Title page for 984203053



Student Number 984203053
Author Chien-Fu Peng(彭建福)
Author's Email Address No Public.
Statistics This thesis has been viewed 540 times and downloaded 484 times.
Department Information Management
Year 2010
Semester 2
Degree Master
Type of Document Master's Thesis
Language zh-TW.Big5 Chinese
Title Using Aggregation Technology to Improve System Call Based Malware Behavior Detection
Date of Defense 2011-07-19
Page Count 63
Keywords
  • Behavioral detection of malware
  • self-replication
  • survival intent
  • system call
Abstract Malware is a kind of software that is intended to attack computer systems. In recent years there has been a significant increase in the number of malware samples, and malware also uses polymorphism, obfuscation and packing techniques to protect itself. For these reasons the effectiveness of traditional static malware detection is limited, so many recent studies have focused on dynamic malware detection. However, most previous studies are process-centric: they monitor only a single process's behavior, ignoring the possibility that malware uses multiple processes to complete its malicious intent, or controls a legitimate process to hide its malicious behavior. In this thesis we propose using a dependency structure matrix to record the behavior of all processes in the user's system, together with an algorithm that detects self-replication and survival behavior spanning multiple processes; the relations among system processes are found by aggregation technology, which improves the detection rate of traditional dynamic malware detection. To evaluate the proposed system, we execute malware samples in a virtual machine, record the system's processes with the Process Monitor tool, and then check whether our system detects the malware. Experimental results show that, among the 140 malware samples, we can detect the 11% that used multiple processes to complete their malicious intent, and that our approach overcomes a weakness of previous studies, which had to use a white list to avoid false positives.
    Table of Contents
    Chinese Abstract I
    English Abstract II
    Table of Contents III
    List of Figures V
    List of Tables VII
    Chapter 1 Introduction 1
    1.1 Research Background 2
    1.2 Research Motivation and Objectives 4
    1.3 Research Contributions 7
    1.4 Thesis Organization 8
    Chapter 2 Related Work 9
    2.1 Research on Malware Behavioral Characteristics 9
    2.2 Research on Self-Replication Behavior Detection 10
    2.3 Research on Malware Survival Intent Detection 14
    2.4 Summary 15
    Chapter 3 Aggregation Detection Technology 17
    3.1 Research Limitations and Considerations 18
    3.2 Analysis of Malware Self-Replication and Survival Intent Behavior 18
    3.3 Dependency Structure Matrix 23
    3.4 Detection of Malware Self-Replication Behavior 26
    3.5 Detection of Malware Survival Intent 31
    Chapter 4 Analysis of Experimental Results 33
    4.1 Experimental Architecture and Procedure 33
    4.2 Analysis of Pre-Training Experiments 35
    4.3 Analysis of Self-Replication Detection Experiments 39
    4.4 Performance Analysis 41
    4.5 Comparison of Experimental Results with Commercial Software 42
    Chapter 5 Conclusions and Future Work 48
    5.1 Research Conclusions and Contributions 48
    5.2 Future Research 49
    References 50
    Reference
    [ACK 2007] Moser, A., Kruegel, C., Kirda, E., "Exploring Multiple Execution Paths for Malware Analysis," IEEE Symposium on Security and Privacy, Oakland, 2007.
    [ESK 2011] Egele, M., Scholte, T., Kirda, E., Kruegel, C., "A Survey on Automated Dynamic Malware Analysis Techniques and Tools," ACM Computing Surveys, 2011.
    [KREB 2007] Krebs, B., "Mpack Exploit Tool Slips Through Security Holes," The Washington Post, June 2007.
    [KASP 2002] Kaspersky Corporation, "Attempts to Infect Users' Computers Increase by over 25%," 2011. http://www.kaspersky.com/reading_room?chapter=207717258
    [SYMA 2010] Symantec Corporation, "Symantec Global Internet Security Threat Report, Volume 16," 2010. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
    [SYMA 2011] Symantec Corporation, "Symantec Global Internet Security Threat Report, Volume 16," 2011. http://www.symantec.com/business/threatreport/index.jsp
    [HZD 2008] Yin, H., Liang, Z., Song, D., "HookFinder: Identifying and Understanding Malware Hooking Behaviors," Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS '08), February 2008.
    [VASU 2008] Vasudevan, A., "MalTRAK: Tracking and Eliminating Unknown Malware," Proceedings of the Annual Computer Security Applications Conference, pp. 311-321, 2008.
    [ALSA 2008] Alsagoff, S., "Malware Self Protection Mechanism," International Symposium on Information Technology (ITSim 2008), vol. 3, pp. 1-8, 2008.
    [LBK 2008] Lanzi, A., Balzarotti, D., Kruegel, C., "AccessMiner: Using System-Centric Models for Malware Protection," Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 399-412, 2010.
    [KCK 2009] Kolbitsch, C., Comparetti, P. M., Kruegel, C., "Effective and Efficient Malware Detection at the End Host," USENIX Security Symposium, Montréal, Canada, August 2009.
    [MWCZ 2010] Miao, Q. G., Wang, Y., Cao, Y., Zhang, X. G., "APICapture: A Tool for Monitoring the Behavior of Malware," Proceedings of the 3rd International Conference on Advanced Computer Theory and Engineering, pp. 390-394, August 2010.
    [MCD 2010] Morales, J. A., Clarke, P. J., Deng, Y., "Identification of File Infecting Virus through Detection of Self-Reference Replication," Journal in Computer Virology, 2010.
    [MCD 2008] Morales, J. A., Clarke, P. J., Deng, Y., "Characterizing and Detecting Virus Replication," Proceedings of the Third International Conference on Systems, Cancun, pp. 214-219, 2008.
    [SVS 2007] Skormin, V., Volynkin, A., Summerville, D., "Prevention of Information Attacks by Run-Time Detection of Self-Replication in Computer Codes," Journal in Computer Virology, 2010.
    [EK 2007] Egele, M., Kruegel, C., "Dynamic Spyware Analysis," Proceedings of the USENIX Annual Technical Conference, 2007.
    [YSE 2007] Yin, H., Song, D., Egele, M., Kruegel, C., "Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis," Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 116-127, 2007.
    [WRV 2005] Wang, Y. M., Roussev, R., Verbowski, C., "Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management," Proceedings of the 18th Large Installation System Administration Conference (LISA '04), Atlanta, GA, November 2004.
    [WWK 2008] Wu, M. W., Wang, Y. M., Kuo, S. Y., "Self-Healing Spyware: Detection, and Remediation," IEEE Transactions on Reliability, pp. 588-596, 2007.
    [KAS 2010] Kaspersky Corporation, "Kaspersky Security Bulletin 2010. Statistics," 2010. http://www.securelist.com/en/analysis/204792162/Kaspersky_Security_Bulletin_2010_Statistics_2010
    [SOPHOS 2010] Sophos, W32/Krap, http://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/Mal~Krap-I.aspx
    [SOPHOS 2008] Sophos, Troj/Lineag, http://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/Troj~Lineag-DQ.aspx
    [SOPHOS 2010] Sophos, Mal/Katusha-A, http://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/Mal~Katusha-A.aspx
    [FY 2010] Fukushima, Y., Sakai, A., "A Behavior Based Malware Detection Scheme for Avoiding False Positive," Proceedings of the 6th IEEE Secure Network Protocols (NPSec), pp. 79-84, 2010.
    [WPZ 2009] Wang, C., Pang, J., Zhao, R., "Using API Sequence and Bayes Algorithm to Detect Suspicious Behavior," International Conference on Communication Software and Networks, 2009.
    [TA 2001] Browning, T. R., "Applying the Design Structure Matrix to System Decomposition and Integration Problems: A Review and New Directions," IEEE Transactions on Engineering Management, pp. 292-306, 2001.
    [BHB 2009] Bayer, U., Habibi, I., Balzarotti, D., "A View on Current Malware Behaviors," Proceedings of the 2nd USENIX Conference on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, 2009.
    [AV 2010] Alazab, M., Venkataraman, S., "Towards Understanding Malware Behaviour by the Extraction of API Calls," IEEE/ACM Transactions on Networking, Volume 15, 2010.
    [PM 2010] Process Monitor, http://technet.microsoft.com/en-us/sysinternals/bb896645, 2010.
    [EVAD 2009] "Evading userland hooks - problems w/ hooking implementations," http://www.stanford.edu/~stinson/paper notes/win dev/hooks/defeating hooks.txt
    [KT 2009] Keong, T. C., AntiHookExec Version 1.0 (Anti API Hooking Proof-Of-Concept), http://www.security.org.sg/code/antihookexec.html
    [VX 2010] VX Heaven, http://vx.netlux.org/, 2010.
    [OC 2010] Offensive Computing, http://www.offensivecomputing.net/
    [PERF 2010] Perfmon, http://technet.microsoft.com/en-us/library/bb490957.aspx
    [KAS 2011] Kaspersky Corporation, "Monthly Malware Statistics, March 2011," 2011.
    [VT 2009] VirusTotal, http://www.virustotal.com/
    [MD 2010] Sophos, Troj/Mdrop-COH (alias: Trojan-GameThief.Win32.Magania.ddox), http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Mdrop-COH.aspx
    [CON 2010] Sophos, Mal/Conficker-A, http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Conficker-A/detailed-analysis.aspx
    [SAL 2010] Sophos, W32/Sality-AM, http://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/W32~Sality-AM.aspx
    [CLAM 2010] ClamAV, http://www.clamav.net/lang/en/, 2010.
    [NOVA 2010] NovaShield, http://www.novashield.com/, 2010.
Advisor Yi-Ming Chen(陳奕明)
Files 984203053.pdf (approve in 1 year)
    Date of Submission 2011-08-25
