follows:

1. The state transition diagram of kernel vulnerability attacks is constructed and the Kernel-Attack model is defined, both of which are important foundations for the follow-up research. Based on the principle of kernel vulnerability attacks, the attack mode of each stage is summarized and divided. For the analysis work, which depends on kernel-mode information, the state transition diagram of the kernel vulnerability attack is constructed to explore ways to improve analysis efficiency; for the detection work, which depends on user-mode information, the kernel vulnerability attack model Kernel-Attack is defined, and empirical knowledge is used to initially establish the mapping between user-mode behavior events and kernel memory exploit states.

2. A reverse analysis method for the kernel vulnerability attack process based on a finite state machine is proposed, which solves the problem of the low efficiency of kernel vulnerability attack analysis relying on kernel-mode information. First, the idea of reverse analysis is introduced, the attack process is analyzed in depth, and a finite state machine model based on reverse analysis is established; by defining state nodes, the key state transition process is formally described in detail. Based on this model, an efficient automated analysis method can quickly obtain key code execution information.

3. A kernel vulnerability attack detection method based on multi-level mapping is proposed, which solves the problem of the low detection accuracy of kernel vulnerability attack detection relying on user-mode information. First, for the user-mode API information flow extracted by dynamic binary instrumentation tools, a processing strategy based on fine-grained association is proposed, which effectively extracts the key user-mode information and realizes the mapping from the original API information flow to a sequence of user-mode behavior events. Then, based on the Kernel-Attack model, a Hidden Markov Model is constructed, the sequence that directly reflects the attack intention of the kernel vulnerability exploit is further mined, and the unique mapping from the user-mode behavior event sequence to the kernel memory exploit state sequence is realized. The kernel vulnerability attack detection algorithm based on multi-level mapping thus accurately determines a kernel vulnerability attack from limited user-mode information.

Experiments show that the reverse analysis method for the kernel vulnerability attack process based on a finite state machine improves analysis efficiency compared with the traditional forward analysis method, and that, compared with the detection results of two detection platforms, the detection accuracy of the multi-level mapping based method is greatly improved.
Keywords/Search Tags: kernel vulnerability, vulnerability exploit, elevation of privilege, reverse analysis, behavior mapping