Thesis 102522073: Record Details




Name: Ting Luo (羅婷)    Department: Computer Science and Information Engineering
Title: CatPaw: A Cloud-based Real-Time Mechanism to Protect End Hosts
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-Time Rootkit Detection System
★ A Detection and Defense Mechanism for Scam SMS Messages on Android Phones
★ SRA: A System to Defend Against ARP Spoofing Router Hijacking
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-Time Counterattack System Against Remote Buffer Overflow Attacks
★ Real-Time Serum System: An Automated Worm Cure System with an Offensive Defense Wall
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI: My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
File: full text is not available for browsing (never to be released)
Abstract (Chinese) Malware and network APT attack incidents have risen sharply and seriously endanger the security of both enterprise and personal computers. Security vendors therefore strive to offer more diverse, multi-pronged anti-malware services in the hope of stopping malicious attacks worldwide. Even though an individual security vendor actively provides high-quality services for computer protection, and antivirus software is currently the main mechanism against malware, such protection software still faces three problems: the detection window between a new threat appearing and a signature being available, the security strength of the antivirus software itself, and excessively long scan times. In practice, what most users care about most is the actual malware detection rate and the speed at which the antivirus software completes its scanning tasks.
As end-host security becomes increasingly important, we propose a real-time early-warning technique for end-host security, using Windows 7 as the evaluation platform. Before a program is executed on the system, it is sent over the network to VirusTotal for scanning by multiple antivirus engines; only if it passes the check is the operating system allowed to execute the file. Real-time scanning with VirusTotal not only delivers a high detection rate through the combined detection of multiple antivirus engines, but also gives users 24-hour real-time protection. Scanning only the files that are about to execute is also faster and more efficient than traditional antivirus software, which scans every file on the computer at once.
Abstract (English) The rise of malicious software and network APT attacks severely exposes all enterprises and personal computers to the risk of security exploitation. Therefore, security vendors are dedicated to providing more diverse services in order to protect their customers from global malicious attacks. Antivirus software actively provides a high-quality service to protect computer security. However, a single security vendor may still be confronted with several problems, such as significant detection windows, vulnerabilities in the antivirus software itself, and tedious, time-consuming scans of all files on the system. In practice, most users pay close attention to both the detection rate and the scanning speed of antivirus software.
In this thesis, we propose a defense mechanism named CatPaw to resist the intrusion of malware and malicious content. The Windows operating system is selected as the platform on which to verify our design. System software and other user applications are scanned by sending them to VirusTotal over the Internet before the operating system executes them. If the scan passes, the file is allowed to execute. Real-time scanning on VirusTotal not only provides a more reliable and accurate security service by using multiple antivirus engines, but also provides 24-hour real-time protection for users. Furthermore, scanning only the files that users trigger, instead of scanning every file on the disk as traditional single-engine antivirus software does, makes the mechanism as efficient as possible.
Keywords (Chinese) ★ Malware
★ Antivirus software
★ Real-time detection
★ Cloud security
Keywords (English) ★ Malware
★ Antivirus
★ Real Time Detection
★ Cloud Security
Table of contents
Abstract (Chinese)
Abstract (English)
Table of Contents
List of Figures
List of Tables
1. Introduction
2. Background
2.1. Windows System Service
2.2. System Services Descriptor Table
2.3. System Service Dispatcher
2.4. SSDT Hooking
2.5. VirusTotal
2.5.1. Characteristics of VirusTotal
2.5.2. Pros and Cons of VirusTotal
3. Design
3.1. Design Principle
3.2. System Architecture
3.3. Main Components
4. Evaluation
4.1. Environment
4.2. Test Cases
4.3. Experiments
4.3.1. Scan Tasks
4.3.2. Report Tasks
4.3.3. Total Execution Time
4.3.4. Results
5. Discussion
5.1. Related Work
5.2. Limitations
5.3. Future Work
5.4. Contributions
6. Conclusion
7. References


Advisor: Fu-Hau Hsu (許富皓)    Approval date: 2015-7-24

For questions about this thesis, contact the Promotion Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.