Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/49845
Full metadata record
DC field: value (language)
dc.contributor.advisor: 孫雅麗 (Yea-Li Sun)
dc.contributor.author: Li-Yuan Chiang (en)
dc.contributor.author: 姜立垣 (zh_TW)
dc.date.accessioned: 2021-06-15T11:52:08Z
dc.date.available: 2019-08-31
dc.date.copyright: 2016-08-31
dc.date.issued: 2016
dc.date.submitted: 2016-08-11
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/49845
dc.description.abstract (zh_TW, translated): This thesis focuses on malware on the Windows platform, extracting the common characteristic behaviors of a malware family and identifying the differentiated behavioral characteristics among the variants within a family.
First, we define a malware process as an execution sequence of Windows API calls and filter the parameter contents. Next, to compare the similarities and differences between processes, we use sequence alignment techniques so that similar segments of the execution sequences are aligned as closely as possible, while differing parts are aligned with gaps or as mismatches. On this basis we develop a system built on the Needleman-Wunsch algorithm to perform multiple sequence alignment; it produces a data structure, called stageMatrix, that describes the similarities and differences of each segment at each execution stage among the variants of a family.
Then, we extract the common execution stages of the family, define the APIs that cause system state changes (StateChange_API, SC_API), track the resource contents used by these SC_APIs, and visualize their complete usage flow.
Finally, as future work, we hope to extend the comparison of characteristics to comparisons between families.
dc.description.abstract (en): This thesis focuses on malware on the Windows platform, extracting the common characteristic behaviors of a malware family and identifying differentiated characteristic behaviors among the variants of that family.
First, we define a malware process execution as a Windows API call sequence and winnow the parameters in these sequences. Then, to compare these sequences, we apply sequence alignment techniques that align similar parts of the execution sequences and insert gaps or align mismatched parts where the sequences differ. We therefore develop a multiple sequence alignment system based on the Needleman-Wunsch algorithm. This system produces a data structure, stageMatrix, that describes all segment alignment information among a family's variants.
Next, we extract common execution stages. We define the APIs that may cause system state changes (StateChange_API, SC_API), track the resources these APIs access, and visualize the full access flow.
Finally, we plan to extend the characteristic comparison to multiple families in future work.
dc.description.provenance (en): Made available in DSpace on 2021-06-15T11:52:08Z (GMT). No. of bitstreams: 1; ntu-105-R03725038-1.pdf: 2878548 bytes, checksum: cf9d0d7c4b5883725ebd8ee7e7226536 (MD5). Previous issue date: 2016.
dc.description.tableofcontents:
Acknowledgements II
Abstract (Chinese) III
THESIS ABSTRACT IV
Table of Contents V
Chapter 1 Introduction 1
  Section 1 Research Motivation 1
  Section 2 Research Objectives 6
  Section 3 Research Contributions 6
Chapter 2 Related Work 7
Chapter 3 Background 14
  Section 1 Malware Analysis Methods 14
    1 Static Analysis 14
    2 Dynamic Analysis 15
      2-1 API hooking 15
      2-2 Virtual Machine Introspection (VMI) 16
  Section 2 Sequence Alignment 17
    1 Pairwise sequence alignment 18
      1-1 Dotmatrix 18
      1-2 Dynamic Programming 19
    2 Multiple Sequence Alignment (MSA) 25
Chapter 4 System Design 32
  Section 1 Malware Families 32
  Section 2 VMI Profiling 35
  Section 3 Winnowing 37
  Section 4 Global Alignment Scheme 40
  Section 5 Delineation Algorithm 44
  Section 6 Common Stage: Motif Analysis 50
    1 Common Stage Extraction 51
    2 Observations in Common Stages 51
    3 Common Stage Sequence: Resource Use Analysis 54
    4 Common Stage Sequence: Common Motif Analysis 55
    5 Common Stage Sequence: Def Chain 56
Chapter 5 Case Study 56
Chapter 6 Conclusion 64
Chapter 7 References 66
dc.language.iso: zh-TW
dc.subject: Family (zh_TW)
dc.subject: Malware (zh_TW)
dc.subject: Common characteristics extraction (zh_TW)
dc.subject: Sequence alignment (zh_TW)
dc.subject: Differentiated behaviors identification (zh_TW)
dc.subject: Sequence alignment (en)
dc.subject: Family (en)
dc.subject: Malware (en)
dc.subject: Differentiated behaviors identification (en)
dc.subject: Common characteristics extraction (en)
dc.title: Motif API Sequence Analysis of Malware Families on the Windows Platform (zh_TW)
dc.title: Malware Family Motif API Sequence Analysis on Windows Platform (en)
dc.type: Thesis
dc.date.schoolyear: 104-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 陳孟彰 (Meng-Chang Chen), 李育杰 (Yuh-Jye Lee), 李漢銘 (Hahn-Ming Lee), 謝錫? (Ce-Kuen Shieh)
dc.subject.keyword: Malware, Family, Sequence alignment, Common characteristics extraction, Differentiated behaviors identification (zh_TW)
dc.subject.keyword: Malware, Family, Sequence alignment, Common characteristics extraction, Differentiated behaviors identification (en)
dc.relation.page: 69
dc.identifier.doi: 10.6342/NTU201602282
dc.rights.note: Authorized (paid licence)
dc.date.accepted: 2016-08-11
dc.contributor.author-college: College of Management (zh_TW)
dc.contributor.author-dept: Graduate Institute of Information Management (zh_TW)
Appears in collections: Department of Information Management

Files in this item:
File / Size / Format
ntu-105-1.pdf: not authorized for public access; 2.81 MB, Adobe PDF