NCU Institutional Repository (National Central University): Item 987654321/61048
Please use the permanent URL to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/61048


Title: The Study on Retrospective Detection Approaches for Uncovering Potential APT Victims
Author: Liu, Shun-Te (劉順德)
Contributor: Department of Information Management
Keywords: advanced persistent threat; retrospective detection; malware detection; incident investigation; botnet detection
Date: 2013-07-26
Upload time: 2013-08-22 12:10:42 (UTC+8)
Publisher: National Central University
Abstract: An APT (Advanced Persistent Threat) attack is a sophisticated, target-oriented network attack in which the attacker uses compromised hosts as stepping stones to intrude into the enterprise network and steal more valuable data; the earlier the compromised hosts are found, the smaller the loss to the enterprise. However, APTs often evade existing prevention and detection mechanisms, and the malware they use is custom-built, so even when one compromised host is discovered it is hard to find the others by deriving a malware signature from it. Until better defences exist, incident investigation must be relied on to uncover potential victims as early as possible. Uncovering potential victims is time-consuming, however, especially in large enterprises with many hosts, and this results in further unnecessary losses.
To address this problem, this study examines how host-based features (for example, malicious file names) or network-based features (for example, malicious command-and-control relay servers) taken from a single APT-compromised host can be used to quickly find other compromised hosts with similar features in historical behaviour data; this concept is called retrospective detection. The first approach, MalPEFinder, performs retrospective detection using malicious file information and the relationships between files; the second, N-Victims, performs retrospective detection using similar network connections and the relationships between malicious relay servers. To demonstrate the practicality of the proposed methods, we ran experiments on known APT malware and real APT compromise cases and compared the results with Splunk, a well-known commercial similar-file search tool, and with N-Gram, a method for matching similar malicious relay servers. The results show that MalPEFinder raises the detection rate by 17% over Splunk while lowering the false-positive rate by 22%. Under the assumption of identifying the top 20 potential victims, N-Victims improves the detection rate by 90% over N-Gram (N=2).
Advanced persistent threats (APTs) are sophisticated and target-oriented cyber attacks which can evade most conventional prevention and detection mechanisms. The attackers leverage the victims as stepping stones to intrude into the enterprise network and steal valuable information. The faster the victims are found, the lower the damage the APTs cause. However, the underlying malware of an APT is customized: even if the malware is found, it is too unique to be used for detecting other similar malware. Therefore, incident investigations must play a role in uncovering the potential victims. Unfortunately, the investigations are often manual and take too much time to analyze the large volume of incident data.
In this dissertation, we propose both a host-based and a network-based retrospective detection approach, called MalPEFinder and N-Victims respectively. These approaches start from a known malware-infected computer in order to determine the potential victims. To prove their practicability, we test our approaches on real-world APT malware samples and on a real APT case that happened in a large enterprise network of several thousand computers running a commercial anti-virus system. The experimental results for MalPEFinder indicate that the detection rate improves by 17% compared to Splunk, a well-known retrospective search tool, and that a lower false-positive rate is achieved (3% vs. 25%). The experimental results for N-Victims show that N-Victims finds more malware-infected computers than the N-Gram-based approach, a general bot detection approach. Among the top 20 detected computers, N-Victims also had a higher detection rate than the N-Gram-based approach (100% vs. 5%, under N=2).
Appears in Collections: [Graduate Institute of Information Management] Theses and Dissertations

Files in this item:

File         Description   Size   Format   Views
index.html                 0Kb    HTML     957     View/Open


All items in NCUIR are protected by copyright.
