Please use this identifier to cite or link to this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/15556
Full metadata record
DC Field | Value | Language
dc.contributor.advisor | 蔡益坤
dc.contributor.author | Chi-Shiang Liu | en
dc.contributor.author | 劉啟祥 | zh_TW
dc.date.accessioned | 2021-06-07T17:47:53Z | -
dc.date.copyright | 2013-06-21
dc.date.issued | 2013
dc.date.submitted | 2013-06-03
dc.identifier.citation | [1] AV-TEST Statistics. http://www.av-test.org/en/statistics/malware/.
[2] Praktische Informatik 1's website. http://pi1.informatik.uni-mannheim.de/malheur/.
[3] Dana Angluin. Learning regular sets from queries and counterexamples. Inf. Comput., 75(2):87-106, 1987.
[4] Domagoj Babic, Daniel Reynaud, and Dawn Song. Malware analysis with tree automata inference. In CAV, pages 116-131, 2011.
[5] Guillaume Bonfante, Matthieu Kaczmarek, and Jean-Yves Marion. Architecture of a morphological malware detector. Journal in Computer Virology, 5(3):263-270, 2009.
[6] Yu-Fang Chen, Azadeh Farzan, Edmund M. Clarke, Yih-Kuen Tsay, and Bow-Yaw Wang. Learning minimal separating DFA's for compositional verification. In TACAS, pages 31-45, 2009.
[7] Frank Drewes. MAT learners for recognizable tree languages and tree series. Acta Cybern., 19(2):249-274, 2009.
[8] Hex-Rays. IDA Pro disassembler and debugger. http://www.hex-rays.com/idapro/.
[9] Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiaoyong Zhou, and XiaoFeng Wang. Effective and efficient malware detection at the end host. In Proceedings of the 18th USENIX Security Symposium, SSYM'09, pages 351-366, 2009.
[10] R. Linger, K. Sayre, T. Daly, and M. Pleszkoch. Function extraction technology: Computing the behavior of malware. In 44th Hawaii International Conference on System Sciences (HICSS), pages 1-9, January 2011.
[11] Lorenzo Martignoni, Elizabeth Stinson, and John C. Mitchell. A layered architecture for detecting malicious behaviors. In Symposium on Recent Advances in Intrusion Detection (RAID), pages 78-97, 2008.
[12] M. Sharif, A. Lanzi, J. Giffin, and Wenke Lee. Automatic reverse engineering of malware emulators. In 30th IEEE Symposium on Security and Privacy, pages 94-109, May 2009.
[13] Symantec. Symantec Internet Security Threat Report, Trends for 2010. http://www.symantec.com/business/threatreport/, 2010.
[14] Yi-Hsiung Wang. Malware analysis with 3-valued deterministic finite tree automata. Master's thesis, 2011.
[15] Carsten Willems, Thorsten Holz, and Felix Freiling. Toward automated dynamic malware analysis using CWSandbox. IEEE Security and Privacy, 5:32-39, 2007.
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/15556 | -
dc.description.abstract | Malware refers to programs with malicious intent; such programs may perform actions harmful to the user or the operating system. Common malware includes viruses, worms, trojans and spyware, and these are also the most serious security threats on the Internet. Using a malware detector is currently the most familiar way to detect malware. Detectors can be implemented with different analysis methods; the most basic and most popular is syntactic signature matching, which is also widely used in commercial products. This method, however, cannot effectively detect more advanced malware, because advanced malware evades the detector by changing the syntactic structure of the program. Yet even when a malware author changes the program's syntactic structure to evade detection, the semantics of the malware itself stays the same. Current research on malware detection is therefore directed mainly at semantics-based methods.
In this thesis we propose a semantics-centric malware analysis architecture that covers monitoring program execution, extracting semantic behaviors, and generating malware detectors. Most traditional malware analysis methods use strings as signatures. Trees can express more semantics than strings, so evolving signatures from strings to trees is only natural, and our architecture uses trees as signatures. First, we use a sandbox to monitor program execution and produce execution-trace reports; we then use the reports to build behavior dependency graphs and convert them into trees. Finally, a learning algorithm produces a 3-valued tree automaton, which serves as the malware detector. Our experimental results show that the prototype tool built on the proposed architecture is effective and has a low false-positive rate. | zh_TW
dc.description.abstract | Malware (or malicious software) refers to programs that have malicious intents and may perform harmful actions. Common malware includes viruses, worms, trojan horses, and spyware. They represent one of the most notorious security threats on the Internet. Using a malware detector is the most familiar method of defense against malware. Each malware detector has its own analysis method, and syntactic signature matching is the most basic and prevalent method used in commercial malware detectors. Unfortunately, this syntactic detection mechanism cannot cope effectively with advanced malware, which often uses program obfuscation to alter program structures and can therefore avoid detection easily. On the other hand, although malware writers can use obfuscation to evade syntactic malware detectors, the semantics of a malware instance is usually preserved after obfuscation. Semantics-based approaches have therefore become the main focus of research on malware analysis.
In this thesis, we propose a semantics-centric malware analysis architecture which includes monitoring of malware executions, extraction of semantic behaviors, and generation of malware detectors. Observing recently proposed methods for malware analysis, we notice that string signatures are still used widely. It is a natural evolution from strings to trees, which can exhibit more semantics than strings. Therefore, we adopt trees as signatures. First, we use a sandbox to monitor malware's execution and output reports of execution traces. We then use the execution traces to construct dependency graphs and convert them into trees. Finally, we use a learning algorithm to obtain a 3-valued deterministic finite tree automaton as a malware detector. Experimental results show that our analysis based on the proposed architecture is effective and has low false positives. | en
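The pipeline the abstract describes (sandbox trace to dependency graph, graph unfolded into trees, a 3-valued deterministic finite tree automaton as the detector), as an added Python example that is not code from the thesis. The trace format, the call names and the transition table are constructed for illustration; the automaton is hand-written rather than learned, so it stands in for the output of the learning step, and the choice to send undefined transitions to a don't-care state is this example's, not the thesis's.

```python
"""Toy pipeline: system-call trace -> data-dependency graph -> trees -> 3-valued DFTA."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Call:
    name: str
    out: Optional[str]   # object (handle/data) this call produces, None if none
    ins: List[str]       # objects this call consumes, in argument order


@dataclass
class Tree:
    label: str
    children: List["Tree"]


def parse_trace(text: str) -> List[Call]:
    """Parse constructed lines 'Name out=X in=A,B' (assumed format, not CWSandbox's)."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, out, ins = line.split()
        out_obj = out[len("out="):]
        in_objs = [x for x in ins[len("in="):].split(",") if x]
        calls.append(Call(name, None if out_obj == "-" else out_obj, in_objs))
    return calls


def dependency_graph(calls: List[Call]) -> List[List[int]]:
    """deps[i] lists the calls whose outputs call i consumes. Re-using an output name
    (a write that updates handle h2) rebinds the producer, so later consumers depend
    on the most recent writer rather than on the original creator."""
    producer: Dict[str, int] = {}
    deps: List[List[int]] = []
    for i, c in enumerate(calls):
        deps.append([producer[h] for h in c.ins if h in producer])
        if c.out is not None:
            producer[c.out] = i
    return deps


def graph_to_trees(calls: List[Call], deps: List[List[int]]) -> List[Tree]:
    """Unfold the DAG into one tree per sink (a call nothing consumes); a producer
    shared by two consumers is duplicated, which is what makes the result a tree."""
    def unfold(i: int) -> Tree:
        return Tree(calls[i].name, [unfold(p) for p in deps[i]])
    consumed = {p for ds in deps for p in ds}
    return [unfold(i) for i in range(len(calls)) if i not in consumed]


@dataclass
class ThreeValuedDFTA:
    delta: Dict[Tuple[str, Tuple[str, ...]], str]  # (symbol, child states) -> state
    accept: FrozenSet[str]                         # final states: known malicious
    reject: FrozenSet[str]                         # final states: known benign
    dont_care: str = "q_dc"                        # third value: no evidence either way

    def run(self, t: Tree) -> str:
        """Bottom-up run: a node's state is a function of its label and its children's
        states only. An undefined transition lands in the don't-care state (assumption)."""
        child_states = tuple(self.run(c) for c in t.children)
        return self.delta.get((t.label, child_states), self.dont_care)

    def classify(self, t: Tree) -> str:
        q = self.run(t)
        return "malicious" if q in self.accept else "benign" if q in self.reject else "unknown"


# Hand-written automaton (illustrative, not learned) for drop-and-execute: data read
# from one file is written into a newly created file, and a process is started from it.
DROP_AND_EXEC = ThreeValuedDFTA(
    delta={
        ("NtOpenFile", ()): "q_src",
        ("NtReadFile", ("q_src",)): "q_data",
        ("NtCreateFile", ()): "q_new",
        ("NtWriteFile", ("q_new", "q_data")): "q_dropped",
        ("NtCreateProcess", ("q_dropped",)): "q_exec",
    },
    accept=frozenset({"q_exec"}),
    reject=frozenset({"q_src", "q_data", "q_new", "q_dropped"}),
)


def classify_trace(text: str, aut: ThreeValuedDFTA = DROP_AND_EXEC) -> str:
    """Whole-trace verdict: malicious if any behaviour tree is accepted, unknown if any
    is undecided (or the trace is empty), benign only if every tree is rejected."""
    calls = parse_trace(text)
    verdicts = {aut.classify(t) for t in graph_to_trees(calls, dependency_graph(calls))}
    if "malicious" in verdicts:
        return "malicious"
    return "unknown" if ("unknown" in verdicts or not verdicts) else "benign"


# Constructed traces (not sandbox output).
DROPPER = "NtOpenFile out=h1 in=\nNtReadFile out=d1 in=h1\nNtCreateFile out=h2 in=\n" \
          "NtWriteFile out=h2 in=h2,d1\nNtCreateProcess out=p1 in=h2\n"
FILE_COPY = "NtOpenFile out=h1 in=\nNtReadFile out=d1 in=h1\nNtCreateFile out=h2 in=\n" \
            "NtWriteFile out=h2 in=h2,d1\n"
RUN_EXISTING = "NtOpenFile out=h1 in=\nNtCreateProcess out=p1 in=h1\n"

if __name__ == "__main__":
    for name, trace in [("dropper", DROPPER), ("copy", FILE_COPY), ("run", RUN_EXISTING)]:
        print(name, classify_trace(trace))
```

The three traces exercise the three values: the dropper reaches the accepting state, the plain file copy ends in a rejecting state, and running an already existing file hits a transition the automaton has no rule for, so it is reported as unknown rather than silently treated as benign. A learned detector would replace the `delta` table; everything else in the pipeline stays the same.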
dc.description.provenance | Made available in DSpace on 2021-06-07T17:47:53Z (GMT). No. of bitstreams: 1
ntu-102-R99725024-1.pdf: 2542820 bytes, checksum: 30f17d858ef442caead68bf83ef8899f (MD5)
Previous issue date: 2013 | en
dc.description.tableofcontents | 1 Introduction 1
1.1 Background 1
1.2 Motivation and Objectives 4
1.3 Thesis Outline 4
2 Related Work 6
2.1 Behavior Extraction 6
2.1.1 Toward Automated Dynamic Malware Analysis Using CWSandbox 6
2.1.2 Function Extraction Technology: Computing the Behavior of Malware 7
2.2 Malware Analysis with Executed System Calls 9
2.2.1 Effective and Efficient Malware Detection at the End Host 9
2.2.2 A Layered Architecture for Detecting Malicious Behaviors 11
2.3 Malware Analysis with Tree Automata 14
2.3.1 Architecture of a Morphological Malware Detector 14
2.3.2 Malware Analysis with Tree Automata Inference 16
3 Preliminaries 18
3.1 CWSandbox Trace 18
3.2 Finite Tree Automata 20
3.3 3-Valued Deterministic Finite Tree Automata 21
3.4 3-Valued Tree Automata Learning Algorithm 22
3.4.1 Learning Algorithm of Drewes 22
3.4.2 Tree Automata Learning Algorithm 25
4 Approach 27
4.1 Architecture 27
4.2 Behavior Extraction 28
4.3 Semantics Abstraction 31
4.4 Parsing 32
4.5 Tree Automata Learning 34
5 Implementation and Experiments 35
5.1 Implementation 35
5.2 Experiments 35
5.2.1 Experimental Results 38
6 Conclusion 47
6.1 Contributions 47
6.2 Further Work 48
Bibliography 50
dc.language.iso | en
dc.subject | 3-Valued Tree Automata | zh_TW
dc.subject | Malware Analysis | zh_TW
dc.subject | Malware Detector | zh_TW
dc.subject | Sandbox Monitoring | zh_TW
dc.subject | Malware Analysis | en
dc.subject | 3-Valued Tree Automata | en
dc.subject | Sandbox Monitoring | en
dc.subject | Malware Detector | en
dc.title | A Malware Analysis Architecture That Represents Semantics with Tree Automata | zh_TW
dc.title | A Semantics-Centric Architecture for Malware Analysis Based on Tree Automata | en
dc.type | Thesis
dc.date.schoolyear | 101-2
dc.description.degree | Master
dc.contributor.oralexamcommittee | 王柏堯, 陳郁方
dc.subject.keyword | Malware Analysis, Malware Detector, Sandbox Monitoring, 3-Valued Tree Automata | zh_TW
dc.subject.keyword | Malware Analysis, Malware Detector, Sandbox Monitoring, 3-Valued Tree Automata | en
dc.relation.page | 51
dc.rights.note | Not authorized (for public release)
dc.date.accepted | 2013-06-04
dc.contributor.author-college | College of Management | zh_TW
dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW
Appears in Collections: Department of Information Management

Files in This Item:
File | Size | Format
ntu-102-1.pdf (Restricted Access) | 2.48 MB | Adobe PDF