Master's/Doctoral Thesis 107522038: Detailed Record




Author: Teng-Chuan Hsiao (蕭登銓)   Department: Department of Computer Science and Information Engineering
Thesis title: (COE: Anti-Virus for Fileless Malware)
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-Time Rootkit Detection System
★ A Detection and Defense Mechanism for Scam SMS Messages on Android Phones
★ SRA: A System That Defends Routers Against ARP Spoofing Hijacking
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-Time Counterattack System Against Remote Buffer Overflow Attacks
★ Real-Time Serum System: An Automated Worm-Curing System with an Offensive Firewall
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI: My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
Full text: available for browsing in the system after 2025-6-30
Abstract (Chinese, translated): Anti-virus software is an important part of protecting information security; it can effectively detect and remove malicious programs, and most traditional anti-virus software detects viruses with static-analysis, signature-based techniques. However, against new kinds of attack techniques, static analysis alone provides no protection. Traditional attacks first write the malware file to disk and then execute it to carry out its malicious behavior. Fileless malware is not as easy to detect as traditional malware: attackers use various techniques to hide the malicious program so that it never has to be written to disk and can instead execute directly in memory, thereby evading anti-virus detection. In this thesis we therefore propose a checking mechanism, named Check-on-Execute (COE). When a program is about to execute a piece of code located in a memory region that is both writable and executable, or a file that exists only in memory, COE suspends this unchecked execution and inspects its code. Based on the result of the inspection, COE then decides whether to allow the execution, preventing the system from being attacked by fileless malware.
Abstract (English): Anti-virus software is an important part of protecting information security, which can effectively detect and delete malicious programs, and most traditional anti-virus software uses static analysis (signature-based) technology to detect viruses. However, in the face of new types of attack methods, using only static analysis cannot provide protection.
  Traditional attack methods will first store the malware to disk, and then execute this malware to achieve its malicious behavior. Fileless malware is not as easily detected as traditional malware. Attackers will use various techniques to hide malicious programs, and the malware can be executed directly in memory without being written to disk first, so it can evade detection by anti-virus software.
  Therefore, in this paper, we propose a set of defense mechanisms, named Check-on-Execute (COE). When a program wants to execute a piece of code in a writable and executable memory area or an in-memory-only file, COE will suspend this unchecked execution and check its code. It then judges whether to allow execution based on the results of the check, to prevent the system from being attacked by fileless malware.
Keywords (Chinese, translated) ★ anti-virus software
★ fileless attack
★ dynamic analysis
★ memory analysis
Keywords (English) ★ anti-virus
★ fileless malware
★ dynamic analysis
★ memory analysis
Table of contents
Page
Abstract (Chinese) i
Abstract (English) ii
Acknowledgements iii
Table of Contents iv
List of Figures vi
Chapter 1 Introduction 1
Chapter 2 Background 2
2.1 Fileless Malware 2
2.2 How Fileless Malware Attacks Work 2
2.3 Examples of Fileless Malware Attacks 3
Chapter 3 Related Work 5
3.1 Static Analysis 5
3.2 Dynamic Analysis 6
3.3 Security Settings for Fileless Execution 6
Chapter 4 Design and Implementation 8
4.1 Design Principles 8
4.2 System Architecture 9
4.2.1 COE Code Extractor 10
4.2.2 COE Packer 12
4.2.3 COE Scanner 13
4.2.4 COE File Checker 14
4.3 System Flowcharts 15
4.3.1 COE Code Extractor Flowchart 15
4.3.2 COE File Extractor Flowchart 15
Chapter 5 Experimental Results and Analysis 17
5.1 Operation in Practice 17
5.1.1 Experimental Environment 17
5.1.2 COE Code Extractor Execution Screenshots 17
5.1.3 COE File Extractor Execution Screenshots 22
5.2 Evaluation of Defense Effectiveness 24
5.3 Resource Usage Evaluation 26
5.4 Scan Time Evaluation 28
Chapter 6 Discussion 30
6.1 Limitations 30
6.2 Future Work 30
Chapter 7 Conclusion 32
References 33
Advisor: Fu-Hau Hsu (許富皓)   Approval date: 2020-7-23

For questions about this thesis, contact the National Central University Library, Extension Services Section, TEL: (03)422-7151 ext. 57407, or by e-mail.