
Research on Security Detection Techniques for PDF Documents

Published: 2018-10-19 19:58
[Abstract]: In recent years, PDF has become a widely used format for electronic documents. Since the first critical vulnerability in Adobe Reader (CVE-2008-2549) was discovered in 2008, more and more PDF files have become an important means of attack. Compared with other JavaScript-based attack methods, however, PDF-based attacks have not attracted much research attention, so research on the security detection of PDF documents is needed. This thesis first introduces the background and current state of PDF document security research, and reviews and analyzes existing work in three categories: purely static detection, purely dynamic detection, and combined static-dynamic detection. It then introduces the PDF document format and the security problems of PDF documents, describing the composition of each part in detail. On the security side, it analyzes the JavaScript module in PDF documents, which is the foundation and focus of PDF document security problems. For static detection, the thesis introduces the principle of statically detecting PDF document security, and improves and implements a static detection scheme. First, JavaScript code is extracted from the PDF document; adding certain deobfuscation measures to the extraction process allows the JavaScript code to be extracted correctly, which makes the feature analysis more accurate. Considering the particular nature of PDF document security problems, a derivative model of the one-class support vector machine is designed and a more complete machine learning model is built; by adding sub-models, the attack patterns of malicious PDF documents can be classified. Compared with traditional schemes, this static detection scheme improves the accuracy of static detection and provides more useful information.
For dynamic detection, the thesis introduces the principle of dynamically detecting PDF document security and builds a complete dynamic detection system. First, the shellcode emulator libemu is used to directly examine PDF documents from which shellcode can be extracted; other types of documents go through a sandbox mechanism, with Cuckoo Sandbox performing detailed behavior analysis. Because the static detection results are fully used and mechanisms such as the emulator are added, this approach, compared with using a sandbox alone for dynamic detection of PDF documents, keeps the high accuracy of dynamic detection while reducing detection time and improving detection efficiency. Finally, the thesis describes and implements the complete PDF document security detection system and tests it with PDF samples collected from the network. The experimental results show that the system makes full use of the characteristics of PDF document security problems and can detect and analyze the security of PDF documents accurately and quickly.
[Degree-granting institution]: Shanghai Jiao Tong University
[Degree level]: Master's
[Year degree granted]: 2015
[Classification number]: TP309


Article number: 2282199


Link to this article: http://lk138.cn/shoufeilunwen/xixikjs/2282199.html

