Academic Output - Theses


Title: 基於記憶體鑑識發掘惡意攻擊跡證與惡意程式特徵值之研究
A Study on Exposing Evidences of Malicious Attacks and Features of Malwares Based on Memory Forensics
Author: 莊禾暘
Chuang, Ho-Yang
Contributors (advisor, author): 左瑞麟
Tso, Ray-Lin
莊禾暘
Chuang, Ho-Yang
Keywords: Memory forensics (記憶體鑑識)
Web application vulnerabilities (Web應用程式漏洞)
Linux malware (Linux惡意程式)
Date: 2018
Upload time: 29-Aug-2018 15:55:28 (UTC+8)
Abstract (Chinese, translated): The TB-scale DDoS attacks seen to date have drawn their huge botnet armies mostly from IoT-connected devices. If attackers used such botnets to launch DDoS attacks against industrial infrastructure, the damage could be considerable. IoT development has now reached its fourth stage, in which devices communicate with one another through existing Web standards; this is called the WoT. With this new trend, the security issues to be faced are no longer limited to IoT-connected devices but also include Web application vulnerabilities. Meanwhile, the development of anti-forensic techniques such as private browsing mode and self-deleting malware puts obstacles in the way of forensic examiners during an investigation. This study therefore uses memory forensics techniques to examine attack methods that may occur in the WoT era.
Abstract (English): Currently, most of the DDoS attacks that exceed 1 TB per second are executed from large-scale IoT botnets. If these attacks were aimed at critical industrial infrastructure, they could cause damage to our society on an extraordinary scale. The rising threat of DDoS attacks is fueled by the increased development of IoT, which has now reached its fourth stage, called the WoT. WoT is a term used to describe approaches, software architectural styles and programming patterns that allow IoT objects to become part of the World Wide Web. As WoT approaches reality, on-device vulnerabilities are no longer the only problem that must be considered in a security assessment; Web application vulnerabilities must be considered as well. Additionally, forensic investigators now encounter new challenges that increase the difficulty of investigation, with some examples being privacy browsers and self-deleting malware. As a potential solution to those challenges, this thesis discusses how memory forensics can be used to discover the cyber-criminal in a WoT crime.
Description: Master's thesis
National Chengchi University
Department of Computer Science
Student ID 105753008
Source: http://thesis.lib.nccu.edu.tw/record/#G0105753008
Data type: thesis
dc.identifier (Other Identifiers): G0105753008
dc.identifier.uri (URI): http://nccur.lib.nccu.edu.tw/handle/140.119/119754
dc.description.tableofcontents (Table of Contents):
     Acknowledgements i
     Abstract (Chinese) ii
     Abstract iii
     Table of Contents iv
     List of Tables vi
     List of Figures vii
     Chapter 1 1
     1.1 Research Background 1
     1.2 Research Motivation 4
     1.3 Research Objectives 5
     Chapter 2 6
     2.1 SQL Injection 6
     2.2 Cross-Site Scripting (XSS) 9
     2.3 Botnets 12
     Chapter 3 15
     3.1 Memory Forensics Tools 15
     3.2 Memory Forensics Applications 17
     Chapter 4 19
     4.1 Forensic Analysis of Web Applications 20
     4.1.1 Attacks on Web Application Vulnerabilities 21
     4.1.2 Memory Forensics of Web Application Vulnerabilities 23
     4.2 Forensic Analysis of Linux Malware 26
     Chapter 5 32
     5.1 Experimental Environment and Methods 32
     5.1.1 Experimental Method for the Web Mechanism 33
     5.1.2 Experimental Method for Linux Malware 40
     5.2 Discussion and Analysis of the Web Mechanism 42
     5.3 Discussion and Analysis of Linux Malware 52
     5.4 Research Comparison and Contributions 54
     Chapter 6 57
     References 58
     Appendix 1 61
     Appendix 2 65
dc.identifier.doi (DOI): 10.6814/THE.NCCU.CS.010.2018.B02