惡意程式的發展,從早期的病毒﹙Virus﹚,蠕蟲﹙Worm﹚,木馬﹙Trojan Horse﹚與後門﹙Backdoor﹚程式,至今日的Rootkit、間諜軟體﹙Spyware﹚、垃圾信件發送軟體﹙Spamware﹚等,其使用的技術不斷地改變,滲透的手段日趨多元,而造成的損失也日益龐大,這些惡意軟體藉由網路多樣化的傳播途徑達散播的目的,對網路以及網路上的主機系統安全帶來巨大的威脅。 在眾多攻擊方式中,攻擊者為了掌控受害的主機,開啟後門是最重要的步驟,常見的木馬與後門程式,大多都會偽裝成一般正常程式,像是取與正常程式相同的名稱,以避免被使用者發覺,一旦攻擊者取得具有系統管理員﹙root﹚權限的後門程序,攻擊者便可對受害電腦為所欲為。 在本論文中,我們提出新的防禦機制,以程序使用網路的行為﹙behavior-based﹚為基礎來區分正常程式與後門程式,有效的保護系統不被後門程式操控,我們在系統資訊被不正常的透過網路傳出之前,即偵測出攻擊存在的可能性,在傷害尚未擴大之時,便終止可疑的程序,可阻止攻擊者利用後門程式進行後續的惡意行為,提高系統與網路伺服器的安全性。 With the popularity of computers and Internet, more information security problems are taken into consideration. From the old-time virus to the newfashioned worm, Trojan horse and backdoor, nowadays, attackers develop a variety of malware to gain lots of personal benefit. Like rootkit, spyware, or spamware, these malwares spread via all kinds of network applications. It is a huge threat to Internet and system security. In order to control the victim computers, open the backdoor is the most important step in all attacking methods. The conventional Trojan house and backdoor may mask themselves as normal programs, like having the same name with normal program, in order to cheat users. Once attackers get the backdoor process with root privilege, attackers can do everything to the victim. In this thesis, we propose a new behavior-based defensive mechanism to detect whether a program is a backdoor or not. This mechanism can protect system from controlling by backdoor. We can find out the backdoor before the system information is sent by Internet abnormally. Before the attack succeeds, we can terminate the suspicious process and stop the follow-up malicious activities in advanced. This mechanism can raise the security level of system and network server.
