基於威脅分類技術之自動化網路攻擊識別與惡意程式行為分析

Abstract

隨著網際網路的快速發展，資訊安全已變得越來越重要。而網路攻擊和惡意程式日益增多之趨勢，則對企業和組織構成了重大威脅。網路罪犯利用各種網路協定發動攻擊，例如：暴力破解與分散式阻斷服務攻擊，同時將其惡意活動隱藏在看似無害的全球資訊網(WWW)與網域名稱系統(DNS)流量之中。此外，惡意程式作者利用混淆技術與變型引擎，開發新一代惡意程式，導致惡意程式和惡意腳本，例如：PowerShell指令(PSCmds)的數量顯著增加。鑑於網路攻擊和惡意程式造成的嚴重資安威脅，如何經濟實惠且有效地分類受駭主機、識別內部威脅及辨識惡意程式行為以進行鑑識分析正成為企業和組織的主要關注重點。

另一方面，新興技術如機器學習(ML)與深度學習(DL)越來越受歡迎，近期已證明具有提供創新解決方案以應對資訊安全挑戰之潛力。本論文中，我們利用機器學習演算法和深度學習架構之進步，解決網路攻擊識別和惡意程式行為分析等問題。通過將機器學習或深度學習結合開源威脅情報(OSINT)與程式分析，我們提出實用的自動化方法藉由威脅分類技術檢測網路攻擊和惡意程式行為。我們提出的解決方案旨在降低識別處理資安威脅之成本，同時還提供對威脅表徵之深入理解，進而強化檢測並使我們可領先於新興威脅。

在網路攻擊識別的研究中，我們提出兩個識別網路攻擊的框架。第一個框架透過使用者與實體行為分析(UEBA)以及自動編碼器(Autoencoder)模型，將網路內的受駭主機進行分類，自動編碼器模型通過結合受駭主機靜態服務資訊和動態網路活動的三維特徵向量來識別網路威脅。第二個框架則使用DNS沉洞伺服器(Sinkhole)的開源威脅情報來關聯內部網路日誌資料，以識別內部網路威脅。以上兩個框架皆提供了創新方法以檢測和減輕企業網路中的資安威脅。

在惡意程式行為分析的研究中，我們提出一個結合深度學習和程式分析的混合框架，用於自動化反混淆PowerShell指令與行為分析(PowerDP)。 PowerDP同時在使用「字元分布特徵」對不同混淆類型進行分類以及使用抽象語法樹(AST)的「實值向量表示」進行惡意行為檢測方面皆表現出優越的性能。因此，資安分析人員可以使用此自動化機制以揭露出惡意程式衍生的PowerShell指令背後的攻擊意圖，並簡化惡意程式與鑑識分析之流程。

With the rapid growth of the Internet, cybersecurity has become increasingly important. The growing trend of network attacks and malicious software (malware) presents a significant threat to businesses and organizations. Cybercriminals employ various network protocols to launch attacks, such as brute force and Distributed Denial-of-Service (DDoS), while hiding their malicious activities in seemingly innocuous World Wide Web (WWW) and Domain Name System (DNS) traffic. In addition, the use of obfuscation techniques and metamorphic engines by malware authors has enabled the development of new malware generations, leading to a notable increase in the number of malware and scripts, e.g., PowerShell Commands (PSCmds). Given the severe cyber threats posed by network attacks and malware, cost-effectively categorizing network infections, identifying internal threats, and profiling malware behavior for forensic analysis are becoming primary concerns for businesses and organizations.

On the other hand, emerging techniques such as Machine Learning (ML) and Deep Learning (DL) are gaining popularity and recently demonstrating the potential to provide innovative solutions to cybersecurity challenges. In this dissertation, we have utilized the advances in machine learning algorithms and deep learning architectures to tackle the issues of identifying network attacks and profiling malware behavior. By combining ML/DL techniques with Open-Source threat Intelligence (OSINT) and program analysis, we have developed practical and automated methods to categorize network attacks and create malware behavioral profiles through cyber threat classification. Our proposed solutions aim to reduce the cost of identifying and responding to cyber threats while also providing a deeper understanding of threat representations for enhanced detection capabilities and enabling us to stay ahead of new threats.

To identify network attacks, we propose two frameworks. The first framework uses User and Entity Behavior Analytics (UEBA) to categorize infections within a network by combining static service information and dynamic network activities from an infected host in a three-dimensional feature vector with an autoencoder model. The second framework uses OSINT from DNS sinkhole servers to correlate internal network logs and identify internal threats. These frameworks provide innovative approaches for detecting and mitigating cyber threats in corporate networks.

In the field of malware behavior profiling, we introduce a hybrid framework combining DL and program analysis for automatic PowerShell De-obfuscation and behavioral Profiling (PowerDP). PowerDP achieves superior performance in classifying different obfuscation types using “character distribution features” and detecting malicious behaviors through “real-valued vector representations” from the Abstract Syntax Tree (AST). As a result, security analysts can use this automation mechanism to uncover the malicious intent behind malware-derived PSCmds and streamline the process of malware and forensics analysis.