Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/70785

Full metadata record
DC field: value (language)
dc.contributor.advisor: 孫雅麗
dc.contributor.author: Chu-Yun Hsueh (en)
dc.contributor.author: 薛筑允 (zh_TW)
dc.date.accessioned: 2021-06-17T04:38:24Z
dc.date.available: 2023-08-15
dc.date.copyright: 2018-08-15
dc.date.issued: 2018
dc.date.submitted: 2018-08-07
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/70785
dc.description.abstract (zh_TW): This thesis presents, in visual form, the common behavior of a malware family that causes system state changes. First, malware samples are grouped into families using our proposed family classification algorithm. Next, the high-level semantic profiling system we developed profiles the different variants of a malware family, producing time-ordered sequences of high-level function calls, including the Windows API call name, parameters and return value, called execution traces. The execution traces of the variants are then fed into the Runtime API call sequence-based motif mining algorithm (the RasMMA behavior classification module) of the dynamic malware behavior analysis system, which clusters the execution behavior sequences so as to separate the behavioral diversity among variants of the same family; the result is the family's behavior forest. For each behavior tree in the behavior forest, the profiles belonging to that tree are fed into the Global Sequence Alignment (GSA) execution sequence analysis module of the dynamic malware behavior analysis system to find the longest alignment combination. From the GSA result we obtain the behavior sequences that are identical across all variants, extract from them the behavior sequences that cause system state changes, and present them visually as a system-state-change resource manipulation trajectory.
We then give a semantic interpretation of the resulting trajectory graph, explaining how the malware family carries out its malicious intent, providing an in-depth and clear account of the family's malicious activity, and validating it against the antivirus vendors' descriptions of the family's behavior.
dc.description.abstract (en): In this work, we aim to visualize the common behavior of a malware family that causes system state changes. First, we classify malware into families with the proposed family classification algorithm. Second, we use the high-level semantics profiling system to profile the different variants of a malware family, generating a time-ordered sequence for each variant, called an execution trace. Then, in order to differentiate the behavioral diversity among variants of the same malware family, we feed the execution trace of each variant to the Runtime API call sequence-based motif mining algorithm for behavior sequence clustering, producing the behavior forest of the malware family. For each behavior tree in the behavior forest, we feed all execution traces belonging to that tree to the Global Sequence Alignment (GSA) module to acquire the longest alignment combination. Finally, we obtain the 100% common behavior sequence from the GSA result, extract from it the sequence that causes system state changes, and visualize the behavior as a trajectory graph, called the system-state-change resource manipulation trajectory.
We also give a semantic explanation of the produced trajectory graph, expound the malicious intent of the malware family, provide an in-depth and clear illustration of its malicious activity, and verify the family's behavior against the descriptions published by antivirus companies.
dc.description.provenance (en): Made available in DSpace on 2021-06-17T04:38:24Z (GMT). No. of bitstreams: 1
ntu-107-R05725001-1.pdf: 6226025 bytes, checksum: 3f6554912c385fc7dc3137696ae24376 (MD5)
Previous issue date: 2018
dc.description.tableofcontents: Table of Contents
Acknowledgements
Chinese Abstract
Abstract
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
  Section 1 Research Motivation
  Section 2 Research Objectives
  Section 3 Research Contributions
Chapter 2 Literature Review
Chapter 3 Background
  Section 1 Dynamic Malware Analysis
  Section 2 Biological Sequence Algorithms
Chapter 4 System Architecture
  Section 1 VMI Profiling 2.0
  Section 2 Selected Parameters Filter
  Section 3 Dynamic Malware Behavior Analysis System
  Section 4 Restore Winnowing
  Section 5 APIs Filtering
  Section 6 Resource Extractor
  Section 7 Superposition
Chapter 5 In-depth Case Analysis
  Section 1 Experimental Data
  Section 2 Eggnog Family
  Section 3 Lydra Family
  Section 4 Almanahe Family
  Section 5 Berbew Family
  Section 6 Upatre Family
  Section 7 Ludbaruma Family
  Section 8 Shodi Family
Chapter 6 Conclusion
References
Appendix
dc.language.iso: zh-TW
dc.subject: Malware family (zh_TW)
dc.subject: Malicious behavior (zh_TW)
dc.subject: Dynamic analysis (zh_TW)
dc.subject: Common characteristics extraction (zh_TW)
dc.subject: Trajectory graph (zh_TW)
dc.subject: Trajectory (en)
dc.subject: Malware Family (en)
dc.subject: Malicious Behavior (en)
dc.subject: Dynamic Analysis (en)
dc.subject: Common characteristics extraction (en)
dc.title: Automated Generation and Semantic Analysis of Activity Trajectories of Malware Families Causing System State Changes (zh_TW)
dc.title: Automated Generation and Semantic Analysis of System-state-change Activity Lifecycle of Malware Family (en)
dc.type: Thesis
dc.date.schoolyear: 106-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 李漢銘, 李育杰, 蕭舜文, 陳孟彰
dc.subject.keyword: Malware family, Malicious behavior, Dynamic analysis, Common characteristics extraction, Trajectory graph (zh_TW)
dc.subject.keyword: Malware Family, Malicious Behavior, Dynamic Analysis, Common characteristics extraction, Trajectory (en)
dc.relation.page: 118
dc.identifier.doi: 10.6342/NTU201802729
dc.rights.note: Licensed for a fee
dc.date.accepted: 2018-08-08
dc.contributor.author-college: College of Management (zh_TW)
dc.contributor.author-dept: Graduate Institute of Information Management (zh_TW)
Appears in collections: Department of Information Management

Files in this item:
File / Size / Format
ntu-107-1.pdf, 6.08 MB, Adobe PDF (not authorized for public access)