NTU Theses and Dissertations Repository
Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/39521

Full metadata record

DC field | Value | Language
dc.contributor.advisor | 郭斯彥 (Sy-Yen Kuo) |
dc.contributor.author | Shih-Yao Dai | en
dc.contributor.author | 戴士堯 | zh_TW
dc.date.accessioned | 2021-06-13T17:30:41Z | -
dc.date.available | 2016-07-26 |
dc.date.copyright | 2011-07-26 |
dc.date.issued | 2011 |
dc.date.submitted | 2011-07-11 |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/39521 | -
dc.description.abstract | In the field of malware analysis, behavior-based detection and signature-based detection are two popular techniques. The information security industry, especially anti-virus vendors, has used signature-based techniques for years, but this approach has hit a bottleneck in detecting malware for which no signature exists. Behavior-based detection, on the other hand, has the potential to counter malware without a known signature when it is backed by an adequate behavior model; without such a model it can produce serious misjudgments, including classifying benign programs as dangerous or letting hostile programs onto the user's computer. Unfortunately, with attack techniques constantly evolving and growing more complex, and given the limitations of existing tools, the results produced so far are not sufficient to defeat modern malware. In this dissertation we extend the capabilities of a virtual machine to build a behavior-based malware analyzer that tracks every process running inside the virtual machine by analyzing CPU instructions, CPU register contents and memory contents; all collected information is stored in a relational database, from which useful information is later extracted with data mining techniques. We demonstrate the results of this technique through several experiments, including analysis of program packing behavior and tracing of a malvertising incident; these experiments show that our technique collects process behavior precisely. We are confident that the behavior-based malware analyzer platform we have built can provide analysts and automated analysis systems with a reliable behavior analysis platform. | zh_TW
dc.description.abstract | Behavior-based detection and signature-based detection are two popular approaches in malware (malicious software) analysis. The security industry, especially anti-virus vendors, has been using signature-based technologies for years; however, this approach can hardly identify unknown malware. On the other hand, behavior-based malware detection has the potential to identify unknown malware, and its accuracy relies on a sound behavior model; otherwise it would lead to high occurrences of false positives (malware is identified when in truth there is none) and/or false negatives (failing to observe a malware when in truth there is one). Unfortunately, with the increasing complexity of malware techniques and the limitations of existing automatic tools, the built behavior models are generally not sufficient for defeating modern malware. In this paper, we implement a behavior-based profiler on top of a virtual machine emulator (qemu) that captures all system processes and analyzes their CPU instructions, CPU registers and utilized memory. The captured information is stored in a relational database and data mining techniques are used. We demonstrate the breadth of the Holography platform's application by conducting several experimental test cases: a packed binary behavior analysis and a malvertising (malicious advertising) incident tracing. Both of these tasks are known to be difficult to analyze and investigate using existing methods. We demonstrate that precise behavior information could be easily obtained through the Holography platform. We feel confident that Holography can provide security researchers and automated systems with a reliable malicious software behavior analysis platform. | en
dc.description.provenance | Made available in DSpace on 2021-06-13T17:30:41Z (GMT). No. of bitstreams: 1; ntu-100-D93921014-1.pdf: 2814569 bytes, checksum: 50e1c38ad00f4baf6b8c17050cd5fd43 (MD5); Previous issue date: 2011 | en
dc.description.tableofcontents |
  Acknowledgements ... v
  Abstract ... vii
  Chinese Abstract ... ix
  1 Introduction ... 1
  1.1 Research Motivations ... 2
  1.2 Backgrounds ... 6
  1.3 Objectives and Organization ... 8
  2 Related Work ... 13
  2.1 In-the-System Technique ... 14
  2.1.1 Related Work on ASEP Monitoring ... 14
  2.1.2 MAPMon Tool Implementation ... 16
  2.1.3 MAPMon's Issue ... 25
  2.2 Out-of-the-System Technique ... 27
  2.3 Abnormal Behavior Models ... 28
  2.3.1 Malware Abstract Behavior Model ... 28
  2.3.2 Formal Notion of Abnormal Behavior Model ... 34
  2.4 Related Work on Malvertising ... 37
  2.4.1 Fireshark ... 38
  2.4.2 Wepawet ... 38
  2.4.3 Jsunpack ... 39
  2.4.4 Browsing DLL Hooking ... 39
  3 A Behavior-Based Profiler ... 41
  3.1 Overview of Holography ... 42
  3.2 Design and Implementation ... 45
  3.2.1 Spy Satellite ... 45
  3.2.2 Intelligence Agency ... 55
  3.2.3 Process Matrix ... 61
  3.2.4 Comparison with Other Analyzers ... 65
  4 Experiments ... 67
  4.1 Data Accuracy Evaluation ... 68
  4.2 Effectiveness Verification ... 76
  4.2.1 Packing Analysis ... 76
  4.2.2 Malvertising Tracking ... 88
  4.3 Efficiency Verification ... 104
  4.4 Discussion ... 104
  5 Conclusion and Future Works ... 107
  5.1 Conclusion ... 107
  5.2 Future Works ... 108
  Reference ... 109
  Appendix A MAPMon Intercepts Win32 API ... I
  Appendix B Malware List for MAPMon ... II
  Appendix C List of DLL Files ... V
  Appendix D Snippet of SysCallArgSizeVector ... VI
  Appendix E Log of Web Page "www.grumtree.com" ... VIII
dc.language.iso | en |
dc.subject | malvertising | zh_TW
dc.subject | virtual machine | zh_TW
dc.subject | malware analyzer | zh_TW
dc.subject | dynamic malware analysis | zh_TW
dc.subject | malware unpacking technique | zh_TW
dc.subject | malware analyzer | en
dc.subject | malvertising | en
dc.subject | malware unpacker | en
dc.subject | dynamic malware analysis | en
dc.subject | sandbox | en
dc.subject | virtual machine emulator | en
dc.title | A Malware Analyzer Based on an Innovative Behavior-Awareness Technique | zh_TW
dc.title | Malware Profiler Based on Innovative Behavior-Awareness Technique | en
dc.type | Thesis |
dc.date.schoolyear | 99-2 |
dc.description.degree | Doctorate |
dc.contributor.coadvisor | 黃彥男 (Yennun Huang) |
dc.contributor.oralexamcommittee | 王勝德 (Sheng-De Wang), 顏嗣鈞 (Hsu-chun Yen), 陳俊良 (Jiann-Liang Chen), 雷欽隆 (Chin-Laung Lei), 林其誼 (Chi-Yi Lin), 林振緯 (Jenn-Wei Lin), 陳英一 (Ing-Yi Chen) |
dc.subject.keyword | virtual machine, malware analyzer, dynamic malware analysis, malware unpacking technique, malvertising | zh_TW
dc.subject.keyword | virtual machine emulator, malware analyzer, sandbox, dynamic malware analysis, malware unpacker, malvertising | en
dc.relation.page | 118 |
dc.rights.note | Licensed for a fee |
dc.date.accepted | 2011-07-11 |
dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW
dc.contributor.author-dept | Graduate Institute of Electrical Engineering | zh_TW

Appears in collections: Department of Electrical Engineering

Files in this item:

File | Size | Format | Access
ntu-100-1.pdf | 2.75 MB | Adobe PDF | Not authorized for public access


Items in this system are protected by copyright, with all rights reserved, unless otherwise indicated in their copyright terms.

© NTU Library All Rights Reserved