Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/74037
Full metadata record
DC field | Value | Language |
---|---|---|
dc.contributor.advisor | 孫雅麗(Yea-li Sun) | |
dc.contributor.author | Cheng-Hung Peng | en |
dc.contributor.author | 彭証鴻 | zh_TW |
dc.date.accessioned | 2021-06-17T08:17:36Z | - |
dc.date.available | 2022-08-19 | |
dc.date.copyright | 2019-08-19 | |
dc.date.issued | 2019 | |
dc.date.submitted | 2019-08-14 | |
dc.identifier.citation | [1] McAfee Labs Threats Report (2018). [Online]. Available: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-sep-2018.pdf
[2] PeStudio (2018). [Online]. Available: https://www.winitor.com/
[3] 010 Editor (2018). [Online]. Available: https://www.sweetscape.com/010editor/
[4] IDA Pro (2017). [Online]. Available: https://www.hex-rays.com/products/ida/index.shtml
[5] Cuckoo Sandbox (2018). [Online]. Available: https://cuckoosandbox.org/
[6] CWSandbox (2018). [Online]. Available: https://cwsandbox.org/
[7] H. Yin and D. Song, "TEMU: Binary code analysis via whole-system layered annotative execution," EECS Department, University of California, Berkeley, Tech. Rep. UCB/EECS-2010-3, 2010.
[8] F. Bellard, "QEMU, a fast and portable dynamic translator," in Proc. USENIX Annual Technical Conference (ATEC '05), USENIX Association, Berkeley, CA, USA, 2005, p. 41.
[9] M. Sebastián, R. Rivera, P. Kotzias, and J. Caballero, "AVclass: A tool for massive malware labeling," in Research in Attacks, Intrusions, and Defenses (RAID 2016), F. Monrose, M. Dacier, G. Blanc, and J. Garcia-Alfaro, Eds., Lecture Notes in Computer Science, vol. 9854, Springer, Cham, 2016.
[10] Q. Miao, J. Liu, Y. Cao, and J. Song, "Malware detection using bilayer behavior abstraction and improved one-class support vector machines," Int. J. Inf. Secur., vol. 15, no. 4, pp. 361-379, Aug. 2016. DOI: http://dx.doi.org/10.1007/s10207-015-0297-6
[11] W.-J. Chiu, "Automated Malware Family Signature Generation based on Runtime API Call Sequence," 2017.
[12] VirusTotal (2018). [Online]. Available: https://www.virustotal.com/
[13] CARO (Computer Antivirus Research Organization). [Online]. Available: http://www.caro.org/index.html
[14] Trend Micro USA Threat Encyclopedia, "WORM_BRONTOK.W." [Online]. Available: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_brontok.w
[15] S. Hsiao, Y. Chen, Y. Sun, and M. Chen, "A cooperative botnet profiling and detection in virtualized environment," in 2013 IEEE Conference on Communications and Network Security (CNS), 2013.
[16] C.-Y. Hsueh, "Automated Generation and Semantic Analysis of System-state-change Activity Lifecycle of Malware Family," 2017.
[17] Symantec, "Backdoor.Berbew Summary." [Online]. Available: https://www.symantec.com/security-center/writeup/2003-071616-0350-99
[18] Microsoft Docs, WinHttp. [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/api/winhttp/nf-winhttp-winhttpopen
[19] Microsoft Docs, CLSID Key. [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/com/clsid-key-hklm
[20] Microsoft Docs, Process & Threads API. [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessw
[21] Microsoft Docs, Registry API. [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regcreatekeya
[22] Microsoft Docs, API Requirements. [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regcreatekeya#requirements
[23] Microsoft Docs, CreateFile. [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea
[24] W. Han et al., "MalDAE: Detecting and explaining malware based on correlation and fusion of static and dynamic characteristics," Computers & Security, vol. 83, pp. 208-233, 2019.
[25] Y.-T. Huang, Y. Sun, M. Chen, S. Hsiao, Y.-Y. Chen, and C.-C. Yang, "Tagging Malware Intentions by Using Attention-Based Sequence-to-Sequence Neural Network," 2019.
[26] SecurityTracker, "Microsoft LSASS Service Buffer Overflow Lets Remote Users Execute Arbitrary Code With SYSTEM Privileges." [Online]. Available: https://securitytracker.com/id/1009751
[27] [Online]. Available: https://docs.microsoft.com/zh-tw/windows-server/identity/software-restriction-policies/determine-allow-deny-list-and-application-inventory-for-software-restriction-policies
[28] Critical Section Registry. [Online]. Available: https://kknews.cc/zh-tw/other/9l6r53j.html
[29] Microsoft Docs, Crypt32 registry. [Online]. Available: https://support.microsoft.com/zh-tw/help/2861596/sdp-3-df8807f4-2327-4c3b-94fa-c8d6c14c3db4-firewall-diagnostic
[30] Microsoft Docs, INFO: CreateFile() Using CONOUT$ or CONIN$. [Online]. Available: https://support.microsoft.com/zh-tw/help/90088/info-createfile-using-conout-or-conin
[31] MountPoints Description. [Online]. Available: https://www.techwalla.com/articles/how-to-delete-mountpoints2-with-regedit
[32] [Online]. Available: https://www.ithome.com.tw/news/94618
[33] Microsoft Intelligence, Berbew.I. [Online]. Available: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Berbew.I&threatId=-2147479346
[34] uxtheme.dll description. [Online]. Available: https://www.itsfun.com.tw/uxtheme.dll/wiki-3821486
[35] SystemSetupInProgress description. [Online]. Available: https://www.itprotoday.com/windows-78/inside-windows-nt-registry
[36] Input Method Manager. [Online]. Available: https://blog.csdn.net/mspinyin/article/details/6137709
[37] Process Library, msctfime.ime. [Online]. Available: https://www.processlibrary.com/en/directory/files/msctfime/237541/
[38] Registry - Explorer. [Online]. Available: http://mc-computing.com/WinExplorer/WinExplorerPolicyKey.htm
[39] CLSID Special Directory. [Online]. Available: http://t7yang.blogspot.com/2011/02/special-object-and-folder-in-windows.html
[40] Sophos Threat Analyses, "W32/Shodi-F." [Online]. Available: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Shodi-F/detailed-analysis.aspx
[41] Microsoft Docs, TCP/IP Registry. [Online]. Available: https://support.microsoft.com/zh-tw/help/314053/tcp-ip-and-nbt-configuration-parameters-for-windows-xp | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/74037 | - |
dc.description.abstract | In recent years the rate at which malware is produced has grown rapidly, and the threat it poses to individuals and enterprises keeps increasing. Understanding which attack techniques each malware sample uses during execution to reach its malicious goals directly benefits malware detection, defence, and subsequent malware analysis.
Anti-virus vendors try to convey to security experts and ordinary users, through labels, the type, platform, family, or variant of a piece of malware [5], so that users get an initial idea of its impact and threat. However, earlier work [3] showed that each vendor has its own labelling criteria and basis, and these are often inconsistent. Moreover, according to [11], even samples carrying the same label exhibit quite diverse behaviour, which shows that current labels lack semantic explanatory power. This thesis therefore proposes to examine each malware sample's execution sequence (a sequence of API call invocations) and to extract from it a series of staged execution activities (activity groups). After extracting the activity groups, we refer to the attack techniques of the MITRE ATT&CK framework to assign each activity group a semantic description tag, yielding a sequence of semantic description tags. This sequence clearly presents the intent of each execution stage and the purpose of the malware, thereby providing a deep and clear account of a malware family's malicious activity. | zh_TW |
dc.description.abstract | In recent years the rate of malware production has grown rapidly, and the threat to individuals and businesses has increased accordingly. Understanding the attack techniques malware uses to achieve its malicious purposes directly helps in detecting and defending against it.
Although anti-virus vendors try to convey the impact and threat of malware to security experts through labels, [3] pointed out that each anti-virus vendor has its own labelling criteria and basis, many of which are inconsistent. According to [11], malware samples carrying the same label still behave quite diversely, which indicates that current labels have no semantic explanatory power. This thesis therefore proposes to examine a sample's sequence of API call invocations and to extract a sequence of activity groups from that execution sequence. After extracting the activity groups, we refer to the attack techniques of the MITRE ATT&CK framework, assign each activity group one semantic description tag, and finally obtain a sequence of semantic description tags. Such a sequence clearly shows the execution intent of each stage of activity and the purpose of the malware, thereby providing a deep and clear description of the malware family's malicious activity. | en |
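The pipeline the abstract describes (API call trace, activity groups, one ATT&CK-derived semantic tag per group) as an added Python sketch. This is not the thesis's code: the trace is constructed, the handle-lineage grouping heuristic stands in for the thesis's activity-extraction algorithm, and the rule table that maps API patterns to ATT&CK technique IDs is this example's own assumption (the technique IDs themselves are real ATT&CK identifiers).

```python
"""Activity-group extraction and ATT&CK tagging over a Windows API call trace.

Added illustration; the grouping heuristic and the rule table are this
example's own assumptions, not the thesis's algorithm.
"""

# Constructed API call trace (not data from the thesis). Each record holds the
# API name, its arguments, and the handle the call returned (None if none).
# Handle-valued arguments follow the Win32 naming convention hXxx.
TRACE = [
    {"api": "WinHttpOpen", "args": {"agent": "Mozilla/4.0"}, "ret": "h_sess"},
    {"api": "WinHttpConnect", "args": {"hSession": "h_sess", "host": "203.0.113.7"}, "ret": "h_conn"},
    {"api": "WinHttpOpenRequest", "args": {"hConnect": "h_conn", "verb": "GET", "path": "/upd.bin"}, "ret": "h_req"},
    {"api": "WinHttpSendRequest", "args": {"hRequest": "h_req"}, "ret": None},
    {"api": "WinHttpCloseHandle", "args": {"hInternet": "h_req"}, "ret": None},
    {"api": "RegCreateKeyExA", "args": {"hKey": "HKEY_CURRENT_USER",
                                        "subKey": r"Software\Microsoft\Windows\CurrentVersion\Run"}, "ret": "h_key"},
    {"api": "RegSetValueExA", "args": {"hKey": "h_key", "name": "upd", "data": r"C:\Users\x\upd.exe"}, "ret": None},
    {"api": "RegCloseKey", "args": {"hKey": "h_key"}, "ret": None},
    {"api": "CreateProcessW", "args": {"cmd": r"C:\Users\x\upd.exe"}, "ret": "h_proc"},
]


def _is_handle_arg(name):
    # hSession, hKey, hRequest ... but not "host"
    return len(name) > 1 and name[0] == "h" and name[1].isupper()


def extract_activity_groups(trace):
    """Split the trace into activity groups by handle lineage (assumed heuristic):
    a call that consumes a handle returned by an earlier, still-open call joins
    that call's group; any other call starts a new group. Closing a handle
    retires it so a reused handle value cannot merge unrelated activity."""
    owner = {}   # open handle -> index of the group that produced it
    groups = []
    for rec in trace:
        consumed = [v for k, v in rec["args"].items() if _is_handle_arg(k) and v in owner]
        gid = owner[consumed[0]] if consumed else len(groups)
        if gid == len(groups):
            groups.append([])
        groups[gid].append(rec)
        if rec["ret"] is not None:
            owner[rec["ret"]] = gid
        if rec["api"] == "RegCloseKey" or rec["api"].endswith("CloseHandle"):
            for h in consumed:
                owner.pop(h, None)
    return groups


# Rule table mapping one activity group to one MITRE ATT&CK technique. The IDs
# are real ATT&CK identifiers; which API patterns map to which technique is not
# stated in the abstract, so these rules are assumed. The first matching rule
# wins, so the more specific Run-key rule precedes the generic registry rule.
RULES = [
    ("T1071.001", "Application Layer Protocol: Web Protocols",
     lambda apis, txt: any(a.startswith("WinHttp") for a in apis)),
    ("T1547.001", "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
     lambda apis, txt: any(a.startswith("RegSetValue") for a in apis) and "\\CurrentVersion\\Run" in txt),
    ("T1112", "Modify Registry",
     lambda apis, txt: any(a.startswith("RegSetValue") for a in apis)),
    ("T1106", "Native API",
     lambda apis, txt: any(a.startswith("CreateProcess") for a in apis)),
]


def tag_group(group):
    """Return (technique_id, technique_name) for one activity group."""
    apis = [r["api"] for r in group]
    txt = " ".join(str(v) for r in group for v in r["args"].values())
    for tid, name, pred in RULES:
        if pred(apis, txt):
            return tid, name
    return "untagged", "no rule matched"


def tag_trace(trace):
    """Full pipeline: trace -> activity groups -> sequence of semantic tags."""
    result = []
    for g in extract_activity_groups(trace):
        tid, name = tag_group(g)
        result.append({"technique": tid, "name": name, "apis": [r["api"] for r in g]})
    return result


if __name__ == "__main__":
    for i, t in enumerate(tag_trace(TRACE)):
        print(f"group {i}: {t['technique']} ({t['name']}): {' -> '.join(t['apis'])}")
```

On the constructed trace this yields three groups: the WinHTTP session (tagged T1071.001), the Run-key write (T1547.001), and the process launch (T1106). A group that no rule matches stays "untagged" rather than being forced into a technique, which is the honest answer when the mapping is incomplete.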
dc.description.provenance | Made available in DSpace on 2021-06-17T08:17:36Z (GMT). No. of bitstreams: 1 ntu-108-R06725041-1.pdf: 2560846 bytes, checksum: 161f4c6a253c19c032c963982e119524 (MD5) Previous issue date: 2019 | en |
dc.description.tableofcontents | Acknowledgements
Chinese Abstract
Abstract
Table of Contents
List of Figures
List of Tables
Chapter 1. Introduction
1.1 Research Motivation
1.2 Research Objectives
1.3 Research Issues
1.4 Research Contributions
Chapter 2. Background and Related Work
2.1 Background
2.2 Related Work
Chapter 3. Automated Malware Behavior Tagging Algorithm
3.1 Execution Trace Generation
3.2 Malicious Activity Extraction (Activity Extraction)
Chapter 4. Semantic Description for Activity Group
Chapter 5. Experiments
5.1 Experimental Data
5.2 Experiment 1: Evaluating the Activity Extraction Algorithm
5.3 Experiment 2: Investigation of Activity Groups
5.3.1 Malware Family: Berbew
5.3.2 Malware Family: Ludbaruma
5.3.3 Malware Family: Shodi
Chapter 6. Conclusion
References
Appendix | |
dc.language.iso | zh-TW | |
dc.title | Automated Malware Tagging System | zh_TW |
dc.title | Automated Malware Tagging | en |
dc.type | Thesis | |
dc.date.schoolyear | 107-2 | |
dc.description.degree | Master | |
dc.contributor.oralexamcommittee | 陳孟彰(Meng-Chang Chen),李漢銘(Han-Ming Li),蕭舜文(Shun-Wun Hsiao) | |
dc.subject.keyword | Malware, Semantic description tag, Malicious intent, Malicious behavior, Dynamic analysis | zh_TW |
dc.subject.keyword | Malware, Semantic description tag, Malicious intent, Malicious behavior, Dynamic analysis | en |
dc.relation.page | 88 | |
dc.identifier.doi | 10.6342/NTU201903376 | |
dc.rights.note | Authorized for a fee | |
dc.date.accepted | 2019-08-14 | |
dc.contributor.author-college | College of Management | zh_TW |
dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
Appears in Collections: | Department of Information Management |
Files in This Item:
File | Size | Format | |
---|---|---|---|
ntu-108-1.pdf (not currently authorized for public access) | 2.5 MB | Adobe PDF |
Items in this repository are protected by copyright, with all rights reserved, unless otherwise indicated.