Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/49542

Full metadata record

DC field | Value | Language
dc.contributor.advisor | 孫雅麗 (Yeali S. Sun) |
dc.contributor.author | JHIH-CHENG HE | en
dc.contributor.author | 何智誠 | zh_TW
dc.date.accessioned | 2021-06-15T11:33:50Z | -
dc.date.available | 2022-08-31 |
dc.date.copyright | 2020-09-16 |
dc.date.issued | 2020 |
dc.date.submitted | 2020-08-13 |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/49542 | -
dc.description.abstract | In recent years the threat posed by malware targeting IoT devices has grown rapidly. Higher-end networked devices such as routers, smart TVs and IP cameras mostly run their internal software on Linux-based operating systems, so Linux system security and Linux malware research are receiving increasing attention. This thesis uses a behavior-based approach to analyse the behavior of Linux malware.
Since ARM, x86 and x86-64 are the three most common hardware architectures in today's IoT device market, this thesis develops a dynamic tracing system that supports all three. It provides a virtualised execution environment for malware, automatically traces large numbers of samples, and obtains the system call trace that each sample produces while executing on the system. After compiling an initial overview of the malicious behavior observed, the tracing environment is adjusted along several aspects of that overview so as to trigger as much malicious behavior as possible. Next, this thesis develops a behavior analysis system that automatically converts the system call trace representing the malware's behavior into a provenance-graph-based Attack Scenario Graph. Its nodes are the processes, files and network addresses the malware operates on, and its edges represent the actions a process takes on other objects, so that security analysts can quickly understand from the graph how the malware affects the system. This thesis also refers to the seven attack techniques listed in the MITRE ATT&CK Linux Matrix and designs, for each technique, mapping rules for labelling the Attack Scenario Graph, producing a Tactic & Technique Graph: nodes and actions in the graph that are detected as matching a technique are labelled with the technique ID and the tactic it belongs to, letting analysts interpret the malware's attack objectives and techniques at each stage from a higher-level perspective. Finally, this thesis applies the systems developed above to real Linux malware samples and discusses the malicious behavior they exhibit.
| zh_TW
dc.description.abstract | The security threat caused by malware targeting IoT devices has increased rapidly. Many devices such as routers, smart TVs and IP cameras run their applications on top of a Linux-based operating system. As a result, Linux-based security and malware analysis have become a critical research topic. This research adopts behavior-based analysis to study the behavior of Linux-based malware.
ARM, x86 and x86-64 are the three most common architectures in the IoT device market. This research develops a sandbox system that provides an execution environment and can automatically extract system call traces from malware samples. We also summarize an overview of malware behavior from different aspects and derive the sandbox environment setup that triggers the malware's malicious behavior as much as possible. After that, we develop a behavior analysis system that automatically transforms a system call trace into a provenance-graph-based representation called an Attack Scenario Graph. Nodes in the graph represent processes, files or IP addresses, and edges represent the actions a process takes on other objects. A security researcher can use this graph to get a quick overview of how the malware affects the system. In addition, this research uses the Linux attack matrix from MITRE ATT&CK to derive seven attack technique mapping rules. These rules automatically label nodes and edges in the graph with the technique and tactic used when their content matches the corresponding attack pattern. After this step, a security researcher can interpret the different stages of the malware's behavior from a high-level perspective. Finally, this research uses the two systems to study real Linux malware cases and illustrates the attack scenarios and behavior they generate.
| en
dc.description.provenance | Made available in DSpace on 2021-06-15T11:33:50Z (GMT). No. of bitstreams: 1
U0001-1208202012453800.pdf: 3097826 bytes, checksum: c148e97e13df4100889bd1465fd5d0ad (MD5)
Previous issue date: 2020
| en
dc.description.tableofcontents | Chapter 1 Introduction 1
1.1 Research Motivation 1
1.2 Research Objectives 3
Chapter 2 Background and Literature Review 5
2.1 Background 5
2.2 Literature Review 9
Chapter 3 Dynamic Linux Tracing System 11
3.1 Overview of the Tracing System 11
3.2 Tracing System Environment Setup 12
3.3 Information Recorded by the Tracing System 13
3.4 Malware Dataset 15
3.5 Evaluation of the Tracing Environment and Overview of Malicious Behavior 16
Chapter 4 Attack Scenario Analysis System 28
4.1 BACKDOOR Case Study 28
4.2 Automatic Attack Scenario Generation Module 32
4.3 Automatic Tactic and Technique Generation Module 40
4.4 GENERATION OF TECHNIQUE DESCRIPTION OF LIFE CYCLE 46
Chapter 5 ATTACK SCENARIO GRAPH Case Studies 49
5.1 BACKDOOR:DOFLOO 49
5.2 HEUR:BACKDOOR:TSUNAMI 50
5.3 HEUR:BACKDOOR:MIRAI 51
Chapter 6 Conclusion 52
References 53
dc.language.iso | zh-TW |
dc.subject | Provenance Graph | zh_TW
dc.subject | Malware | zh_TW
dc.subject | Linux system | zh_TW
dc.subject | Dynamic analysis | zh_TW
dc.subject | Attack scenario analysis | zh_TW
dc.subject | Malware | en
dc.subject | Provenance Graph | en
dc.subject | Attack Scenario Analysis | en
dc.subject | Dynamic Analysis | en
dc.subject | Linux | en
dc.title | Automated Attack Scenario Analysis for Linux-based Malware | zh_TW
dc.title | Attack Scenario Analysis for Linux-based Malware | en
dc.type | Thesis |
dc.date.schoolyear | 108-2 |
dc.description.degree | Master |
dc.contributor.oralexamcommittee | 陳俊良 (Jiann-Liang Chen), 李育杰 (Yuh-Jye Lee), 李漢銘 (Hahn-Ming Lee), 蕭舜文 (Shun-Wen Hsiao) |
dc.subject.keyword | Malware, Linux system, Dynamic analysis, Attack scenario analysis, Provenance Graph | zh_TW
dc.subject.keyword | Malware, Linux, Dynamic Analysis, Attack Scenario Analysis, Provenance Graph | en
dc.relation.page | 56 |
dc.identifier.doi | 10.6342/NTU202003071 |
dc.rights.note | Paid authorization (有償授權) |
dc.date.accepted | 2020-08-13 |
dc.contributor.author-college | College of Management | zh_TW
dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW
Appears in Collections: Department of Information Management

Files in this item:
File | Size | Format
U0001-1208202012453800.pdf (restricted, not publicly accessible) | 3.03 MB | Adobe PDF