Degree thesis

基於高階API執行序列之惡意程式家族特徵的自動化產生與分析 (Chinese title; literally "Automated Generation and Analysis of Malware Family Signatures Based on High-Level API Execution Sequences")

Automated Malware Family Signature Generation based on Runtime API Call Sequence

Advisor: 孫雅麗

Abstract (translated from the Chinese)


The threat posed by malware has grown rapidly in recent years, and analyzing and understanding malware characteristics helps both detection and defense. Anti-virus vendors label samples with family names according to the characteristics they observe; this research uses those vendor labels as the basis for per-family behavior analysis. Because a single malware sample may be interleaved with many confounding behaviors, we focus on finding the behavior shared by a group of samples in the same family rather than on analyzing single samples. We designed and implemented RasMMA, a hierarchical clustering algorithm based on API call sequences. Given the dynamic (sandbox) traces of a group of malware samples, the algorithm clusters the samples by those traces and outputs the semantically meaningful common behavior of each cluster; these common behaviors serve as the family's signature behavior groups. During the research we also found that samples within one family can behave in diverse ways, so a family may have one or more common-behavior groups, and such groups may even span families. Beyond designing the algorithm that finds each family's signatures, this research applies those signatures to detecting later samples of a family and shows that our method classifies malware behavior-sequence data better than other traditional data mining methods.

Abstract (author's English version)


In recent years the threat from malware has grown worldwide, so analyzing malware and extracting its signatures matters: detection and defense both benefit from it. This research collected malware family labels from anti-virus vendors and analyzed the behavioral intent of each family. We designed an API call sequence-based clustering algorithm, RasMMA, which extracts the common signature of a group of malware samples. Given a set of malware profiles, RasMMA clusters the samples and outputs the common behavior of each cluster. That common behavior is semantic, so a human analyst can read from it what the malware intends to do, and it can be treated as the signature of the malware family. We also found that malware families are pluralistic: the behavior clusters within one family may differ from each other, and some clusters are cross-family, with behavior similar to that of other families. Finally, we applied the behavior clusters to detecting family samples and found that our method outperforms other traditional data mining methods at classifying time-series malware data.
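As an added illustration of the pipeline both abstracts describe (this is not the thesis's RasMMA code, whose details are not on this page), the following Python sketch clusters sandbox API call traces hierarchically by normalized longest-common-subsequence similarity, folds LCS over each cluster to obtain its ordered common behavior as the signature, and matches held-out traces against those signatures. The traces, vendor family labels, function names and the 0.6 / 0.8 thresholds are constructed assumptions; one constructed sample (ransomA_4) is deliberately given dropper-like behavior so that the cross-family cluster the abstract mentions actually appears.

```python
"""Added illustration of the abstract's pipeline: cluster API call traces,
take each cluster's common subsequence as a family signature, detect with it.
Not the thesis's RasMMA implementation; all traces/thresholds are constructed."""
from itertools import combinations

# Constructed sandbox traces: ordered Win32 API calls per sample. The prefix
# before "_" stands for the family label an AV vendor assigned to the sample.
# ransomA_4 is deliberately given dropper-like behavior (cross-family case).
TRACES = {
    "ransomA_1": ["CryptAcquireContext", "FindFirstFile", "ReadFile",
                  "CryptEncrypt", "WriteFile", "DeleteFile"],
    "ransomA_2": ["RegOpenKey", "CryptAcquireContext", "FindFirstFile", "ReadFile",
                  "CryptEncrypt", "WriteFile", "DeleteFile", "ShellExecute"],
    "ransomA_3": ["CryptAcquireContext", "FindFirstFile", "ReadFile",
                  "CryptEncrypt", "WriteFile", "DeleteFile", "CreateThread"],
    "ransomA_4": ["InternetOpen", "InternetOpenUrl", "InternetReadFile",
                  "WriteFile", "CreateProcess", "RegSetValue"],
    "dropperB_1": ["InternetOpen", "InternetOpenUrl", "InternetReadFile",
                   "WriteFile", "CreateProcess"],
    "dropperB_2": ["GetTempPath", "InternetOpen", "InternetOpenUrl", "InternetReadFile",
                   "WriteFile", "CreateProcess", "ExitProcess"],
    "dropperB_3": ["InternetOpen", "InternetOpenUrl", "InternetReadFile",
                   "WriteFile", "CreateProcess"],
}
# Constructed held-out traces: a noisy ransomA descendant and a benign file copy.
NEW_RANSOM = ["CreateMutex", "CryptAcquireContext", "FindFirstFile", "ReadFile",
              "CryptEncrypt", "WriteFile", "Sleep", "DeleteFile"]
BENIGN_COPY = ["FindFirstFile", "ReadFile", "WriteFile", "CloseHandle"]


def lcs(a, b):
    """Longest common subsequence of two call lists (order kept, gaps allowed)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return out


def similarity(a, b):
    """LCS length normalized by the longer trace: 1.0 identical, 0.0 disjoint."""
    return len(lcs(a, b)) / max(len(a), len(b))


def vendor_family(sample_id):
    """Vendor family label encoded in the constructed sample id."""
    return sample_id.rsplit("_", 1)[0]


def cluster(traces, threshold=0.6):
    """Average-linkage agglomerative clustering over trace similarity:
    merge the two closest clusters until no pair averages above threshold."""
    clusters = [[sid] for sid in traces]
    while len(clusters) > 1:
        best, pair = 0.0, None
        for x, y in combinations(range(len(clusters)), 2):
            sims = [similarity(traces[p], traces[q]) for p in clusters[x] for q in clusters[y]]
            avg = sum(sims) / len(sims)
            if avg > best:
                best, pair = avg, (x, y)
        if pair is None or best < threshold:
            break
        x, y = pair
        clusters = [c for k, c in enumerate(clusters) if k not in pair] + [clusters[x] + clusters[y]]
    return [sorted(c) for c in clusters]


def common_behavior(traces, members):
    """Fold LCS over a cluster: the ordered API calls every member performs."""
    sig = list(traces[members[0]])
    for sid in members[1:]:
        sig = lcs(sig, traces[sid])
    return sig


def build_signatures(traces, threshold=0.6):
    """Cluster, then map a name built from the members' vendor labels to the
    cluster's common behavior; a name containing '+' marks a cross-family cluster."""
    sigs = {}
    for members in cluster(traces, threshold):
        name = "+".join(sorted({vendor_family(s) for s in members}))
        sigs[name] = common_behavior(traces, members)
    return sigs


def classify(signatures, trace, min_coverage=0.8):
    """Return (cluster name, coverage) for the signature the trace covers best
    in order; the name is None when no signature reaches min_coverage."""
    best_name, best_cov = None, 0.0
    for name, sig in signatures.items():
        cov = len(lcs(sig, trace)) / len(sig)
        if cov > best_cov:
            best_name, best_cov = name, cov
    return (best_name if best_cov >= min_coverage else None, best_cov)


if __name__ == "__main__":
    sigs = build_signatures(TRACES)
    for name, sig in sigs.items():
        print(name, "->", " > ".join(sig))
    print("new sample:", classify(sigs, NEW_RANSOM))
    print("file copy :", classify(sigs, BENIGN_COPY))
```

On the constructed traces this yields two clusters: a pure ransomA cluster whose signature is the encrypt-then-delete sequence, and a dropper cluster that absorbs ransomA_4, so its name carries both vendor labels, which is the cross-family phenomenon the abstract reports. The held-out ransomA descendant still covers the whole ransomA signature despite added noise calls, while the benign file copy covers only half of it and is rejected. Subsequence coverage is deliberately gap-tolerant, since a descendant sample typically inserts or reorders unrelated calls around the family's core behavior.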

