Academic Output - Journal Articles


Title: Behavior Profiling and Detection of Botnet Malware in Virtualized Environments
Authors: 蕭舜文;孫雅麗;陳孟彰
Contributor: Department of Management Information Systems
Keywords: intrusion detection;behavior profiling;malware;virtual machine;botnet
Date: 2015-05
Upload time: 23-June-2017 17:28:12 (UTC+8)
Abstract: Botnets have been one of the most sophisticated and popular threats to Internet security, since many cybercrimes, e.g., DDoS and spamming, are launched through them. To detect the presence of bot malware, the first step is to understand its behavior. In this research, we take advantage of a virtualized environment and propose a profiling and detection mechanism for bot malware. The proposed profiling and detection agent resides in the virtual machine monitor and profiles the execution behavior of malware running inside a virtual machine. The output of the process is a characteristic description of the malware behavior, referred to as the malware profile, which is intended for effective malware detection: once analyzed, a profile can be used to check whether other virtual machines show similar signs of infection. Besides such passive malware detection, we also propose to use the obtained malware profiles to conduct active fingerprinting, detecting malware hidden in unknown compromised computers. The agent sends a specific stimulus to a targeted virtual machine and examines whether the expected triggerable behavior is observed. We use 40 real-world malware samples, cross-analyzed with several benign programs, to show that our profiling and detection mechanisms can correctly distinguish bots of each malware family from benign software with a low false-alarm rate.
Relation: 前瞻科技與管理, Vol.5, No.1, pp.85-105
Type: article
DOI: http://dx.doi.org/10.3966/222014242015050501004
dc.contributor Department of Management Information Systems
dc.creator (Author) 蕭舜文;孫雅麗;陳孟彰
dc.date (Date) 2015-05
dc.date.accessioned 23-June-2017 17:28:12 (UTC+8)
dc.date.available 23-June-2017 17:28:12 (UTC+8)
dc.date.issued (Upload time) 23-June-2017 17:28:12 (UTC+8)
dc.identifier.uri (URI) http://nccur.lib.nccu.edu.tw/handle/140.119/110476
dc.format.extent 111 bytes
dc.format.mimetype text/html
dc.relation (Relation) 前瞻科技與管理, Vol.5, No.1, pp.85-105
dc.subject (Keywords) intrusion detection;behavior profiling;malware;virtual machine;botnet
dc.title (Title) Behavior Profiling and Detection of Botnet Malware in Virtualized Environments
dc.type (Type) article
dc.identifier.doi (DOI) 10.3966/222014242015050501004
dc.doi.uri (DOI) http://dx.doi.org/10.3966/222014242015050501004