NCU Institutional Repository: Item 987654321/61048
Please use this permanent URL to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/61048


Title: A Study on Retrospective Detection Approaches for Uncovering Potential APT Victims (以回溯式偵測方法發掘潛在APT受駭主機之研究)
Author: Liu, Shun-Te (劉順德)
Contributor: Department of Information Management
Keywords: advanced persistent threat; retrospective detection; malware detection; incident investigation; botnet detection
Date: 2013-07-26
Uploaded: 2013-08-22 12:10:42 (UTC+8)
Publisher: National Central University
Abstract (translated from the Chinese abstract): An APT (Advanced Persistent Threat) attack is a sophisticated, targeted cyber attack in which the attacker uses compromised hosts as stepping stones into the enterprise network in order to steal more valuable data; the sooner compromised hosts are found, the smaller the loss to the enterprise. However, APTs usually evade existing prevention and detection mechanisms, and the malware they use is custom-built, so even when one compromised host is discovered it is hard to find the others by turning that malware into a signature. Until better defenses exist, incident investigation has to be relied on to uncover potential victims as early as possible. But uncovering potential victims is time-consuming, especially in large enterprises with many hosts, and the delay causes the enterprise further unnecessary loss.
To address this problem, this dissertation studies how host-based features (e.g., malicious file names) or network-based features (e.g., malicious relay (C2) servers) taken from one APT-compromised host can be used to quickly find other compromised hosts with similar features in historical behaviour data; this concept is called retrospective detection. The first approach, MalPEFinder, performs retrospective detection using malicious file information and the relationships between files; the second, N-Victims, uses similar network connections and the relationships among malicious relay servers. To demonstrate practicability, we ran experiments with known APT malware and real APT victim cases and compared the approaches with the well-known commercial similar-file search tool Splunk and with the N-Gram method for matching similar malicious relay servers. The results show that MalPEFinder raises the detection rate by 17% over Splunk while lowering the false-positive rate by 22%. Under the assumption that the top 20 potential victims are reported, N-Victims raises the detection rate by 90% over N-Gram (N=2).
Advanced persistent threats (APTs) are sophisticated, target-oriented cyber attacks that evade most conventional prevention and detection mechanisms. The attackers leverage the victims as stepping stones to intrude into the enterprise network and steal valuable information. The faster the victims are found, the lower the damage the APT causes. However, the underlying malware of an APT is customized: even once a sample is found, it is too unique to be used for detecting other, similar malware. Incident investigation therefore has to play a role in uncovering the potential victims. Unfortunately, such investigations are often manual and take too much time to analyze the large volume of incident data.
In this dissertation, we propose a host-based and a network-based retrospective detection approach, called MalPEFinder and N-Victims respectively. Both start from one known malware-infected computer in order to determine the potential victims. To prove their practicability, we test the approaches on real-world APT malware samples and on a real APT case that happened in a large enterprise network of several thousand computers running a commercial anti-virus system. The experimental results for MalPEFinder indicate that the detection rate improves by 17% compared to Splunk, a well-known retrospective search tool, with a lower false-positive rate (3% vs. 25%). The experimental results for N-Victims show that it finds more malware-infected computers than the N-Gram-based approach, a general bot-detection approach. Among the top 20 detected computers, N-Victims also had a higher detection rate than the N-Gram-based approach (100% vs. 5%, with N=2).
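The retrospective pivot the abstract describes, as an added worked example in Python (not code from the dissertation, and not the MalPEFinder or N-Victims implementation): starting from one confirmed victim, it matches other hosts on the seed's (parent process, written file) relations rather than on bare file names, pivots from the seed's C2 domains through shared resolved IPs to sibling domains, and runs a character-bigram (N=2) string similarity over domains as the kind of N-Gram baseline the abstract compares against. The host and network logs, host names, domains, IP addresses and field layouts are all constructed assumptions.

```python
"""Retrospective detection pivot over constructed host and network logs.

Added illustration of the concept in the abstract; not the dissertation's
MalPEFinder or N-Victims code. The log layouts, host names, domains and
IP addresses below are constructed assumptions.
"""
from collections import defaultdict

# Constructed host log: (host, parent_process, file_written).
HOST_LOG = [
    ("pc-01", "winword.exe", "update.exe"),
    ("pc-01", "update.exe", "svchst.dll"),
    ("pc-02", "winword.exe", "update.exe"),
    ("pc-02", "update.exe", "svchst.dll"),
    ("pc-03", "explorer.exe", "report.docx"),
    ("pc-04", "update.exe", "svchst.dll"),
    ("pc-05", "chrome.exe", "update.exe"),  # benign file-name collision
]

# Constructed network log: (host, dst_domain, resolved_ip).
NET_LOG = [
    ("pc-01", "news-update.example", "203.0.113.10"),
    ("pc-02", "news-update.example", "203.0.113.10"),
    ("pc-04", "news-updates.example", "203.0.113.10"),  # sibling C2 name, same IP
    ("pc-06", "news-uptate.example", "203.0.113.11"),   # lookalike, unrelated IP
    ("pc-05", "cdn.example", "198.51.100.7"),
    ("pc-03", "intranet.example", "10.0.0.5"),
]


def victims_by_host_features(seed):
    """Hosts that reproduce one of the seed's (parent, file) relations.

    Matching the relation instead of the bare file name is the host-side
    pivot: pc-05 also has an update.exe, but written by a browser, so it
    is not returned. Result: {host: set of matching relations}.
    """
    relations = {(p, f) for h, p, f in HOST_LOG if h == seed}
    hits = defaultdict(set)
    for h, p, f in HOST_LOG:
        if h != seed and (p, f) in relations:
            hits[h].add((p, f))
    return dict(hits)


def victims_by_network_features(seed):
    """Hosts that contacted the seed's C2 domains or their siblings.

    Sibling domains come from a relationship between the indicators
    themselves: any domain that resolved to an IP one of the seed's
    domains used. Result: {host: set of matched domains}.
    """
    seed_domains = {d for h, d, _ in NET_LOG if h == seed}
    c2_ips = {ip for _, d, ip in NET_LOG if d in seed_domains}
    c2_domains = {d for _, d, ip in NET_LOG if ip in c2_ips}
    hits = defaultdict(set)
    for h, d, _ in NET_LOG:
        if h != seed and d in c2_domains:
            hits[h].add(d)
    return dict(hits)


def bigram_similarity(a, b):
    """Dice coefficient over character bigrams (an N-gram measure, N=2)."""
    x = {a[i:i + 2] for i in range(len(a) - 1)}
    y = {b[i:i + 2] for i in range(len(b) - 1)}
    if not x and not y:
        return 1.0
    return 2 * len(x & y) / (len(x) + len(y))


def victims_by_ngram(seed, threshold=0.8):
    """String-similarity baseline: hosts whose destination domains look
    like the seed's, ignoring infrastructure. Result: {host: best score}."""
    seed_domains = {d for h, d, _ in NET_LOG if h == seed}
    if not seed_domains:
        return {}
    hits = {}
    for h, d, _ in NET_LOG:
        if h == seed:
            continue
        score = round(max(bigram_similarity(d, s) for s in seed_domains), 2)
        if score >= threshold:
            hits[h] = max(hits.get(h, 0.0), score)
    return hits


def rank_candidates(seed):
    """Union of the host and network pivots, ordered by amount of evidence."""
    evidence = defaultdict(int)
    for h, rels in victims_by_host_features(seed).items():
        evidence[h] += len(rels)
    for h, doms in victims_by_network_features(seed).items():
        evidence[h] += len(doms)
    return sorted(evidence.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for host, score in rank_candidates("pc-01"):
        print(host, score)
    print("n-gram baseline:", victims_by_ngram("pc-01"))
```

With pc-01 as the seed, the relation match returns pc-02 and pc-04 and leaves out pc-05, whose update.exe was written by a browser; the IP pivot reaches pc-04 through the sibling domain on the same address but not pc-06; the bigram score rates pc-06's lookalike domain (0.89) almost as highly as the real sibling (0.92), which string similarity alone cannot tell apart from genuine shared infrastructure.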
Appears in collections: [Graduate Institute of Information Management] Theses and dissertations

Files in this item: index.html (HTML, 0 Kb, 957 views)

