Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/77680
Title: | Malware Behavior Group Analysis (惡意軟體行為群體分析) |
Author: | Hsing-Yun Chen (陳星妘) |
Advisor: | Yea-Li Sun (孫雅麗) |
Keywords: | Malware, Family, Behavior Group, Sequence Alignment, Common characteristics extraction, Differentiated behaviors identification |
Year: | 2017 |
Degree: | Master |
Abstract: | A malware family consists of many variants, most of which are produced with obfuscation techniques so that they perform similar dynamic behavior while evading malware detection. Identifying the family of a first-seen malware sample therefore provides strong clues for mitigating the threat, and understanding how a malware family evolves and develops is critical for identifying its members.

This study first uses the profiling system developed in our previous work, a high-level semantic profiling system built on virtual machine introspection. It hooks Windows API calls and records their names, parameters and return values, producing for each sample a time-ordered Windows API call sequence (an execution trace) that serves as the profile of that sample's behavior. Second, we analyze the resulting execution traces with a clustering algorithm and sequence analysis algorithms that we developed: they group malware behaviors into behavior groups and automatically extract the common motifs (sequences of API calls) of each group as the group's characteristic, as well as the unique characteristics of each behavioral variant. Furthermore, we introduce def-use chain analysis to visualize and explain how the malicious behavior accesses and uses important resources. Finally, we identify the behavior groups that compose each malware family, so that when a previously unknown suspicious Windows program appears, its behavior can be profiled, matched against the earlier analysis results, classified and analyzed; this forms the basis of an automatic malware detection system.

The proposed methods and system design yield deeper behavior analysis reports and simplify the malware analysis process, supporting malware forensics that investigate the design and purpose of a sample. Experiments in the later chapters demonstrate that the proposed methods effectively complement existing malware analysis tools. In future work, the proposed methods will be developed into an automatic malware detection system to counter obfuscation attacks and malware variants. |
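The clustering and motif-extraction pipeline sketched in the abstract, as an added illustration that is not part of the thesis or of its profiling system: it uses longest-common-subsequence alignment over API call traces (a global alignment with match score 1 and no gap or mismatch penalty; this scoring is an assumption, since the page does not state the thesis's own alignment scheme), single-linkage clustering on the normalized alignment score, progressive alignment to extract each behavior group's common motif, and a multiset difference to report the calls that differentiate one variant from its group. The sample names, the five traces and the 0.6 threshold are constructed for the example; a real profile would also carry parameters and return values, which are omitted here.

```python
"""Behavior-group analysis over Windows API call traces (added example).

Pipeline: pairwise sequence alignment -> single-linkage clustering ->
common motif per group -> per-variant differentiating calls.
"""
from collections import Counter
from itertools import combinations

# Constructed sample traces (not from the thesis). Each trace is the
# time-ordered list of hooked API call names for one sample.
TRACES = {
    "sample_a": ["CreateFileW", "WriteFile", "CloseHandle", "RegOpenKeyExW",
                 "RegSetValueExW", "RegCloseKey", "CreateProcessW"],
    "sample_b": ["GetTempPathW", "CreateFileW", "WriteFile", "CloseHandle",
                 "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey",
                 "CreateProcessW"],
    "sample_c": ["CreateFileW", "WriteFile", "Sleep", "CloseHandle",
                 "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey",
                 "CreateProcessW", "ExitProcess"],
    "sample_d": ["WSAStartup", "socket", "connect", "send", "recv",
                 "closesocket"],
    "sample_e": ["WSAStartup", "socket", "connect", "send", "recv", "recv",
                 "closesocket"],
}


def align(a, b):
    """Longest common subsequence of two call sequences.

    Global alignment with match = 1 and no mismatch or gap penalty (an
    assumption for this example). Returns the aligned calls in trace order.
    """
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            if a[i] == b[j]:
                score[i + 1][j + 1] = score[i][j] + 1
            else:
                score[i + 1][j + 1] = max(score[i][j + 1], score[i + 1][j])
    # Trace back through the score matrix to recover the aligned motif.
    i, j, motif = n, m, []
    while i and j:
        if a[i - 1] == b[j - 1]:
            motif.append(a[i - 1])
            i, j = i - 1, j - 1
        elif score[i - 1][j] >= score[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return motif[::-1]


def similarity(a, b):
    """Alignment length normalized by the longer trace (1.0 = identical)."""
    return len(align(a, b)) / max(len(a), len(b))


def cluster(traces, threshold=0.6):
    """Single-linkage clustering: samples whose pairwise similarity reaches
    the threshold are merged into one behavior group (union-find)."""
    parent = {name: name for name in traces}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for x, y in combinations(traces, 2):
        if similarity(traces[x], traces[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for name in traces:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def common_motif(traces, members):
    """Progressively align the members of a group; what survives every
    alignment is the group's shared API-call motif."""
    motif = traces[members[0]]
    for name in members[1:]:
        motif = align(motif, traces[name])
    return motif


def variant_specific(trace, motif):
    """Calls of one variant that the group motif does not account for,
    counted as a multiset so a repeated call (e.g. an extra recv) shows up."""
    extra = Counter(trace) - Counter(motif)
    out = []
    for call in trace:
        if extra[call] > 0:
            out.append(call)
            extra[call] -= 1
    return out


if __name__ == "__main__":
    for group in cluster(TRACES):
        motif = common_motif(TRACES, group)
        print("behavior group:", group)
        print("  common motif :", " -> ".join(motif))
        for name in group:
            print(f"  {name} specific:", variant_specific(TRACES[name], motif))
```

With these traces the file-drop-plus-persistence samples (a, b, c) and the network samples (d, e) fall into two behavior groups; the motif of the first group is the seven-call sequence shared by all three, and the per-variant output exposes the obfuscation-style padding (GetTempPathW, Sleep, ExitProcess) that the motif strips away.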
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/77680 |
DOI: | 10.6342/NTU201703930 |
Full-text access: | Not authorized |
Appears in collections: | Department of Information Management |
Files in this item:
File | Size | Format |
---|---|---|
ntu-106-R04725007-1.pdf (not yet authorized for public access) | 3.65 MB | Adobe PDF |
Items in this system are protected by copyright, with all rights reserved, unless otherwise indicated.