博碩士論文 103522088 詳細資訊

以作者查詢圖書館館藏 以作者查詢臺灣博碩士 以作者查詢全國書目 勘誤回報 、線上人數:3 、訪客IP:
姓名 謝岳緯(Yue-Wei Xie)  查詢紙本館藏   畢業系所 資訊工程學系
(RGuard: A Light-weight Minifilter-based Solution to Ransomware)
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制★ SRA系統防禦ARP欺騙劫持路由器
★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI : My ACcount, YoUr ResponsIbility★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment★ PrivacyGuard:A Kernel-based Solution to Enhance the User Privacy When Using Private Browsing
檔案 [Endnote RIS 格式]    [Bibtex 格式]    [相關文章]   [文章引用]   [完整記錄]   [館藏目錄]   至系統瀏覽論文 (2021-6-30以後開放)
摘要(中) 近年來勒索軟體的危害程度對於使用者越來越高,勒索軟體會想盡辦法入侵使用者的電腦去加密檔案,並勒索贖金,被攻擊的使用者只能被迫向勒索軟體作者付出高額的贖金,而且付出贖金也不一定會解鎖檔案,受害者只能被動等待作者解鎖。
為了抵禦勒索軟體的攻擊,我們提出了一個能在平時偵測疑似勒索軟體的方法,該方法是建置在 Windows 的 minifilter driver 上,因此勒索軟體很難繞過我們的偵測。
摘要(英) In recent years, ransomwares are prevalent and dangerous to users more and more. The target of ransomware is to intrude the user’s computer to encrypt files and force the user to pay money. Additionally, after paying a high ransom to the author of ransomware, the victim was not necessarily to get recovery key. Therefore, victims are to face a dilemma.
Although antivirus software can detect the attack of ransomware, it is due to the latest virus definitions. If a new virus appears and the virus definitions are out of date, user’s computer may suffer the threat of ransomware. Thus, it is important to protect the user’s computer during virus window period.
In order to resist the attack of ransomware, we propose a method to detect process whose actions are similar to the actions of ransomware. Because the method proposed is based on Windows minifilter driver, ransomware is hard to bypass the detection of our method.
After catching ransomware-like process, our system would take care user’s computer, such as terminate the process, whitelist the process. Furthermore, when users choose to terminate the program, our system will restore the files changed by the process.
關鍵字(中) ★ 勒索軟體
★ minifilter
★ Windows 驅動
關鍵字(英) ★ Ransomware
★ minifilter
★ Windows driver
論文目次 目錄
摘要 i
Abstract ii
目錄 iii
圖目錄 iv
表目錄 v
第 1 章 緒論 1
第 2 章 背景介紹 4
2.1 Ransomware 4
2.2 Windows Device Driver 7
2.3 Windows Minifilter Driver 10
第 3 章 相關研究 14
第 4 章 系統設計與實作 16
4.1 偵測原理 17
4.2 偵測程式 18
4.2.1 Callback Routine of Create 19
4.2.2 Callback Routine of Write 21
4.3 Backup Files 25
4.4 Protect Files 26
4.5 Recover Files 27
4.6 Whitelist Process 27
4.7 Terminate Process 28
第 5 章 效能分析 29
5.1 實驗環境 29
5.2 測試案例 30
5.3 效能評估 31
第 6 章 討論 34
6.1 準確率 34
6.2 限制 34
第 7 章 結論 36
7.1 貢獻 36
7.2 未來研究 37
參考文獻 38

Fig. 1‑1: 使用者遇到勒索軟體至少一次的數量 2
Fig. 1‑2: 我們針對勒索軟體提出的防禦方法 3
Fig. 2‑1: 中文的勒索訊息 6
Fig. 2‑2: 使用 driver 作為 OS 和 device 之間通訊的橋樑 7
Fig. 2‑3: 作業系統和裝置通訊透過多個 driver 8
Fig. 2‑4: 使用 software driver 通訊 9
Fig. 2‑5: 檔案的 I/O 經過 I/O Manager 及三個 minifilter driver傳送 11
Fig. 2‑6: Minifilter driver 註冊的流程 11
Fig. 3‑1: CryptoWall proxy 的地理位置 15
Fig. 4‑1: RGuard 的系統架構 16
Fig. 4‑2: Ransomware 的偵測方法 18
Fig. 4‑3: I/O operation 的註冊 19
Fig. 4‑4: Create operation 的偵測流程 20
Fig. 4‑5: Recursive I/O operation of create 21
Fig. 4‑6: Write operation 的偵測流程 22
Fig. 4‑7: Recursive I/O operation of write 24
Fig. 4‑8: 備份的時間差 24
Fig. 4‑9: 一個視窗去警告使用者 24
Fig. 4‑10: 索引的資料欄位 25
Fig. 4‑11: 拒絕訪問文件的方法 26
Fig. 4‑12: 拒絕訪問備份目錄 26
Fig. 4‑13: 還原檔案的通知訊息 27
Fig. 4‑14: 終止程式的流程 28
Fig. 5‑1: 不同性質的加密時間 31
Fig. 5‑2: 備份檔案占用的磁碟空間 32

Table 5‑1: 系統實驗環境 29
Table 5‑2: 測試案例的訊息 30
Table 5‑3: 勒索軟體的偵測 33
參考文獻 參考文獻
[1] Kaspersky Lab. KSN Report: Ransomware in 2014-2016 [Online]. Available: https://securelist.com/analysis/publications/75145/pc-ransomware-in-2014-2016/
[2] Wikipedia. Ransomware - Wikipedia, the free encyclopedia [Online]. Available: https://en.wikipedia.org/wiki/Ransomware
[3] A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, and E. Kirda, "Cutting the gordian knot: a look under the hood of ransomware attacks," in Detection of Intrusions and Malware, and Vulnerability Assessment, ed: Springer, 2015, pp. 3-24.
[4] M. M. Ahmadian, H. R. Shahriari, and S. M. Ghaffarian, "Connection-monitor & connection-breaker: A novel approach for prevention and detection of high survivable ransomwares," in Information Security and Cryptology (ISCISC), 2015 12th International Iranian Society of Cryptology Conference on, 2015, pp. 79-84
[5] D. Kim, W. Soh, and S. Kim, "Design of Quantification Model for Prevent of Cryptolocker," Indian Journal of Science and Technology, vol. 8, 2015.
[6] K. CABAJ, P. GAWKOWSKI, K. GROCHOWSKI, and D. OSOJCA, "Network activity analysis of CryptoWall ransomware," Przegląd Elektrotechniczny, vol. 91, pp. 201-204, 2015.
[7] Cindy Ng. The Complete Ransomware Guide [Online]. Available: https://blog.varonis.com/the-complete-ransomware-guide/
[8] TrendMicro. TrendLabs Security Intelligence BlogZCRYPT Crypto-ransomware Attacks Windows 7 and Later, Scraps Backward Compatibility - TrendLabs Security Intelligence Blog [Online]. Available: http://blog.trendmicro.com/trendlabs-security-intelligence/crypto-ransomware-attacks-windows-7-later-scraps-backward-compatibility/
[9] Joshua Cannell. A Look At Malware With Virtual Machine Detection | Malwarebytes Labs. [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2014/02/a-look-at-malware-with-virtual-machine-detection/
[10] Jeremy Kirk. CryptoWall ransomware variant has new defenses | PCWorld [Online]. Available: http://www.pcworld.com/article/2867132/cryptowall-ransomware-variant-has-new-defenses.html
[11] Wikipedia. Shadow Copy - Wikipedia, the free encyclopedia [Online]. Available: https://en.wikipedia.org/wiki/Shadow_Copy
[12] hasherezade. Look Into Locky Ransomware | Malwarebytes Labs [Online]. Available: https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
[13] TrendMicro. Using the Trend Micro Ransomware File Decryptor Tool [Online]. Available: http://esupport.trendmicro.com/solution/en-us/1114221.aspx
[14] Kaspersky. Ransomware Decryptor | Kaspersky Lab [Online]. Available: https://noransom.kaspersky.com/
[15] Microsoft. Choosing a driver model [Online]. Available: https://msdn.microsoft.com/en-us/library/windows/hardware/ff554652%28v=vs.85%29.aspx
[16] Microsoft. File System Filter Drivers [Online]. Available: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/file-system-filter-drivers
[17] Microsoft. Load Order Groups and Altitudes for Minifilter Drivers [Online]. Available: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers
[18] Microsoft. Allocated Altitudes [Online]. Available: https://msdn.microsoft.com/en-us/windows/hardware/drivers/ifs/allocated-altitudes
[19] L. Bridges, "The changing face of malware," Network Security, vol. 2008, pp. 17-20, 2008.
[20] X. Luo and Q. Liao, "Awareness Education as the key to Ransomware Prevention," Information Systems Security, vol. 16, pp. 195-202, 2007.
[21] A. Gazet, "Comparative analysis of various ransomware virii," Journal in computer virology, vol. 6, pp. 77-90, 2010.
[22] E. Jardine, "A Continuum of Internet-Based Crime: How the Effectiveness of Cybersecurity Policies Varies across Cybercrime Types," Research Handbook on Digital Transformations, edited by F. Xavier Olleros and Majlinda Zhegu. Edward Elgar, Northampton, MA, Forthcoming, 2015.
[23] M. Spagnuolo, F. Maggi, and S. Zanero, "Bitiodine: Extracting intelligence from the bitcoin network," in Financial Cryptography and Data Security, ed: Springer, 2014, pp. 457-468.
[24] K. Liao, Z. Zhao, A. Doupe, and G. J. Ahn, "Behind closed doors: measurement and analysis of CryptoLocker ransoms in Bitcoin," in 2016 APWG Symposium on Electronic Crime Research (eCrime), 2016, pp. 1-13.
[25] Lawrence Abrams. The Cerber Ransomware not only Encrypts Your Data But Also Speaks to You [Online]. Available: http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/
[26] zhanghaiyang9999. Visual Studio 2013開發 mini-filter driver step by step (5) - 讀寫文件 [Online]. Available: http://blog.csdn.net/zhanghaiyang9999/article/details/39033033
[27] utkusen. GitHub - utkusen/hidden-tear: an open source ransomware honeypot [Online]. Available: https://github.com/utkusen/hidden-tear
[28] VirusTotal. VirusTotal - Free Online Virus, Malware and URL Scanner. Available: https://www.virustotal.com/
[29] TrendMicro. Removing ransomware using the AntiRansomware Tool | Trend Micro. Available: https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105975.aspx
指導教授 許富皓(Fu-Hau Hsu) 審核日期 2016-7-18
推文 facebook   plurk   twitter   funp   google   live   udn   HD   myshare   reddit   netvibes   friend   youpush   delicious   baidu   
網路書籤 Google bookmarks   del.icio.us   hemidemi   myshare   

若有論文相關問題,請聯絡國立中央大學圖書館推廣服務組 TEL:(03)422-7151轉57407,或E-mail聯絡  - 隱私權政策聲明