Botnets steal commercial information, causing heavy financial losses to many enterprises and individuals. Previous research has found new trends in current malware: (1) it is developed in a modular fashion; (2) a variant can be produced merely by modifying or attaching a single module; and (3) it can detect virtual environments (anti-VM). This study uses the TRUMAN integrated automatic analysis tool: depending on whether the malware has anti-VM capability, it is placed either on a clean operating system (clear OS) or in a virtual machine, and it is also uploaded to the CWSandbox sandbox for analysis. Cross-comparison of the resulting analysis reports allows the malware's behaviour signature rules to be derived precisely; the frequent episode rule is then applied to compute their support and confidence, after which they are added to the malware behaviour database. Defenders can refer to these rules when performing threat analysis: based on the analysed attack steps, an attack tree is drawn to estimate the degree of threat posed by system vulnerabilities, so that administrators can conveniently analyse the system losses and risks caused by malware infection.
Botnet attacks cause serious financial losses to enterprises and individuals by stealing commercial information. In previous studies analysing malware signatures, defenders found that some malware has been updated with new features, including (i) modular design, (ii) variants built by altering part of the signature, and (iii) anti-VM capability. Accordingly, the present study proposes a new method for analysing the malware signature problem in botnets through an aggregated TRUMAN system and sandbox technique. In the proposed approach, both a clear OS and a sandbox are used to predict malware behaviour by comparing the results of the sandbox and TRUMAN, in order to increase precision and accuracy. The analysis capability of our scheme with respect to support and confidence degree is enhanced by means of frequent episodes. A series of case studies on threat analysis are performed to investigate the attack actions required to successfully estimate the threat degree from system vulnerabilities via attack trees. Overall, the results confirm that the proposed method provides an effective means of analysing the impact loss and risks arising from botnet threats.
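As an added illustration of the support and confidence computation the abstract refers to (example code, not the thesis's own implementation): serial episodes of behaviour events are counted over sliding time windows, and a rule's confidence is the support of the longer episode divided by the support of its prefix. The trace, event names and window width are constructed assumptions.

```python
# Added example, not the thesis's code. TRACE is a constructed behaviour
# trace of (timestamp, event), as a sandbox/TRUMAN report might be summarised;
# event names and window width are assumptions for illustration.
TRACE = [
    (1, "create_file"), (2, "set_registry_autorun"), (3, "connect_irc"),
    (4, "create_file"), (5, "set_registry_autorun"), (6, "connect_irc"),
    (7, "read_clipboard"), (8, "connect_irc"), (9, "create_file"),
    (10, "set_registry_autorun"), (11, "send_http_post"), (12, "connect_irc"),
]

def windows(trace, width):
    """Every sliding window [t, t+width); the first holds only the first
    event and the last only the last event, giving Te-Ts+width windows."""
    first, last = trace[0][0], trace[-1][0]
    for t in range(first - width + 1, last + 1):
        yield [e for ts, e in trace if t <= ts < t + width]

def contains_serial(events, episode):
    """True if the episode's events occur in this order (gaps allowed)."""
    i = 0
    for e in events:
        if i < len(episode) and e == episode[i]:
            i += 1
    return i == len(episode)

def support(trace, episode, width):
    """Fraction of windows in which the serial episode occurs."""
    wins = list(windows(trace, width))
    return sum(contains_serial(w, episode) for w in wins) / len(wins)

def confidence(trace, prefix, episode, width):
    """Confidence of the rule prefix => episode (episode extends prefix)."""
    return support(trace, episode, width) / support(trace, prefix, width)

def frequent_serial_episodes(trace, width, min_support, max_len=3):
    """Level-wise search: only frequent episodes are extended by one event."""
    alphabet = sorted({e for _, e in trace})
    frequent, level = {}, [(e,) for e in alphabet]
    for _ in range(max_len):
        level = [ep for ep in level if support(trace, ep, width) >= min_support]
        if not level:
            break
        frequent.update((ep, support(trace, ep, width)) for ep in level)
        level = [ep + (e,) for ep in level for e in alphabet]
    return frequent

if __name__ == "__main__":
    for ep, sup in frequent_serial_episodes(TRACE, 3, 0.3).items():
        print(ep, round(sup, 3))
```

With width 3 and a minimum support of 0.3, only the single events and the two-step episodes create_file -> set_registry_autorun and set_registry_autorun -> connect_irc survive; the three-step chain is too rare in this trace to become a rule.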