Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/89984

Full metadata record

DC field: value [language]
dc.contributor.advisor: 孫雅麗 [zh_TW]
dc.contributor.advisor: Yea-Li Sun [en]
dc.contributor.author: 呂晟維 [zh_TW]
dc.contributor.author: Cheng-Wei Lu [en]
dc.date.accessioned: 2023-09-22T16:56:25Z
dc.date.available: 2023-11-09
dc.date.copyright: 2023-09-22
dc.date.issued: 2023
dc.date.submitted: 2023-08-11
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/89984
dc.description.abstract: Cyber threat intelligence (CTI) on malware, which records indicators of compromise (IoCs) and malicious activities, plays a critical role in detecting and responding to cyber threats. However, existing research rarely addresses the evaluation of textual reports, and the issues of evaluation aspect, automation and ground truth need to be resolved. In this thesis we introduce the concept of CTI document quality evaluation at the system-object and behaviour levels, carried out with quality metrics and a visual attack graph. Our evaluation system is objective, automated and efficient, and we demonstrate its pipeline, functionality and performance through case studies. In addition, we provide a new, well-organized dataset of CTI documents and a Syscall SynonymBase that bridges the semantic gap between Linux system calls and natural language. [zh_TW]
dc.description.abstract: Malware Cyber Threat Intelligence (CTI) reports, which record the Indicators of Compromise (IoCs) and malicious activities, play a crucial role in detecting and responding to cyber threats. Text report evaluation is an area rarely covered by existing research, and we need to overcome the evaluation-aspect issue, the automation issue and the ground-truth issue. In this paper, we introduce concepts for measuring the quality of an individual CTI document at the system-object and behavior levels with quality metrics and visual representations. Our evaluation system is objective, automated, and distinguished, and we demonstrate its pipeline, functionality, and effectiveness through case studies. We also contribute a new, well-sorted malware CTI document dataset and a Syscall SynonymBase that bridges the semantic gap between Linux system calls and natural language. [en]
dc.description.provenance: Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2023-09-22T16:56:25Z. No. of bitstreams: 0 [en]
dc.description.provenance: Made available in DSpace on 2023-09-22T16:56:25Z (GMT). No. of bitstreams: 0 [en]
dc.description.tableofcontents:
Acknowledgements i
Abstract (Chinese) iii
Abstract v
Contents vii
List of Figures xi
List of Tables xiii
Denotation xv
Chapter 1 Introduction 1
1.1 Overview 1
1.2 Cyber Threat Intelligence 1
1.3 Cyber Threat Intelligence document 2
1.3.1 Malware Analysis Report 2
1.3.2 Malware Technical Report 3
1.3.3 Campaign Report 4
1.3.4 Security News 4
1.4 Need of CTI documents quality evaluation 5
1.5 Issues to face to accomplish the work 6
1.5.1 Evaluation Aspect Issue 6
1.5.2 Automation Issue 7
1.5.3 Ground Truth Issue 7
1.6 Contributions 8
Chapter 2 Background 11
2.1 MITRE ATTACK overview 11
2.2 Cyber Attacks and CTI Documents 11
2.2.1 Named Entity Recognition (NER) 12
2.2.2 Relationships Extraction (RE) 12
2.2.3 Part of Speech (POS) 12
2.2.4 Dependency Parsing (DP) 13
2.3 Regular Expression 14
2.4 Provenance Graph 15
2.4.1 Data Sources 15
2.4.2 Components 16
2.4.3 System Resource 17
2.4.4 Operations that Change System State 18
2.5 System Call 19
Chapter 3 Related works 21
3.1 Cyber Threat Intelligence Evaluation 21
3.2 Report Extraction state-of-the-art 23
3.3 Provenance Graph Application state-of-the-art 24
Chapter 4 Problem Statement 27
4.1 Motivating Example 27
4.2 Issues arise from the scenario 30
Chapter 5 Solution Approach 33
5.1 System Design 33
5.2 Preprocessing Subject CTI Document 34
5.3 Constructing ASG as the Baseline Reference 35
5.3.1 Sandbox and supported architectures 35
5.3.2 Handling of recorded traces and conversion to ASG 36
5.3.3 Graph Reduction without information loss 37
5.3.4 Doc Search Regex Generator 37
5.4 Extracting Attack Activity Description from CTI Document 38
5.4.1 Filtering Sentence Segments containing STobjects 38
5.4.2 Extracting Attack Activity Descriptions 39
5.5 Bridging Semantic Gap between CTI Natural Language and System Calls 41
5.5.1 Extracting Linux System Manual Page 41
5.5.2 Establishing Synonymbase 42
5.5.3 Using Synonymbase to Achieve Mutual Conversion 43
5.6 Quality Evaluation Metrics 43
5.6.1 The Quality Metrics 44
5.6.2 Parallel Processing of CTI Documents with the same Subject Malware 45
5.6.3 Activity Description Attack Flow Diagram 46
Chapter 6 Implementation 47
6.1 Dataset 47
6.2 Environment 48
Chapter 7 Experiments and Results 51
7.1 Results of 77 CTI documents 51
7.2 Experiments 55
7.2.1 Effectiveness of Document Extraction 55
7.2.2 Reliability of Scheme 56
7.3 Case Study: Quality Scores and Attack-Flow on Dofloo Malware 58
7.3.1 About the Dofloo Family 58
7.3.2 Quality Scores 59
7.3.3 Activity Description Attack Flow Diagram 61
Chapter 8 Conclusion 63
References 65
Appendix A — Algorithms 75
A.1 Construct CTI SyscallSynonymBase 75
A.2 Query CTI SyscallSynonymBase 75
A.3 Classify Document 75
dc.language.iso: en
dc.title: Evaluating the Quality of Cyber Threat Intelligence Reports through Malicious Attack Pattern Matching [zh_TW]
dc.title: Measuring the Quality of Cyber Threat Intelligence Documents through Malware Attack Pattern Matching [en]
dc.type: Thesis
dc.date.schoolyear: 111-2
dc.description.degree: Master [zh_TW: 碩士]
dc.contributor.oralexamcommittee: 李育杰;陳俊良;陳孟彰;黃意婷 [zh_TW]
dc.contributor.oralexamcommittee: Yuh-Jye Lee;Jiann-Liang Chen;Meng-Chang Chen;Yi-Ting Huang [en]
dc.subject.keyword: Malware Dynamic Analysis, Threat Intelligence Report Evaluation, Report Extraction, Syscall Synonym Base [zh_TW]
dc.subject.keyword: Dynamic Analysis, Malware CTI Document Quality Evaluation, Report Extraction, Syscall Synonym Base [en]
dc.relation.page: 78
dc.identifier.doi: 10.6342/NTU202302378
dc.rights.note: Authorized for release (open access worldwide)
dc.date.accepted: 2023-08-12
dc.contributor.author-college: College of Management (管理學院)
dc.contributor.author-dept: Department of Information Management (資訊管理學系)
Appears in collections: Department of Information Management (資訊管理學系)

Files in this item:
File: ntu-111-2.pdf, Size: 4.43 MB, Format: Adobe PDF