學術產出-期刊論文

文章檢視/開啟

書目匯出

Google ScholarTM

政大圖書館

引文資訊

TAIR相關學術產出

題名 使用動態分析資料於卷積神經網路上進行惡意程式家族分類
作者 蕭舜文
Hsiao, Shun-Wen 
貢獻者 資管系
關鍵詞 惡意程式 ; 動態分析 ; 卷積神經網路 ; 行為分類
Malwar e; dynamic analysi s; convolution neural network ; behavior classification
日期 2018-01
上傳時間 2020-05-27
摘要 傳統上惡意程式的病毒碼特徵擷取與惡意行為分析需要耗費大量的人力與時間,分析過程通常需要借助資訊安全專家多年對於惡意程式分析的經驗。資安專家通常會比對過去已知的惡意特徵將新發現的惡意程式歸類到已知的惡意程式家族。然而現今新的惡意程式變種數量已經大幅超越人工分析的能力,面對如此資安挑戰,本論文的目的是藉助卷積神經網路對惡意程式進行家族進行自動分類並產生行為特徵,將過去人工的動作轉為自動,與其他過去的研究不同,本論文先對惡意程式進行動態側寫分析並產出其高階的Windows API呼叫序列紀錄,而卷積神經網路將視Windows API呼叫序列為輸入資料並最終輸出惡意程式家族分類的結果。本文亦利用卷積神經網路的學習結果來解釋其惡意程式之特徵行為。在實驗上我們採用國網中心以及資策會於真實世界蒐集的惡意程式,進行動態分析側寫後進行監督式的訓練以及驗證,其家族分類準確率超過99%。我們的實驗並證明可以使用有限的Windows API呼叫序列就能進行正確的家族分類,如此我們的研究成果可以進一步導入至入侵防禦系統,進行早期的入侵偵測。
Conventionally, it takes lots of time and human resources to analyze malware to extract its byte signature and malicious behavior. Usually, such analysis process relies on years of experience of malware analysis by the cybersecurity domain experts. They usually classify the unseen malware sample into a known malware family by checking against known behavior characteristics. However, nowadays the number of new malware is too large for human experts to manually analyze them. To face such cybersecurity challenge, the purpose of this paper is to provide a method to automatically classify malware by using convolution neural network (CNN) and generate behavior characteristics with the help of CNN. Unlike previous research works, we firstly perform dynamic analysis on malware sample and produce its high-level Windows API call sequences as its behavior profile. Then, the API call sequences are fed into the convolution neural network as input to generate the malware family classification result. We also use the learning result of the convolution neural network to explain the behavior characteristics of the malware families. In our experiments, we use the malware samples collected from the real world by the National Center for High-Performance Computing (Taiwan) to generate malware profiles and perform supervised training and validation. The family classification accuracy is over 99%. Our experiments also show that we can use a limited number of Windows API call sequences to perform malware classification; in this case, our result can be used in an intrusion prevention system for early malware detection.
關聯 資訊安全通訊, Vol.24, No.1, pp.41-60
資料類型 article
dc.contributor 資管系
dc.creator (作者) 蕭舜文
dc.creator (作者) Hsiao, Shun-Wen 
dc.date (日期) 2018-01
dc.date.accessioned 2020-05-27-
dc.date.available 2020-05-27-
dc.date.issued (上傳時間) 2020-05-27-
dc.identifier.uri (URI) http://nccur.lib.nccu.edu.tw/handle/140.119/129972-
dc.description.abstract (摘要) 傳統上惡意程式的病毒碼特徵擷取與惡意行為分析需要耗費大量的人力與時間,分析過程通常需要借助資訊安全專家多年對於惡意程式分析的經驗。資安專家通常會比對過去已知的惡意特徵將新發現的惡意程式歸類到已知的惡意程式家族。然而現今新的惡意程式變種數量已經大幅超越人工分析的能力,面對如此資安挑戰,本論文的目的是藉助卷積神經網路對惡意程式進行家族進行自動分類並產生行為特徵,將過去人工的動作轉為自動,與其他過去的研究不同,本論文先對惡意程式進行動態側寫分析並產出其高階的Windows API呼叫序列紀錄,而卷積神經網路將視Windows API呼叫序列為輸入資料並最終輸出惡意程式家族分類的結果。本文亦利用卷積神經網路的學習結果來解釋其惡意程式之特徵行為。在實驗上我們採用國網中心以及資策會於真實世界蒐集的惡意程式,進行動態分析側寫後進行監督式的訓練以及驗證,其家族分類準確率超過99%。我們的實驗並證明可以使用有限的Windows API呼叫序列就能進行正確的家族分類,如此我們的研究成果可以進一步導入至入侵防禦系統,進行早期的入侵偵測。
dc.description.abstract (摘要) Conventionally, it takes lots of time and human resources to analyze malware to extract its byte signature and malicious behavior. Usually, such analysis process relies on years of experience of malware analysis by the cybersecurity domain experts. They usually classify the unseen malware sample into a known malware family by checking against known behavior characteristics. However, nowadays the number of new malware is too large for human experts to manually analyze them. To face such cybersecurity challenge, the purpose of this paper is to provide a method to automatically classify malware by using convolution neural network (CNN) and generate behavior characteristics with the help of CNN. Unlike previous research works, we firstly perform dynamic analysis on malware sample and produce its high-level Windows API call sequences as its behavior profile. Then, the API call sequences are fed into the convolution neural network as input to generate the malware family classification result. We also use the learning result of the convolution neural network to explain the behavior characteristics of the malware families. In our experiments, we use the malware samples collected from the real world by the National Center for High-Performance Computing (Taiwan) to generate malware profiles and perform supervised training and validation. The family classification accuracy is over 99%. Our experiments also show that we can use a limited number of Windows API call sequences to perform malware classification; in this case, our result can be used in an intrusion prevention system for early malware detection.
dc.format.extent 857507 bytes-
dc.format.mimetype application/pdf-
dc.relation (關聯) 資訊安全通訊, Vol.24, No.1, pp.41-60
dc.subject (關鍵詞) 惡意程式 ; 動態分析 ; 卷積神經網路 ; 行為分類
dc.subject (關鍵詞) Malwar e; dynamic analysi s; convolution neural network ; behavior classification
dc.title (題名) 使用動態分析資料於卷積神經網路上進行惡意程式家族分類
dc.type (資料類型) article