以創新行為感知技術為基礎之惡意程式分析器

Abstract

在惡意程式分析領域中，行為比對偵測技術及特徵比對偵測技術是兩種很受歡迎的技術。在資訊安全產業，由其是防毒軟體廠商，已經使用特徵比對技術數年，然而此技術在偵測不具特徵碼的惡意程式已經遇到瓶頸，但是另一方面，以行為為基礎的比對偵測技術若有充足的行為模型下，有潛力可以對抗不具特徵碼的惡意程式，但若無充足的行為模型作為後盾，將可能造成嚴重的誤判，其中包括把安全的程式誤認為危險的程式，或是讓有攻擊性的程式成功進入使用者電腦。很不幸的，隨著攻擊技術不斷推陳出新及越來越複雜，還有目前存在工具本身的限制，目前所產生的結果還不足以戰勝現代的惡意程式。在本篇論文中我們透過延伸虛擬機器的能力來建置一以行為為基礎的惡意程式分析器，此分析器透過分析中央處理單元的指令、中央處理單元中暫存器的內容及記憶體內容來追蹤執行於虛擬機器中的所有程序，這些所有搜集到的資訊都會被儲存於關聯資料庫中，爾後再透過資料探勘技術探取有用的資訊。我們藉由引導數個實驗來展示本技術的成果，其中包括程式加殼行為分析及惡意廣告事件追蹤，透過我們的試驗展示我們的技術可精確的收集到程序的行為。我們有信心我們所建置的以行為為基礎的惡意程式分析器平台可以提供分析人員及自動分析系統一個可靠的行為分析平台。

Behavior-based detection and signature-based detection are two popular approaches in malware (malicious software) analysis. The security industry, especially anti-virus vendors, has been using signature-based technologies for years; however this approach can hardly identify unknown malware. On the other hand, behavior-based malware detection has the potential to identify unknown malware and its accuracy relies on a sound behavior model; otherwise it would lead to high occurrences of false positives (malware is identified when in truth there is none) and/or false negatives (failing to observe a malware when in truth there is one). Unfortunately, with the increasing complexity of malware techniques and limitations of existing automatic tools, the built behavior models are generally not sufficient in defeating modern malware. In this paper, we implement a behavior-based profiler on top of a virtual machine emulator (qemu) that captures all system processes and analyzes their CPU instructions, CPU registers and utilized memories. The captured information is stored in a relational database and data mining techniques are used. We demonstrate the breadth of Holography platform application by conducting several experimental test cases: a packed binary behavior analysis and a malvertising (malicious advertising) incident tracing. Both of these tasks are known to be difficult to analyze and investigate using existing methods. We demonstrate that precise behavior information could be easily obtained through Holography platform. We feel confident that Holography can provide security researchers and automated systems with a reliable malicious software behavior analysis platform.