English  |  正體中文  |  简体中文  |  Items with full text/Total items : 75369/75369 (100%)
Visitors : 24799871      Online Users : 652
RC Version 7.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Tips:
  • please add "double quotation mark" for query phrases to get precise results
  • please goto advance search for comprehansive author search
  • Adv. Search
    HomeLoginUploadHelpAboutAdminister Goto mobile version

    Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/88337

    Title: APJudge: An AMSI-based Solution to Fileless Attacks
    Authors: 劉彥佑;Liu, Yen-Yu
    Contributors: 資訊工程學系在職專班
    Keywords: 無檔案攻擊;PowerShell;Antimalware Scan Interface;AMSI
    Date: 2022-06-09
    Issue Date: 2022-07-13 22:52:43 (UTC+8)
    Publisher: 國立中央大學
    Abstract: 惡意程式隨著攻擊手法不斷演進,逐漸從檔案類型惡意程式演變為搭配無檔案攻擊技術的惡意程式,為了防禦惡意程式攻擊,傳統防毒軟體大多是屬於檔案類型的掃描技術,透過資料庫中的特徵碼偵測檔案類型惡意程式,但無法有效應對無檔案惡意程式攻擊,例如Windows Office文件的巨集功能所提供的腳本指令,或使用Microsoft PowerShell系統管理工具,將惡意程式直接載入到記憶體執行,而不會將惡意程式以檔案形式存放在儲存裝置中,藉此躲避防毒軟體偵測,同時減少留在目標裝置中的足跡,而增加調查攻擊手法的困難度。因此我們提出一套基於Antimalware Scan Interface Provider的檢測機制APJudge,當PowerShell執行腳本指令載入惡意程式內容時,會攔截其內容並進行檢測,再依據檢測結果判斷是否為惡意程式,並終止惡意程式的執行,藉此防止無檔案惡意攻擊的威脅。;With the continuous evolution of attack techniques, malware has gradually evolved from file-based malware to fileless attacks. To defend against fileless malware, traditional antivirus software is generally file-based scanning techniques to detect file-based malware. However, they usually can’t effectively deal with fileless malware attacks, such as scripts in the macro of Windows Office documents, or the system administrator tool Microsoft PowerShell. Those attacks can execute malware in memory directly without the need to store the malware in a filesystem. Evade detection by antivirus software, and reduce the trace left on the target device to increase the difficulty of investigating fileless attacks. Therefore, we propose a detection mechanism APJudge based on Antimalware Scan Interface Provider. When PowerShell executes scripts to load malicious contents, it will intercept the contents and distinguish them between benign and malicious according to the detection result. Finally terminate the malicious process to prevent the threat of fileless malicious attacks.
    Appears in Collections:[資訊工程學系碩士在職專班 ] 博碩士論文

    Files in This Item:

    File Description SizeFormat

    All items in NCUIR are protected by copyright, with all rights reserved.

    社群 sharing

    ::: Copyright National Central University. | 國立中央大學圖書館版權所有 | 收藏本站 | 設為首頁 | 最佳瀏覽畫面: 1024*768 | 建站日期:8-24-2009 :::
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - 隱私權政策聲明