惡意程式可疑檔案關聯建立與辨識之即時系統設計與實作

Abstract

本論文提供了一個系統- Pirus，該系統不需要病毒特徵碼並可以即時地回報系統內受惡意程式感染的檔案。一般而言，雖然惡意程式可以被商業軟體移除，但通常一些相關的惡意元件(例如:instigator, 幕後主使者)並未被同時移除乾淨導致惡意程式有再滋生的可能並且可持續地竊取機密資訊或使得資訊系統曝露在公開場合底下而顯得不安全。 本論文提供了一個產生感染圖(infection graph)的演算法來關聯起惡意程式及其相關元件；感染圖除了可以完整地移除單一惡意程式外，亦可基於系統中不同的惡意程式會共用的系統檔案來偵測到其它的惡意程式並移除之。 透過本論文的實驗結果得知，實驗所得的惡意檔案清單和市售防毒軟體的比較，無論是已知或是未知的惡意程式，本論文的實作系統可以找到相較於市售軟體還要多的惡意檔案。

This thesis provided a real-time system, Pirus, to list all the malicious components for given malware without the need of any virus definition file. Although now a malware can be detected and removed by commercial tools, however, the related malicious components (ex, instigator) may not be detected thus malware continuously steal user privacy and expose information systems to be insecure. This thesis provided infection graph generation algorithm to correlate malware and its related malicious component. This thesis can also detect other malware based on the shared malicious components between malware. Finally, the experiment result showed that compared with commercial tools Pirus detected more malicious files than commercial tools for both known and unknown malware.