Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/60060
Title: 自動化資安威脅情報萃取與知識本體產製 (Automated Extraction of Cyber Threat Intelligence and Its Ontology Generation)
Author: Chun-Dai Teng (鄧鈞岱)
Advisor: Yeali S. Sun (孫雅麗)
Keywords: Malware, Dependency Parser, Threat Action Extraction, Ontology, Execution Trace Analysis
Year of publication: 2020
Degree: Master
Abstract (translated from the Chinese): In recent years, most research on malware has started from a given malware sample, used sandbox technology to record its dynamic behavior, and analyzed the sequence of high-level function calls the sample makes in the system in order to understand what the malware actually does. This method has limitations, however: the volume of content is excessive, there is too much low-level detail, the analysis cost is high, and the presentation formats are inconsistent. Even the technical reports produced by the major information security companies face the same problems.
To trace the origins and course of a malware attack from a high-level, macroscopic perspective, one must fully understand the malware's behavioral characteristics and the system resources it touches. This research designs an automated threat intelligence extraction method that collects and analyzes the content of the attack event cases (Procedure Examples) recorded under each attack technique (Technique) of each attack tactic (Tactic) in the MITRE ATT&CK framework, extracts one or more malicious behaviors that identify that tactic and technique, and combines them with ontology, the approach used in philosophy to describe domain knowledge, to build a Threat Ontology that describes the techniques and intentions of malicious activity. With the threat ontology, the execution trace of a malware sample can be matched against the ontology and the malicious-activity information that corresponds between the two can be organized; finally, a TTP (Tactic, Technique, Procedure) technical summary report that is chronological, concrete and structured is produced, presenting the important activities the malware goes through during its life cycle.
The experimental results show that the threat ontology produced by the research pipeline can indeed provide both the concrete threats of low-level malware activity and high-level information about the malware life cycle, and demonstrate that it can be applied to the task of detecting malicious behavior in real malware samples, thereby quickly and efficiently providing threat intelligence that is easy for humans to interpret. This is helpful both for security managers who must grasp and communicate intelligence and for laypeople learning information security.
Abstract (English): In recent years, research on malware has mostly used a sandbox to make dynamic records and analyzed the trace log to understand the actual activity that malware performs, based on a given malicious executable sample. However, this approach has limitations, such as too much content, too detailed information, too high an analysis cost (time, manpower), different presentation formats, and so on. Technical reports generated by threat intelligence companies even face the same problem.
In order to explore the ins and outs of malware attacks from a high-level and macro perspective, it is necessary to fully understand the behavioral characteristics of malware and the system resources it contacts. This research designed an automated threat intelligence extraction method to analyze the technical and tactical content proposed in the MITRE ATT&CK framework. Then, we extract one or more attack event cases (procedure examples) and identify the malicious behavior of the attack strategy and method. When the extracted malicious behaviors are combined with the ontology, the threat ontology can be established to describe the attack methods and attempts. With the threat ontology, malicious activities corresponding to the malware's trace log can be found. Finally, we can produce the TTP (Tactic, Technique, Procedure) summary report. This report reflects the important processes of the malware during its life cycle, with characteristics including being time-sequential, specific, and structured.
The experimental results show that the threat ontology produced by the research process can indeed provide specific information about low-level malware activities and the high-level malware life cycle. In addition, the threat ontology has been proven to be applicable to malicious behavior detection of actual malware samples. In this way, it is possible to quickly and effectively provide easy-to-understand threat intelligence, which is helpful for security managers to collect and transmit information, and it is also conducive for ordinary people to acquire knowledge of cyber security.
URI: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/60060
DOI: 10.6342/NTU202003257
Full-text license: paid license
Appears in department: Department of Information Management

Files in this item:
File: U0001-1308202014501400.pdf (not authorized for public access), 4.8 MB, Adobe PDF