APT (Advanced Persistent Threat)攻擊是一種精緻且目標導向的網路攻擊,攻擊者利用受駭主機當作跳板入侵企業網路,以竊取更多寶貴的資料,因此愈早找出受駭主機,對企業造成的損失就愈小。然而APT往往能躲過現有的防禦或偵測機制,使用的惡意程式也是特製的,即便發現一台受駭主機,也難以透過製成惡意程式特徵碼來找出其他受駭主機。在沒有更好的防禦機制前,必須利用資安事件調查的力量盡早發掘潛在受駭主機。但發掘潛在受駭主機往往耗時,特別是主機數量多的大型企業,結果造成企業更多不必要的損失。 為解決這個問題,本研究探討如何利用一台APT受駭主機上的主機型特徵(例如惡意檔案名稱)或網路型特徵(例如惡意中繼站),在歷史的行為資料中快速找出其他具相似特徵的受駭主機,這種概念稱為回溯式偵測。第一種稱為MalPEFinder,主要利用惡意檔案資訊及檔案間的關聯進行回溯式偵測;第二種稱為N-Victims,主要利用相似網路連線及惡意中繼站的關聯進行回溯式偵測。為證明本研究所提方法的可用性,我們利用已知的APT惡意程式及APT受駭案例進行實驗,並與知名商用的相似檔案搜尋工具Splunk及相似惡意中繼站比對方法N-Gram進行比較。實驗結果顯示,MalPEFinder比Splunk提高17%的偵測率,同時降低22%的誤報率。在找出前20個潛在受駭主機的假設下,N-Victims比N-Gram(N=2)提高90%偵測率。 Advanced persistent threats (APTs) are sophisticated and target-oriented cyber attacks which can evade most of the conventional prevention and detection mechanisms. The attackers leverage the victims as the stepping stone to intrude into the enterprise network for stealing valuable information. The more faster the victims are found, the lower the damages the APTs cause. However, the underlying malware of APT is customized even if the malware is found, it is too unique to be used for detecting the other similar malware. Therefore, it requires incident investigations to play a role in uncovering the potential victims. Unfortunately, the investigations are often manual and take too much time to analyze the large volume incident data. In this dissertation, we propose both host-based and a network-based retrospective detection approaches, called MalPEFinder and N-Victims, respectively. These approaches start with a known malware-infected computer in order to determine the potential victims. To prove the practicability, we test our approaches by the real-world APT malware samples and a real APT case that happened in a large enterprise network, consisting of several thousand computers, which run a commercial anti-virus system. The experimental results of MalPEFinder indicate that the detection rate can improve by 17% as compared to Splunk, which is a famous retrospective search tool, and a lower false-positive rate can be achieved (3% vs. 25%). The experimental results of N-Victims show that N-Victims can find more malware-infected computers than N-Gram-based approach, which are general bot detection approaches. In the top 20 detected computers, N-Victims also had a higher detection rate than N-Gram-based approaches (100% vs. 5%, under N=2).
