Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/77680

Full metadata record (DC field: value, with the language tag of the field in parentheses where the record carries one)
dc.contributor.advisor: 孫雅麗 (Yea-Li Sun)
dc.contributor.author: Hsing-Yun Chen (en)
dc.contributor.author: 陳星妘 (zh_TW)
dc.date.accessioned: 2021-07-10T22:15:31Z
dc.date.available: 2021-07-10T22:15:31Z
dc.date.copyright: 2017-09-04
dc.date.issued: 2017
dc.date.submitted: 2017-08-17
dc.identifier.citation:
[1] "McAfee Labs Threats Report," 2016. [Online]. Available: http://www.mcafee.com/us/resources/reports/rp-quarterly-threats-dec-2016.pdf
[2] "Koobface," Wikipedia. [Online]. Available: https://en.wikipedia.org/wiki/Koobface
[3] G. Szappanos, "The PlugX malware revisited: introducing 'Smoaler'," Sophos. [Online]. Available: https://sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf [Accessed: Jan. 2013].
[4] R. A. Certeza, "Pulling the Plug on PlugX," Trend Micro. [Online]. Available: http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx [Accessed: Oct. 2012].
[5] S.-W. Hsiao et al., "A Cooperative Botnet Profiling and Detection in Virtualized Environment," in Proc. IEEE Conf. on Communications and Network Security (CNS), pp. 154-162, Oct. 2013.
[6] C. Kruegel, "Evasive Malware Exposed and Deconstructed," RSA Conference, San Francisco, 2015.
[7] G. Vigna, "Antivirus Isn't Dead, It Just Can't Keep Up," Lastline Labs, May 2014. [Online]. Available: http://labs.lastline.com/
[8] U. Bayer, C. Kruegel, and E. Kirda, "TTAnalyze: A Tool for Analyzing Malware," in 15th Annual Conf. of the European Institute for Computer Antivirus Research (EICAR), 2006.
[9] U. Bayer et al., "A View on Current Malware Behaviors," in 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2009.
[10] U. Bayer et al., "Scalable, Behavior-Based Malware Clustering," in Proc. Network and Distributed System Security Symposium (NDSS), 2009.
[11] R. Tian et al., "Differentiating Malware from Cleanware Using Behavioural Analysis," in Proc. 5th IEEE Int. Conf. on Malicious and Unwanted Software (MALWARE 2010), pp. 23-30, Oct. 2010.
[12] M. Alazab et al., "Zero-day Malware Detection based on Supervised Learning Algorithms of API Call Signatures," in 9th Australasian Data Mining Conf. (AusDM), Ballarat, Vic., pp. 171-182, Dec. 2011.
[13] T. Lee et al., "Automatic Malware Mutant Detection and Group Classification Based on the N-gram and Clustering Coefficient," J. Supercomputing, Dec. 2015.
[14] J.-W. Jang et al., "Mal-Netminer: Malware Classification Based on Social Network Analysis of Call Graph," in 23rd Int. Conf. on World Wide Web (WWW), pp. 731-734, Apr. 2014.
[15] Y. Park, D. S. Reeves, and M. Stamp, "Deriving Common Malware Behavior through Graph Clustering," Computers & Security, vol. 39, pp. 419-430, 2013.
[16] S. Alam et al., "A Framework for Metamorphic Malware Analysis and Real-Time Detection," Computers & Security, vol. 48, pp. 212-233, Feb. 2015.
[17] C. M. Linn et al., "Protecting Against Unexpected System Calls," in Proc. 14th USENIX Security Symposium, pp. 239-254, Aug. 2005.
[18] K. Rieck et al., "Automatic Analysis of Malware Behavior Using Machine Learning," J. Computer Security, vol. 19, pp. 639-668, 2011.
[19] M. Abadi et al., "Control-Flow Integrity," in Proc. 12th ACM Conf. on Computer and Communications Security (CCS), pp. 340-353, Nov. 2005.
[20] M. Rajagopalan et al., "System Call Monitoring Using Authenticated System Calls," IEEE Trans. Dependable and Secure Computing, vol. 3, no. 3, pp. 216-229, 2006.
[21] G. Wagener, R. State, and A. Dulaunoy, "Malware Behaviour Analysis," J. Computer Virology, vol. 4, no. 4, pp. 279-287, Nov. 2008.
[22] Y. Ki, E. Kim, and H. K. Kim, "A Novel Approach to Detect Malware Based on API Call Sequence Analysis," Int. J. Distributed Sensor Networks, vol. 11, no. 6, Jun. 2015.
[23] W. M. Khoo and P. Lio, "Unity in Diversity: Phylogenetic-Inspired Techniques for Reverse Engineering and Detection of Malware Families," in SysSec Workshop, 2011.
[24] H. Lu et al., "DiffSig: Resource Differentiation Based Malware Behavioral Concise Signature Generation," in Information and Communication Technology, LNCS vol. 7804, pp. 271-284, 2013.
[25] A. Narayanan et al., "The Effects of Different Representations on Malware Motif Identification," in 8th Int. Conf. on Computational Intelligence and Security (CIS), pp. 86-90, Nov. 2012.
[26] D. W. Mount, Bioinformatics: Sequence and Genome Analysis, Cold Spring Harbor Laboratory Press, 2001.
[27] X. Li, P. Loh, and F. Tan, "Mechanisms of Polymorphic and Metamorphic Viruses," in European Intelligence and Security Informatics Conf. (EISIC), pp. 149-154, Sep. 2011.
[28] K. Rieck et al., "Learning and Classification of Malware Behavior," in Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), LNCS vol. 5137, pp. 108-125, 2008.
[29] Y. Ki et al., "A Novel Approach to Detect Malware Based on API Call Sequence Analysis," Int. J. Distributed Sensor Networks, vol. 11, no. 6, Jun. 2015.
[30] S. Schleimer, D. S. Wilkerson, and A. Aiken, "Winnowing: Local Algorithms for Document Fingerprinting," in Proc. ACM SIGMOD Int. Conf. on Management of Data, pp. 76-85, 2003.
[31] S. B. Needleman and C. D. Wunsch, "A General Method Applicable to the Search for Similarities in the Amino Acid Sequence of Two Proteins," J. Molecular Biology, vol. 48, pp. 443-453, 1970.
[32] "Use-define chain," Wikipedia. [Online]. Available: https://en.wikipedia.org/wiki/Use-define_chain
[33] D. Song et al., "BitBlaze: A New Approach to Computer Security via Binary Analysis," in Proc. Int. Conf. on Information Systems Security (ICISS), pp. 1-25, Dec. 2008.
[34] P. M. Chen and B. D. Noble, "When Virtual Is Better Than Real," in Proc. Workshop on Hot Topics in Operating Systems (HotOS), pp. 133-138, 2001.
[35] "Klez," virus.wikidot.com. [Online]. Available: http://virus.wikidot.com/klez
[36] "Zusy removal," Enigmasoftware. [Online]. Available: https://www.enigmasoftware.com/zusy-removal/
[37] "VirusTotal." [Online]. Available: https://www.virustotal.com/zh-tw/
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/77680
dc.description.abstract (zh_TW, translated): A malware family consists of many variants, most of which rely on obfuscation techniques to carry out similar dynamic behavior while evading malware detection. Identifying the family of a newly seen malware sample therefore provides strong clues for mitigating the threat, and understanding how malware families evolve and develop is essential for identifying their members effectively.
This study uses the system developed in our previous work, a high-level semantic profiling system based on virtual machine introspection, to record Windows API call names with their parameters and return values and to produce a time-ordered Windows API call sequence as an execution trace, which is treated as a profile describing the malware's behavior. The thesis then analyzes the generated execution traces, developing a clustering algorithm and sequence analysis algorithms that cluster malware behaviors and automatically extract the common behavior fragments of each behavior group; these fragments serve as the characteristics of the group and as the characteristics unique to a behavioral variant. The study also introduces def-use chain analysis to show more visually how malicious behavior accesses and uses important resources. Finally, it identifies which behavior groups make up each malware family, so that when unknown suspicious Windows software appears in the future its behavior can be recorded, compared against earlier analysis results, classified and analyzed, forming an automatic malware detection system.
With the method and system design of this study, deeper behavior analysis reports can be produced and the malware analysis process simplified, supporting malware forensics and the investigation of a sample's design and main purpose. The later chapters also show experimentally that the proposed method effectively complements existing malware analysis tools.
dc.description.abstract (en): A malware family consists of a collection of variants, mostly produced by obfuscation techniques, which possess resembling dynamic behaviors in order to evade malware detection. Identifying the family of a first-seen malware sample can provide useful clues to mitigate the threat. Hence, understanding the development of a malware family becomes critical for member identification.
In this study, we first used the profiling system proposed in our previous work, a high-level semantics profiling system that leverages virtual machine introspection. The system generates the execution trace of each sample as a time-ordered sequence of the hooked high-level API calls with their parameters and return values; an execution trace is recorded as the profile of a malware behavior. Second, we developed a clustering algorithm and sequence analysis algorithms to cluster malware behaviors automatically and to extract the common motifs (i.e., sequences of API calls) of a behavior group as the characteristics of that group, as well as the unique characteristics of a behavioral variant. Furthermore, we introduced def-use chain analysis to visualize and explain the harmful behavior of malware in terms of the resources it accesses. Finally, we identified the behavioral composition of each malware family. In the future, the proposed methods will be developed into an automatic malware detection system to efficiently counter obfuscation and malware variants.
The proposed methods support in-depth behavior investigation and simplify the malware analysis process for malware forensics, helping to investigate a sample's design and purpose. We also show experimentally that the proposed mechanism complements existing malware analysis tools.
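The def-use chain analysis the abstract describes links each resource a sample touches (a file, a registry key) to the later calls that operate on it. The following is an added example, not code from the thesis or its profiling system: it walks a constructed trace of hooked Windows API calls, treats a handle-returning call as the definition of a resource and any later call that passes the handle, or names the same resource by path, as a use. The trace, the API tables (which calls define a resource, which release a handle, which return values mean failure) and the function names are all assumptions made for the example; the trace deliberately reuses the handle value 0x1a4 after CloseHandle, the case that breaks a naive value-keyed approach.

```python
"""Added example (not from the thesis): def-use chains over an API-call trace.

A hooked call that returns a handle *defines* a resource; later calls that
pass that handle, or name the same resource by path, *use* it.  Chains are
keyed by live handles, so a handle value recycled by the OS after a close
starts a fresh chain instead of being attached to the old resource.
"""
from typing import Dict, List, Tuple

# Constructed sample trace, one hooked call per entry (API, arguments, return
# value).  The value 0x1a4 is deliberately reused after CloseHandle.
DROPPED = r"C:\Users\victim\AppData\Roaming\svc.exe"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
TRACE = [
    {"api": "CreateFileW", "args": {"lpFileName": DROPPED}, "ret": "0x1a4"},
    {"api": "WriteFile", "args": {"hFile": "0x1a4", "nNumberOfBytesToWrite": 4096}, "ret": 1},
    {"api": "CloseHandle", "args": {"hObject": "0x1a4"}, "ret": 1},
    {"api": "RegOpenKeyExW", "args": {"lpSubKey": RUN_KEY}, "ret": "0x1a4"},
    {"api": "RegSetValueExW", "args": {"hKey": "0x1a4", "lpValueName": "svc", "lpData": DROPPED}, "ret": 0},
    {"api": "RegCloseKey", "args": {"hKey": "0x1a4"}, "ret": 0},
    {"api": "CreateProcessW", "args": {"lpApplicationName": DROPPED}, "ret": 1},
]

# Assumed tables (a real system would cover far more of the Win32 API):
# defining APIs and the argument that names the resource, releasing APIs,
# and return values that mean the definition failed.
DEFINERS = {"CreateFileW": "lpFileName", "RegOpenKeyExW": "lpSubKey"}
RELEASERS = {"CloseHandle", "RegCloseKey"}
FAILED = {"0x0", "0xffffffff", "0xffffffffffffffff", None}

Use = Tuple[int, str, str]  # (trace index, API, argument name carrying the reference)


def build_def_use_chains(trace: List[dict]) -> List[dict]:
    chains: List[dict] = []
    live: Dict[str, int] = {}     # handle value -> chain it currently belongs to
    by_name: Dict[str, int] = {}  # resource name -> chain that first defined it
    for idx, call in enumerate(trace):
        api, args = call["api"], call["args"]
        # Uses: an argument equal to a live handle or to a known resource name.
        for arg_name, value in args.items():
            if isinstance(value, str) and value in live:
                chains[live[value]]["uses"].append((idx, api, arg_name))
            elif isinstance(value, str) and value in by_name:
                chains[by_name[value]]["uses"].append((idx, api, arg_name))
        # A release ends the handle's live range; the value may be recycled.
        if api in RELEASERS:
            for value in args.values():
                live.pop(value, None)
        # A successful defining call opens a new chain for the named resource.
        if api in DEFINERS and call["ret"] not in FAILED:
            resource = args[DEFINERS[api]]
            chains.append({"resource": resource, "defined_by": (idx, api), "uses": []})
            live[call["ret"]] = len(chains) - 1
            by_name.setdefault(resource, len(chains) - 1)
    return chains


def render(chains: List[dict]) -> List[str]:
    """One line per chain: resource, then def -> use -> use ... with trace indices."""
    lines = []
    for c in chains:
        steps = [f"{c['defined_by'][1]}@{c['defined_by'][0]}"]
        steps += [f"{api}@{idx}({arg})" for idx, api, arg in c["uses"]]
        lines.append(f"{c['resource']}: " + " -> ".join(steps))
    return lines


if __name__ == "__main__":
    for line in render(build_def_use_chains(TRACE)):
        print(line)
```

On the constructed trace this yields two chains: the dropped executable is defined by CreateFileW, written, closed, then referenced again by path in the Run-key value and in CreateProcessW (drop, persist, execute in one chain), while the registry key gets its own chain even though the OS handed back the same handle value, because the first chain's handle was retired at CloseHandle.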
dc.description.provenance (en): Made available in DSpace on 2021-07-10T22:15:31Z (GMT). No. of bitstreams: 1. ntu-106-R04725007-1.pdf: 3741512 bytes, checksum: 735e104a1ac44375cfefce78b195cdc0 (MD5). Previous issue date: 2017.
dc.description.tableofcontents (translated):
Acknowledgements
Chinese Abstract
Abstract
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
  Section 1 Motivation
  Section 2 Objectives
  Section 3 Contributions
Chapter 2 Related Work
Chapter 3 Background
  Section 1 Biological sequences
  Section 2 Polymorphism and metamorphism
    1 Polymorphism
    2 Metamorphism
    3 Summary
Chapter 4 System Architecture
  Section 1 Step 1. High-level API hooking: Execution Traces
  Section 2 Step 2. Winnowing: Feature Profiles
    1 Selecting the important parameters of an API call
    2 Extracting the important part of a parameter's content
  Section 3 Step 3. Clustering Algorithm: Behavior Groups
  Section 4 Step 4. Sequence Alignment: Behavior Group Motif Sequences
  Section 5 Step 5. Delineation: Behavior Group Stage Sequence
    1 BehaviorStageMatrix: a data structure describing a stage sequence
    2 Stage sequences and motif sequences
    3 Related statistical charts
  Section 6 Step 6. Behavior Group Common Stages: Motif Analysis
Chapter 5 Experiments
  Section 1 Experimental environment
  Section 2 Experimental procedure
  Section 3 Case studies
    1 A single family with multiple behavior groups
    2 Different families with different behavior groups
    3 Summary
Chapter 6 Conclusion
References
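Steps 3 and 4 of the system architecture (clustering traces into behavior groups, then aligning the traces of a group to obtain its motif sequences) are what the abstract calls the sequence analysis algorithms. The block below is an added example, not the thesis's implementation: it aligns constructed API-call traces with Needleman-Wunsch global alignment (the method cited as [31]), derives a pairwise similarity from the alignment score, groups traces whose similarity clears a threshold, and reports the maximal runs of identically aligned calls as the motifs the group shares. The scoring scheme, the threshold, the definition of a motif as a maximal matched run, the function names and the sample traces (one variant padded with junk timing calls, one unrelated network trace) are all assumptions made for the example.

```python
"""Added example (not from the thesis): Needleman-Wunsch alignment of API-call
traces, similarity-threshold clustering into behavior groups, and extraction
of shared motifs from the aligned columns."""
from itertools import combinations
from typing import List, Optional, Sequence, Tuple

# Constructed traces. A and B are variants of one behavior (B carries junk
# timing calls inserted by obfuscation); C is an unrelated network behavior.
TRACE_A = ["CreateFileW", "WriteFile", "CloseHandle", "RegOpenKeyExW",
           "RegSetValueExW", "RegCloseKey", "CreateProcessW"]
TRACE_B = ["GetTickCount", "CreateFileW", "WriteFile", "Sleep", "CloseHandle",
           "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey", "GetTickCount",
           "CreateProcessW"]
TRACE_C = ["WSAStartup", "socket", "connect", "send", "recv", "closesocket"]

MATCH, MISMATCH, GAP = 2, -1, -1  # assumed scoring scheme
Column = Tuple[Optional[str], Optional[str]]  # aligned pair; None marks a gap


def needleman_wunsch(a: Sequence[str], b: Sequence[str]) -> Tuple[int, List[Column]]:
    """Global alignment: fill the score matrix, then trace back one optimal path."""
    n, m = len(a), len(b)
    s = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        s[i][0] = i * GAP
    for j in range(1, m + 1):
        s[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            s[i][j] = max(s[i - 1][j - 1] + sub, s[i - 1][j] + GAP, s[i][j - 1] + GAP)
    i, j, cols = n, m, []
    while i > 0 or j > 0:
        sub = MATCH if (i and j and a[i - 1] == b[j - 1]) else MISMATCH
        if i > 0 and j > 0 and s[i][j] == s[i - 1][j - 1] + sub:
            cols.append((a[i - 1], b[j - 1])); i -= 1; j -= 1
        elif i > 0 and s[i][j] == s[i - 1][j] + GAP:
            cols.append((a[i - 1], None)); i -= 1
        else:
            cols.append((None, b[j - 1])); j -= 1
    cols.reverse()
    return s[n][m], cols


def similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """Alignment score normalised by the best possible score for the longer trace (1.0 = identical)."""
    score, _ = needleman_wunsch(a, b)
    return score / (MATCH * max(len(a), len(b)))


def behavior_groups(traces: List[Sequence[str]], threshold: float = 0.5) -> List[List[int]]:
    """Single-linkage grouping: traces joined whenever a pair clears the threshold."""
    parent = list(range(len(traces)))

    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, j in combinations(range(len(traces)), 2):
        if similarity(traces[i], traces[j]) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i in range(len(traces)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


def motifs(cols: List[Column], min_len: int = 2) -> List[Tuple[str, ...]]:
    """Maximal runs of columns where both traces carry the same call, i.e. shared API-call fragments."""
    out, run = [], []
    for x, y in cols:
        if x is not None and x == y:
            run.append(x)
        else:
            if len(run) >= min_len:
                out.append(tuple(run))
            run = []
    if len(run) >= min_len:
        out.append(tuple(run))
    return out


if __name__ == "__main__":
    print("groups:", behavior_groups([TRACE_A, TRACE_B, TRACE_C]))
    score, cols = needleman_wunsch(TRACE_A, TRACE_B)
    print("score:", score, "similarity:", similarity(TRACE_A, TRACE_B))
    for m in motifs(cols):
        print("motif:", " -> ".join(m))
```

The junk calls in TRACE_B become gap columns rather than mismatches, so A and B still score 11 of a possible 20 and land in one group, while the network trace stays separate; the two motifs that survive are the file-drop fragment and the persistence fragment. Within a real behavior group the same alignment would be applied pairwise or progressively across all members, and the thesis's winnowing step would first reduce each raw call (with parameters and return values) to the feature profile that is actually aligned.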
dc.language.iso: zh-TW
dc.subject (zh_TW, translated): Behavior group; Family; Sequence alignment; Common characteristics extraction; Differentiated behaviors identification; Malware
dc.subject (en): Differentiated behaviors identification; Malware; Family; Behavior Group; Sequence Alignment; Common characteristics extraction
dc.title (zh_TW, translated): Malware Behavior Group Analysis
dc.title (en): Malware Behavior Group Analysis
dc.type: Thesis
dc.date.schoolyear: 105-2 (academic year 105, second semester)
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 陳孟彰 (Meng-Chang Chen), 蕭舜文 (Shun-Wen Hsiao), 郁方 (Fang Yu)
dc.subject.keyword (zh_TW, translated): Malware, Family, Behavior group, Sequence alignment, Common characteristics extraction, Differentiated behaviors identification
dc.subject.keyword (en): Malware, Family, Behavior Group, Sequence Alignment, Common characteristics extraction, Differentiated behaviors identification
dc.relation.page: 60
dc.identifier.doi: 10.6342/NTU201703930
dc.rights.note: Not authorized for public release
dc.date.accepted: 2017-08-18
dc.contributor.author-college (zh_TW, translated): College of Management
dc.contributor.author-dept (zh_TW, translated): Graduate Institute of Information Management
Appears in collection: Department of Information Management

Files in this item:
ntu-106-R04725007-1.pdf, 3.65 MB, Adobe PDF (not authorized for public access)