Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/49542
Title: 自動化Linux-based惡意程式攻擊情境分析 (Attack Scenario Analysis for Linux-based Malware)
Author: JHIH-CHENG HE (何智誠)
Advisor: Yeali S. Sun (孫雅麗)
Keywords: Malware, Linux, Dynamic Analysis, Attack Scenario Analysis, Provenance Graph
Year of publication: 2020
Degree: Master's

Abstract (translated from the Chinese):

In recent years the threat posed by malware targeting IoT devices has grown rapidly. Higher-end networked devices such as routers, smart TVs and IP cameras mostly run their software on Linux-based operating systems, so Linux system security and Linux malware research have drawn increasing attention. This study uses a behavior-based approach to analyze the behavior of Linux malware. Because ARM, x86 and x86-64 are the three most common hardware architectures in today's IoT device market, this study develops a dynamic tracing (sandbox) system that supports all three. It provides a virtualized execution environment for malware, can automatically trace large numbers of samples, and captures the System Call Trace each sample produces while running. After a preliminary overview of the observed malicious behavior is compiled, the sandbox environment settings are adjusted along several aspects of that overview so as to trigger as much malicious behavior as possible. Next, this study develops a behavior analysis system that automatically converts the System Call Trace representing a sample's behavior into a Provenance Graph-based Attack Scenario Graph: nodes are the processes, files and network addresses the malware operates on, and edges are the actions a process performs on other objects, so that security personnel can use the graph to quickly understand the malware's impact on the system. This study also draws on seven attack techniques listed in the MITRE ATT&CK Linux Matrix and designs, for each technique, Mapping Rules that label the Attack Scenario Graph and produce a Tactic Technique Graph; nodes and actions detected as matching a technique are labeled with the technique's ID and the tactic it belongs to, allowing security personnel to interpret, at a higher level, the malware's attack goals and techniques at each stage of the graph. Finally, this study uses the systems developed above to examine real Linux malware samples and discuss the malicious behavior they produce.

Abstract (English):

Security threats caused by malware targeting IoT devices have increased rapidly. Many devices, such as routers, smart TVs and IP cameras, run their applications on top of Linux-based operating systems. As a result, Linux-based security and malware analysis has become a critical research topic. This research adopts behavior-based analysis to study the behavior of Linux-based malware. ARM, x86 and x86-64 are the three most common architectures in the IoT device market. This research develops a sandbox system that provides an execution environment and can be used to automatically extract system call traces from malware samples. We also summarize a malware behavior overview from different aspects and derive the sandbox environment setup that best triggers malicious behavior. After that, we develop a behavior analysis system that automatically transforms a system call trace into a provenance graph-based representation called an Attack Scenario Graph. The nodes of the graph represent processes, files or IP addresses, and the edges represent the actions a process takes on other objects. Security researchers can use this graph to get a quick overview of how the malware affects the system. In addition, this research uses the Linux attack matrix from MITRE ATT&CK to derive mapping rules for seven attack techniques. These rules automatically label nodes and edges on the graph with the technique and tactic used when their content matches the corresponding attack pattern. After this step, security researchers can interpret the different stages of malware behavior from a high-level perspective. Finally, this research uses the two systems to study real Linux malware cases and illustrates the attack scenarios and behavior they generate.

URI: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/49542
DOI: 10.6342/NTU202003071
Full-text license: Paid access
Department: Department of Information Management
Files in this item:

File | Size | Format
---|---|---
U0001-1208202012453800.pdf (currently not authorized for public access) | 3.03 MB | Adobe PDF
Items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.