Please use this identifier to cite or link to this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/72327
Title: | Malware Behavior Analysis with ATT&CK Framework |
Authors: | Chi-Yu Lin 林啟祐 |
Advisor: | 謝宏昀(Hung-Yun Hsieh) |
Co-Advisor: | 陳孟彰(Meng-Chang Chen) |
Keyword: | MITRE ATT&CK, dynamic analysis, Cuckoo sandbox |
Publication Year: | 2020 |
Degree: | Master's |
Abstract: | In recent years malware has grown rapidly, and many anti-malware defensive solutions focus on detecting the malware family, most of them relying on signature-based techniques. However, such signature-based techniques often fail to detect unknown malware, and a family label cannot clearly describe the attack behavior of a specific malware sample. We therefore propose a novel Automatic Malware Behavior Analysis Model that automatically generates the behavioral techniques (TTPs) defined by ATT&CK for samples run on a malware analysis system. Given a set of malware reports, the proposed method learns the relationship between API calls and Tactics, Techniques and Procedures (TTPs), associating a sequence of API calls with the TTP it exhibits. The method is based on the MITRE ATT&CK framework, a knowledge base of commonly observed adversary tactics and techniques, which gives us a clear vocabulary for describing the behavior of a malware sample. In this thesis the malware is executed in the Cuckoo sandbox to obtain its run-time behavior. At the end of execution, Cuckoo reports the API calls invoked by the malware. This report is in JSON format and is converted to MIST format to extract the API call sequence. Finally, we construct RNN and Seq2Seq models, which retain the ordering information of the sequence. Our evaluation shows an F1-score of 94.95% when predicting TTPs for known malware and 99.40% for unknown malware, which demonstrates the generality and feasibility of deep learning methods for associating API calls with TTPs. |
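The first stage of the pipeline described in the abstract (Cuckoo JSON report, then an ordered API-call sequence, then integer ids for the RNN/Seq2Seq input) can be shown concretely. The block below is an added example and is not the thesis author's code. It assumes the Cuckoo 2.x report layout (`report["behavior"]["processes"][*]["calls"][*]` with `category`, `api`, `arguments`, `return_value`, `time`), uses a constructed miniature report rather than real sandbox output, and emits a simplified `category:api` token per call instead of the full MIST hex encoding; the names `extract_sequences`, `build_vocab` and `encode` are the example's own.

```python
"""Turn a Cuckoo Sandbox JSON report into ordered API-call token sequences
and integer-encode them for a sequence model (RNN / Seq2Seq input).

Added example, not code from the thesis. Assumptions: the report layout
follows Cuckoo 2.x (report["behavior"]["processes"][*]["calls"][*] carrying
"category", "api", "arguments", "return_value", "time"); the sample report
is constructed; and the token format "category:api" is a simplified
MIST-style instruction, not the full MIST hex encoding.
"""
import json
from typing import Dict, Iterable, List

PAD, UNK = "<pad>", "<unk>"

# Constructed miniature report in Cuckoo's shape (not real sandbox output).
SAMPLE_REPORT = json.dumps({
    "behavior": {
        "processes": [
            {"pid": 1234, "process_name": "sample.exe", "calls": [
                {"category": "registry", "api": "RegOpenKeyExW",
                 "arguments": {"regkey": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
                 "return_value": 0, "time": 1.0},
                {"category": "registry", "api": "RegSetValueExW",
                 "arguments": {"regkey": "...\\Run\\updater", "value": "C:\\Users\\x\\sample.exe"},
                 "return_value": 0, "time": 1.1},
                {"category": "network", "api": "InternetOpenUrlW",
                 "arguments": {"url": "http://example.invalid/c2"},
                 "return_value": 0, "time": 2.0},
            ]},
            {"pid": 1300, "process_name": "child.exe", "calls": [
                {"category": "process", "api": "CreateProcessInternalW",
                 "arguments": {"command_line": "cmd.exe /c whoami"},
                 "return_value": 1, "time": 3.0},
            ]},
        ]
    }
})


def extract_sequences(report_json: str) -> Dict[int, List[str]]:
    """Return {pid: ["category:api", ...]} with calls in invocation order.

    Cuckoo already lists calls chronologically; the stable sort on "time"
    only guards against reports assembled from several monitor logs.
    Calls lacking a category are tagged "unknown" rather than dropped, so
    the sequence length still matches what the sandbox observed.
    """
    report = json.loads(report_json)
    sequences: Dict[int, List[str]] = {}
    for proc in report.get("behavior", {}).get("processes", []):
        calls = sorted(proc.get("calls", []), key=lambda c: c.get("time", 0.0))
        sequences[proc["pid"]] = [
            f"{c.get('category', 'unknown')}:{c['api']}" for c in calls
        ]
    return sequences


def build_vocab(sequences: Iterable[List[str]]) -> Dict[str, int]:
    """Map each distinct token to an integer id; 0 = padding, 1 = unknown.

    Reserving <unk> matters for the "unknown malware" setting in the thesis:
    a sample seen only at inference time may call an API absent from the
    training reports, and the model must still accept the sequence.
    """
    vocab = {PAD: 0, UNK: 1}
    for seq in sequences:
        for tok in seq:
            vocab.setdefault(tok, len(vocab))
    return vocab


def encode(seq: List[str], vocab: Dict[str, int], max_len: int) -> List[int]:
    """Integer-encode a token sequence, truncating or right-padding to max_len."""
    ids = [vocab.get(tok, vocab[UNK]) for tok in seq[:max_len]]
    return ids + [vocab[PAD]] * (max_len - len(ids))


if __name__ == "__main__":
    seqs = extract_sequences(SAMPLE_REPORT)
    vocab = build_vocab(seqs.values())
    for pid, seq in seqs.items():
        print(pid, seq, encode(seq, vocab, max_len=5))
```

Keeping one sequence per process (rather than flattening the whole report) preserves the parent/child structure that a per-sample TTP label otherwise hides; the vocabulary must be built from the training reports only and then frozen, so that APIs first seen in an unknown sample map to `<unk>` instead of silently growing the id space.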
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/72327 |
DOI: | 10.6342/NTU202004162 |
Fulltext Rights: | Authorized (fee-based) |
Appears in Collections: | Data Science Degree Program |
Files in This Item:
File | Size | Format
---|---|---
U0001-2408202015325900.pdf (Restricted Access) | 4.64 MB | Adobe PDF