Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/87196
Full metadata record
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 雷欽隆 | zh_TW |
| dc.contributor.advisor | Chin-Laung Lei | en |
| dc.contributor.author | 蔡孟翰 | zh_TW |
| dc.contributor.author | Meng-Han Tsai | en |
| dc.date.accessioned | 2023-05-18T16:18:33Z | - |
| dc.date.available | 2023-11-09 | - |
| dc.date.copyright | 2023-05-10 | - |
| dc.date.issued | 2023 | - |
| dc.date.submitted | 2023-02-13 | - |
| dc.identifier.citation | J. J. George and D. E. Leidner, “From clicktivism to hacktivism: Understanding digital activism,” Inf. Org., vol. 29, no. 3, 2019. Art. no. 100249. S. Afroz, V. Garg, D. McCoy, and R. Greenstadt, “Honor among thieves: A common’s analysis of cybercrime economies,” in Proc. 8th IEEE APWG eCrime Res. Summit (eCRS), pp. 1–11, IEEE, 2013. I. Ghafir, V. Prenosil, M. Hammoudeh, F. J. Aparicio-Navarro, K. Rabie, and A. Jabban, “Disguised executable files in spear-phishing emails: Detecting the point of entry in advanced persistent threat,” in Proc. 2nd Int. Conf. Future Netw. Distrib. Syst. (ICFNDS), pp. 1–5, ACM, 2018. D. Bohannon and L. Holmes, “Revoke-obfuscation: Powershell obfuscation detection using science,” in Proc. Black Hat USA, pp. 1–20, FireEye, 2017. T. Kim, B. Kang, M. Rho, S. Sezer, and E. G. Im, “A multimodal deep learning method for android malware detection using various features,” IEEE Trans. Inf. Forensics Security, vol. 14, no. 3, pp. 773–788, 2018. Y. Shen and G. Stringhini, “ATTACK2VEC: Leveraging temporal word embeddings to understand the evolution of cyberattacks,” in Proc. 28th USENIX Secur. Symp., pp. 905–921, USENIX Association, 2019. S. Ndichu, S. Kim, and S. Ozawa, “Deobfuscation, unpacking, and decoding of obfuscated malicious javascript for machine learning models detection performance improvement,” CAAI Trans. Intell. Technol., vol. 5, no. 3, pp. 184–192, 2020. B. Mukherjee, L. T. Heberlein, and K. N. Levitt, “Network intrusion detection,” IEEE Network, vol. 8, no. 3, pp. 26–41, 1994. K.-C. Lee, C.-H. Hsieh, L.-J. Wei, C.-H. Mao, J.-H. Dai, and Y.-T. Kuang, “Secbuzzer: cyber security emerging topic mining with open threat intelligence retrieval and timeline event annotation,” Soft Comput., vol. 21, no. 11, pp. 2883–2896, 2017. L. Bilge, S. Sen, D. Balzarotti, E. Kirda, and C. Kruegel, “Exposure: A passive dns analysis service to detect and report malicious domains,” ACM Trans. Inf. Sys. Secur., vol. 16, no. 4, pp. 1–28, 2014. W. Tounsi and H. Rais, “A survey on technical threat intelligence in the age of sophisticated cyber attacks,” Comput. Secur., vol. 72, pp. 212–233, 2018. T. D. Wagner, K. Mahbub, E. Palomar, and A. E. Abdallah, “Cyber threat intelligence sharing: Survey and research directions,” Comput. Secur., vol. 87, 2019. Art. no. 101589. J. Grisham, S. Samtani, M. Patton, and H. Chen, “Identifying mobile malware and key threat actors in online hacker forums for proactive cyber threat intelligence,” in Proc. 2017 IEEE Int. Conf. Intell. Secur. Informatics (ISI), pp. 13–18, IEEE, 2017. S. Lee and T. Shon, “Open source intelligence base cyber threat inspection framework for critical infrastructures,” in Proc. 2016 Future Technol. Conf. (FTC), pp. 1030–1033, IEEE, 2016. X. Ma, J. Zhang, J. Tao, J. Li, J. Tian, and X. Guan, “Dnsradar: Outsourcing malicious domain detection based on distributed cache-footprints,” IEEE Trans. Inf. Forensics Security, vol. 9, no. 11, pp. 1906–1921, 2014. G. Zhao, K. Xu, L. Xu, and B. Wu, “Detecting apt malware infections based on malicious dns and traffic analysis,” IEEE Access, vol. 3, pp. 1132–1142, 2015. B. Rahbarinia, R. Perdisci, and M. Antonakakis, “Segugio: Efficient behavior-based tracking of malware-control domains in large isp networks,” in Proc. 45th Annu. IEEE/IFIP Int. Conf. Dependable Sys. Netw. (DSN), pp. 403–414, IEEE, 2015. B. Rahbarinia, R. Perdisci, M. Antonakakis, and D. Dagon, “Sinkminer: Mining botnet sinkholes for fun and profit,” in Proc. 6th USENIX Workshop Large-Scale Exploits Emergent Threats (LEET), 2013. M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster, “Building a dynamic reputation system for dns,” in Proc. 19th USENIX Secur. Symp. (USENIX Security 10), 2010. M. R. Smith, N. T. Johnson, J. B. Ingram, A. J. Carbajal, B. I. Haus, E. Domschot, R. Ramyaa, C. C. Lamb, S. J. Verzi, and W. P. Kegelmeyer, “Mind the gap: On bridging the semantic gap between machine learning and malware analysis,” in Proc. 13th ACM Work. Artif. Intell. Secur. (AISec), pp. 49–60, ACM, 2020. S. Kumar et al., “An emerging threat fileless malware: a survey and research challenges,” Cybersecurity, vol. 3, no. 1, pp. 1–12, 2020. F. Barr-Smith, X. Ugarte-Pedrero, M. Graziano, R. Spolaor, and I. Martinovic, “Survivalism: Systematic analysis of windows malware living-off-the-land,” in Proc. 42nd IEEE Symp. Secur. Privacy (SP), pp. 1557–1574, IEEE, 2021. D. Bohannon, “Invoke-obfuscation: Powershell obfusk8tion techniques & how to (try to) d””e‘tec‘t ’th’+’em’,” in Proc. DerbyCon, 2016. Accessed: Nov. 23, 2022. [Online]. Available: https://www.danielbohannon.com/blog-1/2016/9/25/invoke-obfuscation-public-release. D. Ugarte, D. Maiorca, F. Cara, and G. Giacinto, “Powerdrive: Accurate de-obfuscation and analysis of powershell malware,” in Proc. 16th Int. Conf. Detection Intrusions Malware, Vulnerability Assessment (DIMVA), pp. 240–259, Springer, 2019. J. White, Practical Behavioral Profiling of PowerShell Scripts through Static Analysis (Part 1 - Part 3). Palo Alto Networks, 2019. Accessed: Nov. 23, 2022. [Online]. Available: https://unit42.paloaltonetworks.com/practical-behavioral-profiling-of-powershell-scripts-through-static-analysis-part-1/. U. Alon, M. Zilberstein, O. Levy, and E. Yahav, “Code2vec: Learning distributed representations of code,” ACM Program. Lang., vol. 3, no. POPL, pp. 1–29, 2019. W. Wang, Y. Zhang, Y. Sui, Y. Wan, Z. Zhao, J. Wu, P. S. Yu, and G. Xu, “Reinforcement-learning-guided source code summarization using hierarchical attention,” IEEE Trans. Softw. Eng., vol. 48, no. 1, pp. 102–119, 2022. B. Gelman, B. Hoyle, J. Moore, J. Saxe, and D. Slater, “A language-agnostic model for semantic source code labeling,” in Proc. 1st Int. Work. Mach. Learn. Softw. Eng. Symbiosis (MASES), pp. 36–44, ACM, 2018. R. Wang, H. Zhang, G. Lu, L. Lyu, and C. Lyu, “Fret: Functional reinforced transformer with bert for code summarization,” IEEE Access, vol. 8, pp. 135591–135604, 2020. G. Tsoumakas and I. Katakis, “Multi-label classification: An overview,” Int. J. Data Warehousing Mining, vol. 3, no. 3, pp. 1–13, 2007. J. Qiu, J. Zhang, W. Luo, L. Pan, S. Nepal, Y. Wang, and Y. Xiang, “A3cm: automatic capability annotation for android malware,” IEEE Access, vol. 7, pp. 147156–147168, 2019. S. Mahdavifar, A. F. A. Kadir, R. Fatemi, D. Alhadidi, and A. A. Ghorbani, “Dynamic android malware category classification using semi-supervised deep learning,” in Proc. IEEE Int. Conf. Dependable, Autonomic and Secure Comput., Int. Conf. Pervasive Intell. Comput., Int. Conf. Cloud Big Data Comput., Int. Conf. Cyber Sci. Technol. Congr. (DASC/PiCom/CBDCom/CyberSciTech), pp. 515–522, IEEE, 2020. F. N. Ducau, E. M. Rudd, T. M. Heppner, A. Long, and K. Berlin, “Automatic malware description via attribute tagging and similarity embedding,” arXiv:1905.06262, 2019. Accessed: Nov. 23, 2022. D. Javaheri, P. Lalbakhsh, and M. Hosseinzadeh, “A novel method for detecting future generations of targeted and metamorphic malware based on genetic algorithm,” IEEE Access, vol. 9, pp. 69951–69970, 2021. J.-Y. Kim and S.-B. Cho, “Obfuscated malware detection using deep generative model based on global/local features,” Comput. Secur., vol. 112, 2022. Art. no. 102501. A. Rousseau, “Hijacking .net to defend powershell,” arXiv:1709.07508, 2017. Accessed: Nov. 23, 2022. M. Manna, A. Case, A. Ali-Gombe, and G. G. Richard, “Memory analysis of .net and .net core applications,” Forensic Sci. Int., Digit. Invest., vol. 42, 2022. Art. no. 301404. J. White, Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Palo Alto Networks, 2017. Accessed: Nov. 23, 2022. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/. G. Rusak, A. Al-Dujaili, and U.-M. O’Reilly, “Ast-based deep learning for detecting malicious powershell,” in Proc. 25th ACM SIGSAC Conf. Comput. Commun. Secur. (CCS), pp. 2276–2278, ACM, 2018. J. Song, J. Kim, S. Choi, J. Kim, and I. Kim, “Evaluations of ai-based malicious powershell detection with feature optimizations,” ETRI J., 2021. D. Hendler, S. Kels, and A. Rubin, “Detecting malicious powershell commands using deep neural networks,” in Proc. 13th Asia Conf. Comput. Commun. Secur. (AsiaCCS), pp. 187–197, ACM, 2018. D. Hendler, S. Kels, and A. Rubin, “Amsi-based detection of malicious powershell code using contextual embeddings,” in Proc. 15th Asia Conf. Comput. Commun. Secur. (AsiaCCS), pp. 679–693, ACM, 2020. X. Zhang, J. Zhao, and Y. LeCun, “Character-level convolutional networks for text classification,” in Proc. Adv. Neural Inf. Process. Syst. (NIPS), vol. 28, pp. 649–657, Curran Associates, Inc., 2015. Y. Fang, X. Zhou, and C. Huang, “Effective method for detecting malicious powershell scripts based on hybrid features,” Neurocomputing, vol. 448, pp. 30–39, 2021. M. Mimura and Y. Tajiri, “Static detection of malicious powershell based on word embeddings,” Internet Things, vol. 15, 2021. Art. no. 100404. S. Wu and U. Manber, “Fast text searching: allowing errors,” Commun. ACM, vol. 35, no. 10, pp. 83–91, 1992. Q. Le and T. Mikolov, “Distributed representations of sentences and documents,” in Proc. 31st Int. Conf. Mach. Learn. (ICML), vol. 32, pp. 1188–1196, JMLR.org, 2014. T. Ongun, J. W. Stokes, J. B. Or, K. Tian, F. Tajaddodianfar, J. Neil, C. Seifert, A. Oprea, and J. C. Platt, “Living-off-the-land command detection using active learning,” in Proc. 24th Int. Symp. Res. Attacks, Intrusions Defenses (RAID), pp. 442–455, ACM, 2021. S. Choi, “Malicious powershell detection using graph convolution network,” Appl. Sci., vol. 11, no. 14, 2021. Art. no. 6429. C. Liu, B. Xia, M. Yu, and Y. Liu, “Psdem: A feasible de-obfuscation method for malicious powershell detection,” in Proc. 23rd IEEE Symp. Comput. Commun. (ISCC), pp. 825–831, IEEE, 2018. Z. Li, Q. A. Chen, C. Xiong, Y. Chen, T. Zhu, and H. Yang, “Effective and light-weight deobfuscation and semantic-aware attack detection for powershell scripts,” in Proc. 26th ACM SIGSAC Conf. Comput. Commun. Secur. (CCS), pp. 1831–1847, ACM, 2019. M. Shashanka, M.-Y. Shen, and J. Wang, “User and entity behavior analytics for enterprise security,” in Proc. 4th IEEE Int. Conf. Big Data (BigData), pp. 1867–1874, IEEE, 2016. G. E. Hinton and R. R. Salakhutdinov, “Reducing the dimensionality of data with neural networks,” Science, vol. 313, no. 5786, pp. 504–507, 2006. B. Binde, R. McRee, and T. J. O’Connor, “Assessing outbound traffic to uncover advanced persistent threat,” SANS Institute. Whitepaper, vol. 16, 2011. X. Wang, K. Zheng, X. Niu, B. Wu, and C. Wu, “Detection of command and control in advanced persistent threat based on independent access,” in Proc. 2016 IEEE Int. Conf. Commun. (ICC), pp. 1–6, IEEE, 2016. A. Ramachandran and N. Feamster, “Understanding the network-level behavior of spammers,” in Proc. 2006 Conf. Appl. Technol. Architectures Protocols Comput. Commun., pp. 291–302, 2006. M. Kührer, C. Rossow, and T. Holz, “Paint it black: Evaluating the effectiveness of malware blacklists,” in Proc. Int. Workshop Recent Advances Intrusion Detection (RAID), pp. 1–21, Springer, 2014. R. Perdisci, I. Corona, and G. Giacinto, “Early detection of malicious flux networks via large-scale passive dns traffic analysis,” IEEE Trans. Dependable Secur. Comput., vol. 9, no. 5, pp. 714–726, 2012. S. M. Pontiroli and F. R. Martinez, “The tao of .net and powershell malware analysis,” in Proc. Virus Bull. Conf., pp. 1–26, 2015. A. G. Kakisim, M. Nar, and I. Sogukpinar, “Metamorphic malware identification using engine-specific patterns based on co-opcode graphs,” Comput. Standards Interfaces, vol. 71, 2020. Art. no. 103443. I. You and K. Yim, “Malware obfuscation techniques: A brief survey,” in Proc. 5th Int. Conf. Broadband, Wireless Comput., Commun. Appl. (BWCCA), pp. 297–300, 2010. M. Madou, B. Anckaert, P. Moseley, S. Debray, B. De Sutter, and K. De Bosschere, “Software protection through dynamic code mutation,” in Proc. 7th Int. Work. Inf. Secur. Appl. (WISA), pp. 194–206, Springer, 2006. F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion, O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V. Dubourg, et al., “Scikit-learn: Machine learning in python,” J. Mach. Learn. Res., vol. 12, pp. 2825–2830, 2011. H. Peng, L. Mou, G. Li, Y. Liu, L. Zhang, and Z. Jin, “Building program vector representations for deep learning,” in Proc. 8th Int. Conf. Knowl. Sci., Eng. Manage. (KSEM), vol. 9403, pp. 547–553, Springer, 2015. L. Mou, G. Li, L. Zhang, T. Wang, and Z. Jin, “Convolutional neural networks over tree structures for programming language processing,” in Proc. 13th AAAI Conf. Artif. Intell., pp. 1287–1293, AAAI, 2016. D. Rattan, R. Bhatia, and M. Singh, “Software clone detection: A systematic review,” Inf. Softw. Technol., vol. 55, no. 7, pp. 1165–1199, 2013. S. Ducasse, M. Rieger, and S. Demeyer, “A language independent approach for detecting duplicated code,” in Proc. 15th Int. Conf. Softw. Maintenance (ICSM), pp. 109–118, IEEE, 1999. T. Kamiya, S. Kusumoto, and K. Inoue, “Ccfinder: A multilinguistic token-based code clone detection system for large scale source code,” IEEE Trans. Softw. Eng., vol. 28, no. 7, pp. 654–670, 2002. I. D. Baxter, A. Yahin, L. Moura, M. Sant’Anna, and L. Bier, “Clone detection using abstract syntax trees,” in Proc. 14th Int. Conf. Softw. Maintenance (ICSM), pp. 368–377, IEEE, 1998. J. Krinke, “Identifying similar code with program dependence graphs,” in Proc. 8th Work. Conf. Reverse Eng. (WCRE), pp. 301–309, IEEE, 2001. J. Mayrand, C. Leblanc, and E. Merlo, “Experiment on the automatic detection of function clones in a software system using metrics,” in Proc. 12th Int. Conf. Softw. Maintenance (ICSM), vol. 96, pp. 244–253, IEEE, 1996. F. Deissenboeck, B. Hummel, E. Jürgens, B. Schätz, S. Wagner, J.-F. Girard, and S. Teuchert, “Clone detection in automotive model-based development,” in Proc. 30th Int. Conf. Softw. Eng., pp. 603–612, IEEE, 2008. R. Koschke, R. Falke, and P. Frenzel, “Clone detection using abstract syntax suffix trees,” in Proc. 13th Work. Conf. Reverse Eng. (WCRE), pp. 253–262, IEEE, 2006. L. Bergroth, H. Hakonen, and T. Raita, “A survey of longest common subsequence algorithms,” in Proc. 7th Int. Symp. String Process. Inf. Retrieval (SPIRE), pp. 39–48, IEEE, 2000. L. Yujian and L. Bo, “A normalized levenshtein distance metric,” IEEE Trans. Pattern Anal. Mach. Intell., vol. 29, no. 6, pp. 1091–1095, 2007. | - |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/87196 | - |
| dc.description.abstract | With the rapid development of the Internet, information security has become increasingly important. The growing trend of network attacks and malware poses a major threat to businesses and organizations. Cybercriminals exploit various network protocols to launch attacks, such as brute force and Distributed Denial-of-Service attacks, while hiding their malicious activities within seemingly harmless World Wide Web (WWW) and Domain Name System (DNS) traffic. Moreover, malware authors use obfuscation techniques and metamorphic engines to develop new generations of malware, leading to a notable increase in the number of malware samples and malicious scripts such as PowerShell commands (PSCmds). Given the serious security threats caused by network attacks and malware, how to categorize infected hosts, identify internal threats and recognize malware behavior for forensic analysis in a cost-effective and efficient manner is becoming a primary concern of businesses and organizations. On the other hand, emerging techniques such as Machine Learning (ML) and Deep Learning (DL) are gaining popularity and have recently demonstrated the potential to provide innovative solutions to information security challenges. In this dissertation, we leverage advances in machine learning algorithms and deep learning architectures to address the problems of network attack identification and malware behavior profiling. By combining machine learning or deep learning with Open-Source Intelligence (OSINT) and program analysis, we propose practical, automated methods that detect network attacks and malware behavior through cyber threat classification. Our proposed solutions aim to reduce the cost of identifying and handling security threats while also providing a deeper understanding of threat representations, thereby strengthening detection and allowing us to stay ahead of emerging threats. In the study of network attack identification, we propose two frameworks for identifying network attacks. The first framework categorizes infected hosts within a network using User and Entity Behavior Analytics (UEBA) and an autoencoder model; the autoencoder identifies network threats from a three-dimensional feature vector that combines the static service information and dynamic network activities of infected hosts. The second framework uses open-source threat intelligence from DNS sinkhole servers to correlate internal network log data and identify internal network threats. Both frameworks provide innovative methods for detecting and mitigating security threats in enterprise networks. In the study of malware behavior profiling, we propose a hybrid framework combining deep learning and program analysis for automated PowerShell command de-obfuscation and behavioral profiling (PowerDP). PowerDP exhibits superior performance both in classifying different obfuscation types using “character distribution features” and in detecting malicious behavior using “real-valued vector representations” of the Abstract Syntax Tree (AST). Security analysts can therefore use this automated mechanism to reveal the attack intent behind malware-derived PowerShell commands and streamline the malware and forensic analysis workflow. | zh_TW |
| dc.description.abstract | With the rapid growth of the Internet, cybersecurity has become increasingly important. The growing trend of network attacks and malicious software (malware) presents a significant threat to businesses and organizations. Cybercriminals employ various network protocols to launch attacks, such as brute force and Distributed Denial-of-Service (DDoS), while hiding their malicious activities in seemingly innocuous World Wide Web (WWW) and Domain Name System (DNS) traffic. In addition, the use of obfuscation techniques and metamorphic engines by malware authors has enabled the development of new malware generations, leading to a notable increase in the number of malware and scripts, e.g., PowerShell Commands (PSCmds). Given the severe cyber threats posed by network attacks and malware, cost-effectively categorizing network infections, identifying internal threats, and profiling malware behavior for forensic analysis are becoming primary concerns for businesses and organizations. On the other hand, emerging techniques such as Machine Learning (ML) and Deep Learning (DL) are gaining popularity and have recently demonstrated the potential to provide innovative solutions to cybersecurity challenges. In this dissertation, we have utilized the advances in machine learning algorithms and deep learning architectures to tackle the issues of identifying network attacks and profiling malware behavior. By combining ML/DL techniques with Open-Source threat Intelligence (OSINT) and program analysis, we have developed practical and automated methods to categorize network attacks and create malware behavioral profiles through cyber threat classification. Our proposed solutions aim to reduce the cost of identifying and responding to cyber threats while also providing a deeper understanding of threat representations for enhanced detection capabilities and enabling us to stay ahead of new threats. To identify network attacks, we propose two frameworks. The first framework uses User and Entity Behavior Analytics (UEBA) to categorize infections within a network by combining static service information and dynamic network activities from an infected host in a three-dimensional feature vector with an autoencoder model. The second framework uses OSINT from DNS sinkhole servers to correlate internal network logs and identify internal threats. These frameworks provide innovative approaches for detecting and mitigating cyber threats in corporate networks. In the field of malware behavior profiling, we introduce a hybrid framework combining DL and program analysis for automatic PowerShell De-obfuscation and behavioral Profiling (PowerDP). PowerDP achieves superior performance in classifying different obfuscation types using “character distribution features” and detecting malicious behaviors through “real-valued vector representations” from the Abstract Syntax Tree (AST). As a result, security analysts can use this automation mechanism to uncover the malicious intent behind malware-derived PSCmds and streamline the process of malware and forensics analysis. | en |
| dc.description.provenance | Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2023-05-18T16:18:33Z No. of bitstreams: 0 | en |
| dc.description.provenance | Made available in DSpace on 2023-05-18T16:18:33Z (GMT). No. of bitstreams: 0 | en |
| dc.description.tableofcontents | Oral Examination Committee Approval i Acknowledgements iii Chinese Abstract v Abstract vii Contents ix List of Figures xiii List of Tables xv Chapter 1 Introduction 1 Chapter 2 Preliminaries and Related Works 5 2.1 Threat Identification 5 2.1.1 Related Works 9 2.1.1.1 OSINT-based Threat Identification 9 2.1.1.2 DNS-based Threat Identification 10 2.2 Malware Analysis 11 2.2.1 Related Works 16 2.2.1.1 Detection of Malicious PowerShell 17 2.2.1.2 De-Obfuscation of Malicious PowerShell 19 Chapter 3 Network Attack Identification 21 3.1 Infection Categorization Using Deep Autoencoder 22 3.1.1 The Proposed Framework 23 3.1.1.1 System Overview 24 3.1.2 The Dataset 26 3.1.3 Experiments 27 3.1.4 Summary 30 3.2 Uncovering Internal Threats Based on Open-source Intelligence 31 3.2.1 The Proposed Framework 33 3.2.1.1 System Overview 34 3.2.2 The Dataset 37 3.2.3 Experiments 37 3.2.4 Summary 39 Chapter 4 Malware Behavior Profiling 41 4.1 De-Obfuscating and Profiling Malicious PowerShell Commands With Multi-Label Classifiers 42 4.1.1 The Proposed Framework 45 4.1.1.1 System Overview 45 4.1.1.2 De-Obfuscating PowerShell Commands 47 4.1.1.3 Profiling PowerShell Commands 51 4.1.2 The Dataset 54 4.1.3 Experiments 57 4.1.3.1 Evaluation Methodology 58 4.1.3.2 Evaluation Results 62 4.1.4 Summary 68 Chapter 5 Conclusions and Future Works 71 References 77 Appendix A - Examples of Obfuscated PowerShell Commands (PSCmds) 87 A.1 Compression 87 A.2 Encoding Scheme 87 A.3 Encoding Scheme with Helper Function 89 A.4 String Manipulation with Helper Function 89 | - |
| dc.language.iso | en | - |
| dc.subject | Network Security | zh_TW |
| dc.subject | Multi-label Classification | zh_TW |
| dc.subject | Abstract Syntax Tree | zh_TW |
| dc.subject | PowerShell De-obfuscation | zh_TW |
| dc.subject | Deep Learning | zh_TW |
| dc.subject | Machine Learning | zh_TW |
| dc.subject | User and Entity Behavior Analytics | zh_TW |
| dc.subject | User and Entity Behavior Analytics | en |
| dc.subject | Network Security | en |
| dc.subject | Multi-label Classification | en |
| dc.subject | Abstract Syntax Tree | en |
| dc.subject | Deep Learning | en |
| dc.subject | PowerShell De-Obfuscation | en |
| dc.subject | Machine Learning | en |
| dc.title | Automated Network Attack Identification and Malware Behavior Profiling Based on Cyber Threat Classification Techniques | zh_TW |
| dc.title | Automated Network Attack Identification and Malware Behavior Profiling Through Cyber Threat Classification | en |
| dc.type | Thesis | - |
| dc.date.schoolyear | 111-1 | - |
| dc.description.degree | Doctoral | - |
| dc.contributor.oralexamcommittee | 顏嗣鈞;王勝德;蕭旭君;鄧惟中;紀博文 | zh_TW |
| dc.contributor.oralexamcommittee | Hsu-chun Yen;Sheng-De Wang;Hsu-Chun Hsiao;Wei-Chung Teng;Po-Wen Chi | en |
| dc.subject.keyword | Network Security, User and Entity Behavior Analytics, Machine Learning, Deep Learning, PowerShell De-obfuscation, Abstract Syntax Tree, Multi-label Classification | zh_TW |
| dc.subject.keyword | Network Security, User and Entity Behavior Analytics, Machine Learning, Deep Learning, PowerShell De-Obfuscation, Abstract Syntax Tree, Multi-label Classification | en |
| dc.relation.page | 90 | - |
| dc.identifier.doi | 10.6342/NTU202300207 | - |
| dc.rights.note | Authorized for release (restricted to on-campus access) | - |
| dc.date.accepted | 2023-02-14 | - |
| dc.contributor.author-college | College of Electrical Engineering and Computer Science | - |
| dc.contributor.author-dept | Department of Electrical Engineering | - |
| Appears in Collections: | Department of Electrical Engineering | |
Files in This Item:
| File | Size | Format |
|---|---|---|
| ntu-111-1.pdf (access restricted to NTU campus IP addresses; off-campus users should connect through the NTU VPN service) | 2.18 MB | Adobe PDF |
All items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.
