Thesis 964403004: Record Details
Author: 劉順德 (Shun-Te Liu)    Department: Information Management
Title: 以回溯式偵測方法發掘潛在APT受駭主機之研究
(The Study on Retrospective Detection Approaches for Uncovering Potential APT Victims)
Related theses
★ A Study on Applying Digital Rights Management to Content Protection for Digital Video Discs
★ A Study on Enterprise Software License Management via Application Virtualization
★ Design of an IAX2-Based Web Telephony Architecture
★ A Study on Applying Machine Learning to Assist Police in Fraud Investigations
★ A Study of an Account-Based Ticketing System Extended with Fraud Prevention and Privacy Protection: The Case of Public Transportation
★ A Study on Collecting and Integrating Semi-Structured Data from the Internet
★ A Study of an Online Shopping Assistant for E-Commerce Environments
★ A Study on Defense-in-Depth Mechanisms for Network Security
★ A Study on Advance Resource Reservation and Resource Conflicts on the National Broadband Experimental Network
★ A Study on Detecting E-mail Viruses with a Tree-Based Correlation Architecture
★ A Study on Video Placement in Video-on-Demand Systems Considering Regional Differences
★ A Study on Preserving Digital Evidence in Untrusted Local Area Networks
★ Development of an Integrated Assistance System for Explaining Intrusion Detection System Events and Automatically Adding Detection Rules
★ A Study on Correlating Intrusion Alerts from Distributed Intrusion Detection Systems Using Process Tracking
★ Development of a Technique for Automatically Generating Web Information Extraction Programs
★ A Study on Applying XML/XACML to Authorization Control in Workflow Management Systems
Files and access terms
  1. Access to this electronic thesis is permitted: open access granted immediately.
  2. Full texts that have reached their open-access date are licensed only for personal, non-profit retrieval, reading and printing for the purpose of academic research.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast the work without authorization, to avoid violating the law.

Abstract (Chinese) An advanced persistent threat (APT) attack is a sophisticated, target-oriented cyber attack in which the attacker uses compromised hosts as stepping stones to intrude into the enterprise network and steal more valuable data; the earlier the compromised hosts are found, the smaller the loss to the enterprise. However, APTs often evade existing prevention and detection mechanisms, and the malware they use is custom-built, so even when one compromised host is discovered, it is hard to find the other compromised hosts by deriving a malware signature from it. Until better defenses exist, incident investigation must be relied on to uncover potential victims as early as possible. Yet uncovering potential victims is usually time-consuming, especially in large enterprises with many hosts, which causes the enterprise further unnecessary losses.
To address this problem, this study examines how to use the host-based features (e.g., malicious file names) or network-based features (e.g., malicious relay servers) of one APT-compromised host to quickly find other compromised hosts with similar features in historical behavior data; this concept is called retrospective detection. The first approach, MalPEFinder, performs retrospective detection using malicious file information and the relationships between files; the second, N-Victims, performs retrospective detection using similar network connections and their relationships to malicious relay servers. To demonstrate the usability of the proposed approaches, we run experiments on known APT malware and real APT victim cases, and compare the approaches with the well-known commercial similar-file search tool Splunk and with the N-Gram method for matching similar malicious relay servers. The results show that MalPEFinder improves the detection rate by 17% over Splunk while lowering the false positive rate by 22%. Under the assumption of finding the top 20 potential victims, N-Victims improves the detection rate by 90% over N-Gram (N=2).
Abstract (English) Advanced persistent threats (APTs) are sophisticated, target-oriented cyber attacks that can evade most conventional prevention and detection mechanisms. The attackers use the victims as stepping stones to intrude into the enterprise network and steal valuable information. The faster the victims are found, the less damage the APT causes. However, the malware underlying an APT is customized; even if the malware is found, it is too unique to be used for detecting other, similar malware. Therefore, incident investigation has to play a role in uncovering the potential victims. Unfortunately, such investigations are often manual and take too much time to analyze the large volume of incident data.
In this dissertation, we propose a host-based and a network-based retrospective detection approach, called MalPEFinder and N-Victims respectively. Both start from a known malware-infected computer in order to determine the potential victims. To prove their practicability, we test the approaches on real-world APT malware samples and a real APT case that occurred in a large enterprise network of several thousand computers running a commercial anti-virus system. The experimental results for MalPEFinder indicate that the detection rate improves by 17% compared with Splunk, a well-known retrospective search tool, while achieving a lower false-positive rate (3% vs. 25%). The experimental results for N-Victims show that it finds more malware-infected computers than the N-Gram-based approach, a general bot detection approach. Among the top 20 detected computers, N-Victims also achieved a higher detection rate than the N-Gram-based approach (100% vs. 5%, with N=2).
Keywords (Chinese) ★ advanced persistent threat
★ retrospective detection
★ malware detection
★ incident investigation
★ botnet detection
Keywords (English) ★ advanced persistent threat
★ retrospective detection
★ malware detection
★ incident investigation
★ botnet detection
Table of Contents
Chinese Abstract
Abstract
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1. Introduction
1.1. Research background and motivation
1.2. Research problems
1.3. Research objectives
1.4. Contributions
Chapter 2. Literature Review
2.1. Advanced persistent threat
2.2. Retrospective detection
2.3. Host-based retrospective detection
2.4. Network-based retrospective detection
2.5. The summary of the literature review
Chapter 3. The Proposed Approaches
3.1. Overview
3.2. MalPEFinder
3.2.1. PEF ownerships
3.2.2. Ownership graph
3.2.3. Searching MalPEFs in the graph
3.3. N-Victims
3.3.1. The concept of N-Victims
3.3.2. The similarity of HTTP requests
3.3.3. Building HTTP tree
3.3.4. Determine the malware-infected computers
Chapter 4. System Design and Implementation
4.1. MalPEFinder design
4.1.1. Agent
4.1.2. Server
4.1.3. PEF indexing
4.1.4. Searching MalPEF
4.2. N-Victim design
4.2.1. HTTP tree builder
4.2.2. Indexer
4.2.3. Searcher
4.2.4. Detector
Chapter 5. Evaluations
5.1. Evaluation criteria
5.2. Evaluations of MalPEFinder
5.2.1. Experiment setup
5.2.2. Determining weight vector
5.2.3. Experiment results of effectiveness
5.2.4. Experiment results of efficiency
5.3. Evaluations of N-Victims
5.3.1. Experiment setup
5.3.2. Determining parameters
5.3.3. Experiment results of effectiveness
5.3.4. Experiment results of efficiency
5.4. Discussion
Chapter 6. Conclusions and Future Work
References
Advisor: 陳奕明 (Yi-Ming Chen)    Approval date: 2013-7-26