Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/48006

Full metadata record (DC field: value [language])

dc.contributor.advisor: 郭斯彥 (Sy-Yen Kuo)
dc.contributor.author: Ting-Yu Lee [en]
dc.contributor.author: 李庭宇 [zh_TW]
dc.date.accessioned: 2021-06-15T06:44:19Z
dc.date.available: 2011-07-07
dc.date.copyright: 2011-07-07
dc.date.issued: 2011
dc.date.submitted: 2011-07-01
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/48006
dc.description.abstract: In view of the alarming growth of malware in recent years, with the number of new viruses in 2009 reaching a record high, making anti-virus software more efficient is one of the most important issues in the information security community today.
Existing matching techniques detect malware by signature matching, and such matching can often be evaded simply by packing the virus or modifying its signature. Effectively improving the efficiency of malware matching has therefore become the goal of our research.
According to Cisco's research, packed programs account for roughly 70-80% of malware, so we propose a more effective detection method for packed variants: behavior matching. That is, relying on the principle that a virus's behavior does not change, we take precautions when the virus performs a special action and warn the user that the computer has been modified by an unknown party.
We classify virus behavior through a scheme called a Profile and use numeric encoding to speed up execution of the system. Finally, through experiments comparing against Virus Total, we show that our system can effectively monitor malware behavior and defend against packed variants of viruses. [zh_TW]
dc.description.abstract: Anti-malware companies receive thousands of malware samples every day, and the growth of malware kept surging in 2009 to a historical high. How to make antivirus programs more effective is therefore an important and urgent problem.
Traditionally, malware is detected by signature. However, if the malware is packed or its signature is changed, the antivirus program will not be able to find it. We therefore want to provide a new way to solve this problem.
According to Cisco's research, 70%-80% of malware is packed. In this thesis, we provide a new way of detecting packed malware. When malware does something special to a user's computer, we can detect the behavior and tell the user that this is suspicious behavior caused by malware.
We propose a scalable clustering approach to identify and group malware samples that exhibit similar behaviors, and we use the number register to make our system more efficient. The results of our extensive experiments show that our system can find malware more effectively than the existing tools. [en]
dc.description.provenance: Made available in DSpace on 2021-06-15T06:44:19Z (GMT). No. of bitstreams: 1
ntu-100-R98943155-1.pdf: 4760504 bytes, checksum: 1ab3b1c29352ba83dd2811e6704cc9b7 (MD5)
Previous issue date: 2011 [en]
dc.description.tableofcontents:
Acknowledgements (誌謝) I
Abstract (摘要, Chinese) II
Abstract III
List of Contents IV
List of Figures VI
List of Tables VIII
Chapter 1. Introduction 1
1.1 Motivation 2
1.2 Background 4
1.3 The Problem 6
Chapter 2. Related Works 7
2.1 Behavior-Based Malware Clustering 7
2.2 MIST 10
2.3 Discussion 13
Chapter 3. Design and Implementation 14
3.1 System Overview 14
3.1.1 System Architecture 14
3.1.2 Operating System 17
3.2 Binary Data to Information 18
3.3 Extraction to Profile 21
3.3.1 Profile 21
3.3.2 Extraction of System Calls to Profile 24
3.4 Profile Database 26
3.5 Detect Malware Behavior 29
3.5.1 Comparing Profile with Database 29
3.5.2 Using Labels to Detect Malware Behavior 31
3.6 Random Parameter 34
Chapter 4. Evaluation 38
4.1 System Interface 39
4.2 Normal Malware Behavior 42
4.3 Packed Malware Behavior 45
4.3.1 UPX and ASPack 45
4.3.2 Testing with Virus Total and Our System 48
4.4 Other Malware with the Same Behavior 51
Chapter 5. Conclusion and Future Works 53
5.1 Future Works 53
5.2 Conclusion 54
References 55
dc.language.iso: en
dc.subject: 惡意程式分析 (malware analysis) [zh_TW]
dc.subject: 惡意元件偵測 (malicious component detection) [zh_TW]
dc.subject: 行為比對 (behavior matching) [zh_TW]
dc.subject: 病毒行為偵測 (virus behavior detection) [zh_TW]
dc.subject: 加殼變種病毒偵測 (packed virus variant detection) [zh_TW]
dc.subject: signature detection [en]
dc.subject: behavioral detection [en]
dc.subject: malware analysis [en]
dc.subject: packed malware detection [en]
dc.subject: clustering [en]
dc.title: 利用行為比對分類之加殼病毒偵測 [zh_TW]
dc.title: Packed Malware Detection Based on Behavior Classification [en]
dc.type: Thesis
dc.date.schoolyear: 99-2
dc.description.degree: Master (碩士)
dc.contributor.oralexamcommittee: 雷欽隆 (Chin-Laung Lei), 陳英一 (Chen Ing-Yi), 呂學坤 (Shyue-Kung Lu), 陳俊良 (Jiann-Liang Chen)
dc.subject.keyword: 惡意程式分析, 惡意元件偵測, 行為比對, 病毒行為偵測, 加殼變種病毒偵測 [zh_TW]
dc.subject.keyword: malware analysis, behavioral detection, signature detection, clustering, packed malware detection [en]
dc.relation.page: 57
dc.rights.note: 有償授權 (licensed for a fee)
dc.date.accepted: 2011-07-01
dc.contributor.author-college: 電機資訊學院 (College of Electrical Engineering and Computer Science) [zh_TW]
dc.contributor.author-dept: 電子工程學研究所 (Graduate Institute of Electronics Engineering) [zh_TW]
Appears in collection: 電子工程學研究所 (Graduate Institute of Electronics Engineering)

Files in this item:
File: ntu-100-1.pdf (not authorized for open access)
Size: 4.65 MB
Format: Adobe PDF