| Field | Value |
|---|---|
| Graduate student | 謝棋安 Hsieh, Chi-An |
| Thesis title | 以檔案特徵分析減少殭屍網路惡意程式檢測誤判率之研究 (A Study of Improving the Detection Accuracy by Analyzing the File Patterns of Botnet Malware) |
| Advisor | 區國良 Ou, Kuo-Liang |
| Oral examination committee | |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science, Department of Computer Science |
| Year of publication | 2012 |
| Graduation academic year | 101 |
| Language | Chinese |
| Number of pages | 43 |
| Chinese keywords | Botnet (殭屍網路), Malware (惡意程式), Machine Learning (機器學習), virustotal |
| Foreign-language keywords | Botnet, Malware, Machine Learning, virustotal |
In recent years, with the rapid development and spread of the Internet, people's lives have become inseparable from computers and networks. As a result, large numbers of malicious programs (malware) have become active on the Internet, waiting for any opportunity to steal sensitive, confidential data from personal computers. Many malware families keep producing variants, the effectiveness with which anti-virus software detects them is gradually declining, and raising the accuracy of anti-virus software has become an issue for every anti-virus vendor.
This thesis identifies files and programs with malicious characteristics from common security-check rules covering running processes, specific local folders, programs executed at startup, and similar locations. The files are checked with VirusTotal, and machine learning is then applied to find regularities of the malware and file patterns that anti-virus software does not easily detect, in order to build an effective decision tree. The tree raises accuracy and reduces the misjudgements and erroneous file deletions of a single anti-virus product, thereby improving system security.
With the convenience and ease of use of the Internet, people widely rely on it to communicate with each other and to perform daily work. Meanwhile, security-sensitive information and personal data are exchanged over the Internet without any protection. Malware therefore has opportunities to steal that information from PCs secretly, without leaving any trace. Although several anti-virus systems give PCs robust protection from malware attacks, misjudgements by anti-virus systems still bother users. Improving the correct rate of anti-virus systems is thus an important issue.
In this study, file attributes are employed to improve the correct rate of anti-virus systems. The attributes concern processes, special folders, programs run at startup, and local device files. After the target files stored on the PCs are filtered by an anti-virus system, for example VirusTotal, a machine learning technique is used to find regularities of the malware and to build an effective decision tree. The tree classifies infected and clean files by testing the file attributes along its rules, and at the same time the reasons for the anti-virus system's misjudgements are revealed by tracking those rules. In an experiment analyzing all files collected from 2 PCs (1663 files infected and 2421 clean), the decision tree improved the performance of VirusTotal in accuracy, precision, recall and true-negative rate. In particular, precision improved from 49.4% to 94.1%, which means that the number of misjudged files was successfully decreased with the assistance of file attributes in the decision tree.
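As an added illustration (not the thesis's own code or data), the following Python builds a small ID3 decision tree from constructed file-attribute rows of the kind the abstract names (startup entry, special folder, running process) together with a single engine's verdict, compares the engine alone against the tree on accuracy, precision, recall and true-negative rate, and traces the rule path behind a verdict. The feature names, the binary encoding and every sample row are assumptions made here, chosen so that the lone engine shows low precision.

```python
import math
from collections import Counter
FEATURES = ["av_flag", "in_startup", "in_special_dir", "is_process"]
# Constructed rows: (av_flag, in_startup, in_special_dir, is_process, label); label 1 = malicious.
# The second line of tuples is clean files that the single engine nevertheless flags.
SAMPLE = [
    (1, 1, 1, 1, 1), (1, 1, 0, 0, 1), (1, 1, 1, 0, 1), (0, 1, 1, 1, 1),
    (1, 0, 0, 0, 0), (1, 0, 1, 0, 0), (1, 0, 0, 1, 0), (1, 0, 1, 1, 0),
    (0, 0, 0, 0, 0), (0, 0, 1, 1, 0), (0, 1, 1, 0, 0), (0, 0, 0, 1, 0), (0, 1, 0, 0, 0),
]
ROWS = [(dict(zip(FEATURES, r[:-1])), r[-1]) for r in SAMPLE]

def entropy(rows):
    n = len(rows)
    return -sum(c / n * math.log2(c / n) for c in Counter(y for _, y in rows).values())

def gain(rows, feat):  # information gain of splitting rows on a binary feature
    parts = [[r for r in rows if r[0][feat] == v] for v in (0, 1)]
    return entropy(rows) - sum(len(p) / len(rows) * entropy(p) for p in parts if p)

def build(rows, feats, parent_majority=0):
    """ID3: return a leaf label or (feature, {value: subtree}); ties keep feature order."""
    if not rows:
        return parent_majority
    majority = Counter(y for _, y in rows).most_common(1)[0][0]
    if entropy(rows) == 0 or not feats:
        return majority
    best = max(feats, key=lambda f: gain(rows, f))
    if gain(rows, best) <= 0:
        return majority
    rest = [f for f in feats if f != best]
    return best, {v: build([r for r in rows if r[0][best] == v], rest, majority) for v in (0, 1)}

def classify(tree, x, path=()):
    """Walk the tree and return (label, rule path) so every verdict can be explained."""
    while isinstance(tree, tuple):
        feat, branches = tree
        path += (f"{feat}={x[feat]}",)
        tree = branches[x[feat]]
    return tree, path

def metrics(pairs):  # (predicted, actual) pairs -> accuracy, precision, recall, true-negative rate
    c = Counter(pairs)
    tp, fp, tn, fn = c[1, 1], c[1, 0], c[0, 0], c[0, 1]
    return {"accuracy": (tp + tn) / len(pairs), "precision": tp / (tp + fp),
            "recall": tp / (tp + fn), "tnr": tn / (tn + fp)}

TREE = build(ROWS, FEATURES)
AV_ONLY = metrics([(x["av_flag"], y) for x, y in ROWS])  # the engine's verdict alone
TREE_METRICS = metrics([(classify(TREE, x)[0], y) for x, y in ROWS])
```

Calling `classify(TREE, file_attributes)` on an engine-flagged file that is not a startup entry returns the clean label with the path `("in_startup=0",)`, which is the kind of rule trace the abstract uses to explain a misjudgement.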