以聚合技術改善系統呼叫為基礎之惡意程式行為偵測

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：145

、訪客IP：3.144.242.40

姓名

彭建福(Chien-Fu Peng) 查詢紙本館藏

畢業系所

資訊管理學系

論文名稱

以聚合技術改善系統呼叫為基礎之惡意程式行為偵測
(Using Aggregation Technology to Improve System Call Based Malware Behavior Detection)

相關論文

★ 應用數位版權管理機制於數位影音光碟內容保護之研究	★ 以應用程式虛擬化技術達成企業軟體版權管理之研究
★ 以IAX2為基礎之網頁電話架構設計	★ 應用機器學習技術協助警察偵辦詐騙案件之研究
★ 擴充防止詐欺及保護隱私功能之帳戶式票務系統研究-以大眾運輸為例	★ 網際網路半結構化資料之蒐集與整合研究
★ 電子商務環境下網路購物幫手之研究	★ 網路安全縱深防護機制之研究
★ 國家寬頻實驗網路上資源預先保留與資源衝突之研究	★ 以樹狀關聯式架構偵測電子郵件病毒之研究
★ 考量地區差異性之隨選視訊系統影片配置研究	★ 不信任區域網路中數位證據保留之研究
★ 入侵偵測系統事件說明暨自動增加偵測規則之整合性輔助系統研發	★ 利用程序追蹤方法關聯分散式入侵偵測系統之入侵警示研究
★ 一種網頁資訊擷取程式之自動化產生技術研發	★ 應用XML/XACML於工作流程管理系統之授權管制研究

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

惡意軟體(Malware) 是指具某些攻擊意圖的軟體，近年來惡意程式的大量增加，以及多型、模糊化、加密等惡意程式自我防護技術，使得傳統惡意程式靜態分析方式效果有所限制，因此目前許多研究著重在惡意程式的行為偵測。然而先前惡意程式行為偵測研究大部分以程序(process)為導向，意即只監控單一程序的行為，忽略了惡意程式可能利用多個共犯程序相互合作以完成其目的，甚至利用合法程序來掩飾本身的惡意行為。本研究提出以相依矩陣來記錄系統中所有程序的相依關係，並提出演算法偵測惡意程式由多個程序所共同產生自我複製、存活意圖等行為特徵，達到以聚合式多模組方法來關聯系統中所有程序，藉此以改善傳統惡意程式行為偵測的缺陷。我們在虛擬機器上執行惡意程式後利用微軟process monitor記錄系統中所有模組的行為，再以聚合技術偵測系統中是否有自我複製以及存活意圖等惡意行為特徵，本研究中實驗了140支惡意程，其中有11%惡意程式具有利用多模組來完成自我複製行為，在J.A.Mories以及V.Skormin等研究中將會對該類型惡意程式都會產生漏報，本研究採聚合偵測技術克服此缺點並成功偵測出此類型惡意程式，此外在惡意程式存活行為偵測改善了先前研究須採用白名單的缺點，降低了誤報的情形。

摘要(英)

Malware is one kind of software which has intention to attack computer systems. In recent years there has significant increase in the number of malware, in addition malware also use polymorphism, obfuscation and packing technologies to protect itself. For the above reason, the effect of traditional static malware detection technology is restricted, as a result in recent years many studies focused on dynamic malware detection technology. However most of the previous studies are process center oriented, which mean these studies only monitor one process’s behavior, ignoring the possibility of malware using multiple process to complete malicious intent, or control legal process to hide their malicious behavior. In this paper we propose the use of dependency structure matrix to record the behavior of all process in user’s system and also propose an algorithm to detect multiple process’s self-replication and survival behavior, find the relations of the system processes by using the aggregation technology to improve the detection rate of traditional dynamic malware detection. As an evaluation of our proposes system. We execute the malware samples in the virtual machine and using process monitor tool to recorded system processes, and then detect whether our system can detect the malware or not. Experimental results show that we can detect 11% malware used the multiple processes to complete malicious intent in the 140 malware samples, and improve the weakness of previous studies which must used white list to avoid false positive.

關鍵字(中)

★ 存活意圖
★ 惡意程式行為偵測
★ 系統呼叫
★ 自我複製

關鍵字(英)

★ survival intent
★ Behavioral detection of malware
★ system call
★ self-replication

論文目次

中文摘要 I
英文摘要 II
目錄 III
圖目錄 V
表目錄 VII
第一章緒論 1
1.1 研究背景 2
1.2 研究動機與目的 4
1.3 研究貢獻 7
1.4 章節架構 8
第二章相關研究 9
2.1惡意程式行為特徵之研究 9
2.2自我複製行為偵測之研究 10
2.3惡意程式存活意圖偵測之研究 14
2.4 小結 15
第三章聚合偵測技術 17
3.1 研究限制與考量 18
3.2惡意程式自我複製與存活意圖行為分析 18
3.3相依關係矩陣 23
3.4惡意程式自我複製行為偵測 26
3.5惡意程式存活意圖偵測 31
第四章實驗結果分析 33
4.1 實驗架構和流程 33
4.2事前訓練實驗分析 35
4.3自我複製行為偵測實驗分析 39
4.4效能分析 41
4.5實驗結果與商業軟體比較 42
第五章結論與未來研究 48
5-1 研究結論與貢獻 48
5-2 未來研究 49
參考文獻 50

參考文獻

[ACK 2007] Moser, A., Kruegel, C., and Kirda, “Exploring Multiple Execution Paths for Malware Analysis.” In IEEE Symposium on Security and Privacy, Oakland, 2007.
[ESK 2011]EGELE, M., SCHOLTE, T., KIRDA, E., KRUEGEL, C., “A Survey on automated dynamic malware analysis techniques and tools”, ACM Computing Surveys ,2011.
[KREB 2007]Krebs, B., “Mpack exploit tool slips through security holes.” The malwareWashington Post, June 2007.
[KASP 2002] Kaspersky Corporation,”Attempts to infect users’ computers increase by ver25%.”
,2011.http://www.kaspersky.com/reading_room?chapter=207717258
[SYMA 2010] Symantec Corporation, “Symantec Global Internet Security Threat Report, Volume 16” 2010.http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
[SYMA 2011] Symantec Corporation, “Symantec Global Internet Security Threat Report , Volume 16”, 2011.http://www.symantec.com/business/threatreport/index.jsp
[HZD 2008] Heng, Y., Zhenkai, L., Dawn, S.. “HookFinder: Identifying and understanding malware hooking behaviors.” , In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08), February 2008.
[VASU 2008] Vasudevan, A., “MalTRAK_Tracking and Eliminating Unknown Malware,” in Proceedings of Computer Security Applications Conference , pp.: 311 - 321, 2008.
[ALSA 2008] Alsagoff, S., “Malware Self Protection Mechanism” Information Technology, 2008. ITSim 2008. International Symposium on 3, pp.:1-8, 2008 .
[LBK 2008] Lanzi, A.,Balzarotti,D., Kruegel,C., “AccessMiner: Using system-centric models for malware protection” In: Proceedings of the 17th ACM conference on Computer and communications security, ACM (2010) pp.:399–412 ,2010.
[KCK 2009] Kolbitsch, C., Comparetti, PM., Kruegel, C., “Effective and efficient malware detection at the end host,” In USENIX Security Symposium, Montr′eal, Canada, August 2009.
[MWCZ 2010] Miao, QG., Wang, Y., Cao, Y., Zhang, XG., “APICapture-A tool for monitoring the behavior of malware,” Proceedings of the 3rd International Conference on Advanced Computer Theory and Engineering, pp.: 390-394, August 2010.
[MCD 2010] Morales, J. A., Clarke, P. J., Deng. Y., “Identification of file infecting virus through detection of self-reference replication” Journal in Computer Virology,2010.
[MCD 2008] Morales, J. A., Clarke, P. J., Deng “Characterizing and detecting virus replication,” Proceedings of Third International Conference on Systems, Cancun, pp.. 214-219, 2008.
[SVS 2007] Skormin, V., Volynkin, A., Summerville, D., “Prevention of information attacks by run-time detection of self-replication in computer codes,” Journal in Computer Virology, 2010.
[EK 2007] Egele, M.,kruegel, E., “Dynamic spyware analysis,” In Proceedings of USENIX Annual Technical Conference, 2007.
[YSE 2007] Yin, H., Song, D., Egele, M., Kruegel,. “Panorama: capturing system-wide information flow for malware detection and analysis” Proceedings of the 14th ACM conference on Computer and communications security, pp.:116-127, 2007.
[WRV 2005] Wang, YM., Roussev, R., Verbowski, C.,“Gatekeeper: monitoring auto-start extensibility points(ASEPs) for Spyware management” In Proceedings of the 18th Large Installation System Administration Conference (LISA ’04), Atlanta, GA, November 2004.
[WWK 2008] Wu, M.W., Wang,Y.M., Kuo, S.Y.,“Self-Healing Spyware: Detection, and Remediation” Reliability, IEEE Transactions on, pp.: 588 – 596,2007.
[KAS 2010] Kaspersky Corporation, “Kaspersky Security Bulletin 2010. Statistics” http://www.securelist.com/en/analysis/204792162/Kaspersky_Security_Bulletin_2010_Statistics_2010.,2010
[SOPHOS 2010] W32/Krap http://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/Mal~Krap-I.aspx
[SOPHOS 2008] Troj/Lineag http://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/Troj~Lineag-DQ.aspx
[SOPHOS 2010] Mal/Katusha-A http://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/Mal~Katusha-A.aspx.
[FY 2010]Fukushima,Y.,Sakai,A. “A behavior based malware detection scheme for avoiding false positivet,” Proceedings of the 6th IEEE Secure Network Protocols (NPSec), pp.: 79 – 84,2010
[WPZ 2009] Wang, C., Pang, J., Zhao, R., “Using API Sequence and Bayes Algorithm to Detect Suspicious Behavior,”International Conference on Communication Software and Networks, 2009.
[TA 2001] Taylor. R. Browning, “Applying the design structure matrix to system decomposition and integration problems: a review and new directions” IEEE Transactions on Engineering management, pp.:292-306, 2001.
[BHB 2009] Bayer, U., Habibi, I ., Balzarotti., “A View on Current Malware Behaviors,” Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more,2009
[AV 2010] Alazab, M., Venkataraman , S., “Towards Understanding Malware Behaviour by the Extraction of API Calls,” IEEE/ACM Transactions on Networking, Volume 15, 2010.
[PM 2010] Process Monitor： http://technet.microsoft.com/en-us/sysinternals/bb896645.2010
[EVAD 2009] Evading userland hooks - problems w/hooking implementations, http://www.stanford.edu/∼stinson/paper notes/win dev/hooks/defeating hooks.txt
[KT 2009] Keong, T.C., AntiHookExec Version 1.0 (Anti API Hooking
　　　　Proof-Of-Concept), http://www.security.org.sg/code/antihookexec.html.
[VX 2010] VX Heaven. http://vx.netlux.org/,2010
[OC 2010] Offensive Computing, http://www.offensivecomputing.net/.
[PERF 2010] Perfmon ,http://technet.microsoft.com/en-us/library/bb490957.aspx
[KAS 2011] Kaspersky Corporation, “Monthly Malware Statistics, March 2011”,2011
[VT 2009] Virus total, http://www.virustotal.com/
[MD 2010] Troj/Mdrop-COH,Aliases：Trojan-GameThief.Win32.Magania.ddox
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Mdrop-COH.aspx
[CON 2010]SOPHOS： Mal/Conficker-A：
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Conficker-A/detailed-analysis.aspx
[SAL2010]SOPHOS： W32/00 Sality-AM
http://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/W32~Sality-AM.aspx
[CLAM 2010]ClamAV , http://www.clamav.net/lang/en/,2010.
[NOVA 2010]Nova Shield , http://www.novashield.com/.2010

指導教授

陳奕明(Yi-Ming Chen)

審核日期

2011-8-25

推文