Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/70785
Title: | Automated Generation and Semantic Analysis of System-state-change Activity Lifecycle of Malware Family |
Author: | Chu-Yun Hsueh 薛筑允 |
Advisor: | 孫雅麗 |
Keywords: | Malware Family, Malicious Behavior, Dynamic Analysis, Common Characteristics Extraction, Trajectory |
Publication Year: | 2018 |
Degree: | Master |
Abstract: | This thesis presents, in visual form, the common behaviors of a malware family that cause system state changes. First, malware samples are grouped into families using our proposed family classification algorithm. Next, different variants of a malware family are profiled with our high-level semantic profiling system, producing time-ordered sequences of high-level function calls that record the Windows API call name, arguments, and return value; each such sequence is called an execution trace. The execution traces of the family's variants are then fed into the Runtime API call sequence-based motif mining algorithm (the RasMMA behavior classification module) of our dynamic malware behavior analysis system, which clusters the execution behavior sequences so as to separate the behavioral diversity among variants of the same family; the result is the family's behavior forest. The profiles belonging to each behavior tree in the behavior forest are then input to the Global Sequence Alignment (GSA) execution-sequence analysis module of the same system to find the longest alignment combination. From the GSA result we obtain the behavior sequence that is identical across all variants (the 100% common behavior sequence), extract from it the sub-sequence that causes system state changes, and visualize that sub-sequence as a graph called the system-state-change resource manipulation trajectory. Finally, we give a semantic interpretation of the resulting trajectory graph, explaining how the malware family carries out its malicious intent, thereby providing an in-depth and clear account of the family's malicious activity, and we validate that account against antivirus vendors' published descriptions of the family's behavior. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/70785 |
DOI: | 10.6342/NTU201802729 |
Full-text Authorization: | Authorized for a fee |
Department: | Department of Information Management |
Files in This Item:
File | Size | Format
---|---|---
ntu-107-1.pdf (currently not authorized for public access) | 6.08 MB | Adobe PDF
Items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.