Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/22519
Full metadata record
DC field | Value | Language |
---|---|---|
dc.contributor.advisor | 郭斯彥(Sy-Yen Kuo) | |
dc.contributor.author | Min-Chun Huang | en |
dc.contributor.author | 黃敏純 | zh_TW |
dc.date.accessioned | 2021-06-08T04:19:45Z | - |
dc.date.copyright | 2010-07-21 | |
dc.date.issued | 2010 | |
dc.date.submitted | 2010-07-21 | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/22519 | - |
dc.description.abstract | This thesis presents Pirus, a system that requires no virus signatures and reports in real time which files in a system have been infected by malware. In general, although malware can be removed by commercial software, its related malicious components (for example, the instigator that plants it) are often not removed at the same time, so the malware can regenerate and keep stealing confidential information or leave the information system exposed and insecure. The thesis presents an algorithm that generates an infection graph to correlate a piece of malware with its related components. Beyond enabling the complete removal of a single piece of malware, the infection graph can also detect and remove other malware on the system by way of the system files that different malware share. Experimental results comparing the resulting list of malicious files with those produced by commercial antivirus products show that, for both known and unknown malware, the implemented system finds more malicious files than the commercial products do. | zh_TW |
dc.description.abstract | This thesis presents a real-time system, Pirus, that lists all the malicious components of a given piece of malware without requiring a virus definition file. Although malware can now be detected and removed by commercial tools, its related malicious components (for example, the instigator) may go undetected, so the malware continues to steal user data and leaves the information system insecure. The thesis presents an infection-graph generation algorithm that correlates malware with its related malicious components; because different malware may share malicious components, the same graph also detects other malware present on the system. Finally, the experimental results show that Pirus detected more malicious files than commercial tools for both known and unknown malware. | en |
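To make the infection-graph idea in the abstract concrete, along with the steps named in the table of contents (white list, taint rules, first taint, backward taint, forward taint, infection algorithm), here is an added worked example. It is written for this record and is not code from the thesis or from the Pirus implementation. It taints file paths over a constructed, already-filtered system-call trace: the record layout, the operation names (`create`, `exec`, `copy`), the white list contents, the sample paths and the Graphviz DOT output are all assumptions made for the example. Seeding on one payload walks backward to the dropper that created it and then forward from the dropper, so a sibling payload and a shared helper DLL end up on the malicious file list even though only the first payload was submitted.

```python
"""Infection-graph construction by taint propagation over a filtered
system-call trace. Added worked example; not the thesis's or Pirus's code.
Trace layout, operation names, white list and output format are assumptions."""
from collections import defaultdict, namedtuple

# One filtered record: the image that issued the call, the operation, and its
# one (unary) or two (binary) path operands. 'dst' is None for unary calls.
Event = namedtuple("Event", "actor op src dst")

# White list: trusted entities that are never tainted, so the walk stops at
# them instead of smearing taint over the whole OS (assumed contents).
WHITELIST = {
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\services.exe",
}

# Constructed sample trace (not a real capture). The user launches a dropper,
# which writes a shared helper DLL and two payloads and runs one of them; the
# payloads copy themselves and install a driver. Benign noise is included.
DROPPER = r"C:\Users\u\Downloads\dropper.exe"
PAYLOAD_A = r"C:\Windows\System32\payload_a.exe"
PAYLOAD_B = r"C:\Windows\System32\payload_b.exe"
TRACE = [
    Event(r"C:\Windows\explorer.exe", "exec", DROPPER, None),
    Event(DROPPER, "create", r"C:\Windows\System32\helper.dll", None),
    Event(DROPPER, "create", PAYLOAD_A, None),
    Event(DROPPER, "create", PAYLOAD_B, None),
    Event(DROPPER, "exec", PAYLOAD_A, None),
    Event(PAYLOAD_A, "copy", PAYLOAD_A, r"C:\Windows\Temp\pa.tmp"),
    Event(PAYLOAD_A, "exec", r"C:\Windows\System32\svchost.exe", None),
    Event(PAYLOAD_B, "create", r"C:\Windows\System32\drivers\hook.sys", None),
    Event(r"C:\Windows\System32\services.exe", "create", r"C:\Windows\System32\config\system.log", None),
    Event(r"C:\Windows\explorer.exe", "create", r"C:\Users\u\Documents\notes.txt", None),
]


def build_indexes(trace):
    """Relation rules: producers[x] = who made/launched x, products[x] = what x
    made/launched. Unary calls (create, exec) relate actor -> operand; the
    binary copy relates both the copier and the source file to the destination."""
    producers, products = defaultdict(set), defaultdict(set)
    for ev in trace:
        if ev.op in ("create", "exec"):      # unary operand: actor -> operand
            origins, target = {ev.actor}, ev.src
        elif ev.op == "copy":                # binary operand: actor and source -> destination
            origins, target = {ev.actor, ev.src}, ev.dst
        else:                                # calls the filter stage should have removed
            continue
        for origin in origins:
            producers[target].add((origin, ev.op))
            products[origin].add((target, ev.op))
    return producers, products


def taint(seeds, index, whitelist, forward):
    """Generic taint walk; index is producers (backward) or products (forward).
    The visited set makes cycles (A writes B, B rewrites A) terminate, and
    white-listed nodes are kept as edge endpoints but never tainted or expanded."""
    tainted, edges, stack = set(), set(), list(seeds)
    while stack:
        node = stack.pop()
        if node in tainted:
            continue
        tainted.add(node)
        for other, op in index.get(node, ()):
            edges.add((node, op, other) if forward else (other, op, node))
            if other not in whitelist:
                stack.append(other)
    return tainted, edges


def infection_graph(seed, trace=TRACE, whitelist=WHITELIST):
    """First taint the given malware, walk backward to its instigator(s), then
    forward from everything tainted so far. Returns (malicious files, edges)."""
    if seed in whitelist:
        raise ValueError("refusing to taint a white-listed file: %s" % seed)
    producers, products = build_indexes(trace)
    back, back_edges = taint([seed], producers, whitelist, forward=False)
    fwd, fwd_edges = taint(back, products, whitelist, forward=True)
    return sorted(back | fwd), sorted(back_edges | fwd_edges)


def to_dot(nodes, edges):
    """Graphviz DOT rendering (output format chosen for this example); white-listed
    entry points appear only as edge endpoints, showing where the infection came in."""
    q = lambda s: '"%s"' % s.replace("\\", "\\\\")
    body = ["  %s [shape=box];" % q(n) for n in nodes]
    body += ["  %s -> %s [label=%s];" % (q(a), q(b), q(op)) for a, op, b in edges]
    return "digraph infection {\n%s\n}" % "\n".join(body)


if __name__ == "__main__":
    files, edges = infection_graph(PAYLOAD_A)
    print("malicious files:", *files, sep="\n  ")
    print(to_dot(files, edges))
```

The white list is what keeps the walk from declaring explorer.exe malicious just because it launched the dropper, which is the same reason a real implementation has to curate it carefully: a white-listed file that malware has actually overwritten would be missed, so the list should be backed by hashes rather than paths alone.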
dc.description.provenance | Made available in DSpace on 2021-06-08T04:19:45Z (GMT). No. of bitstreams: 1 ntu-99-R97921077-1.pdf: 10445334 bytes, checksum: 61a8524d4f1fbc0dbf251c8176ab5a78 (MD5) Previous issue date: 2010 | en |
dc.description.tableofcontents | Chapter 1. Introduction
  1.1 Motivation
  1.2 Background
  1.3 The Problem
Chapter 2. Related Works
  2.1 Process Coloring Approach
  2.2 Malware Detection System
  2.3 Malware Removal and System Repair System
  2.4 Discussion
Chapter 3. Design and Implementation
  3.1 System Architecture
  3.2 Raw Data Retrieval and Filter
    3.2.1 Disassemble Malware
    3.2.2 System Call Retrieval
    3.2.3 Filter out System Call
  3.3 Relation Rule Establishment
    3.3.1 Unary Operand System Call
    3.3.2 Binary Operand System Call
  3.4 Introduction to Infection Graph
    3.4.1 Infection Graph Format
    3.4.2 Illustration of Infection Graph
  3.5 Algorithm for Drawing Infection Graph
    3.5.1 White List
    3.5.2 Taint Rules
    3.5.3 First Taint
    3.5.4 Backward Taint
    3.5.5 Forward Taint
    3.5.6 Infection Algorithm
    3.5.7 Case Study: Infection of Backdoor.Padodor.f
    3.5.8 Discussion
  3.6 Implementation Issues
    3.6.1 Offline Analysis Framework
    3.6.2 Real-time Analysis Framework
Chapter 4. Evaluation
  4.1 Known Malware
  4.2 Unknown Malware
Chapter 5. Conclusion and Future Works
References
Appendix - Snapshots of Infection Graph and Malicious File List of Backdoor.Padodor.f | |
dc.language.iso | en | |
dc.title | Design and Implementation of a Real-Time System for Correlating and Identifying Suspicious Files Related to Malware | zh_TW |
dc.title | Pirus : A Real-Time Framework for Suspicious Entities Correlation and Discrimination for Malware Identification | en |
dc.type | Thesis | |
dc.date.schoolyear | 98-2 | |
dc.description.degree | Master | |
dc.contributor.oralexamcommittee | 王國禎(Kuo-Chen Wang),陳英一(Ing-Yi Chen),雷欽隆(Chin-Laung Lei),顏嗣鈞(Hsu-chun Yen) | |
dc.subject.keyword | malware analysis, malicious component detection, infection graph, virus signature, system call | zh_TW |
dc.subject.keyword | malware analysis, malicious component detection, infection graph, signature, system call | en |
dc.relation.page | 93 | |
dc.rights.note | Not authorized (no licence granted for public access) | |
dc.date.accepted | 2010-07-21 | |
dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW |
dc.contributor.author-dept | Graduate Institute of Electrical Engineering | zh_TW |
Appears in collections: | Department of Electrical Engineering |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-99-1.pdf (not currently authorized for public access) | 10.2 MB | Adobe PDF |
Items in this repository are protected by copyright, with all rights reserved, unless otherwise indicated.