Thesis/Dissertation etd-0729117-230140: Details
Title page for etd-0729117-230140
Title: 藉由監控I/O請求以進行勒索軟體偵測 (Ransomware Detection by Monitoring I/O Requests)
Department:
Year, semester:
Language:
Degree:
Number of pages: 85
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2017-07-25
Date of Submission: 2017-09-20
Keywords: Malware, Dynamic Detection, Ransomware
Statistics: The thesis/dissertation has been browsed 5906 times and downloaded 61 times.
Chinese Abstract (translated)
In recent years, every major security vendor has listed ransomware as a key item in its annual threat analysis report. Ransomware is used as the final attack payload by the operators of large-scale distribution networks such as botnets and exploit kits; by the FBI's conservative estimate, ransomware caused more than one billion US dollars of damage worldwide in the first half of 2016. This shows the threat ransomware poses to information security, and in the face of its rapid growth, evolution and constant stream of new variants, developing a detection system that defends against it effectively is imperative.
Traditional antivirus software has many gaps when facing the ransomware threat; static analysis and virus signatures simply cannot keep up with the pace at which new ransomware variants appear around the world. Several academic papers have proposed detection systems for this situation, but none of them presents a reasonable design for distinguishing benign software and limiting false positives against it, so their detection methods cannot become practical systems. This study therefore proposes a hypothesis and implements a detection system that detects ransomware effectively while reducing the false-positive rate on benign software and remaining applicable in the future.
This study uses the Minifilter architecture to monitor system IRPs (I/O request packets) in order to detect ransomware. Besides collecting IRP logs to analyze and determine the threshold values, it also deploys decoy folders to increase detection capability. In addition, it uses the consistency of file headers before and after a change, and the change in a file's entropy before and after modification, to reduce the false-positive rate on benign programs.
Abstract
In recent years, the major security companies have all reported ransomware as one of the main topics in their annual threat analysis reports. Large malware distribution networks such as botnets and exploit kits all use ransomware as their final attack weapon. According to conservative FBI estimates, ransomware caused more than one billion dollars of damage around the world in the first half of 2016. Ransomware is clearly a huge threat to information security. Given the rapid rate at which ransomware evolves and the unstoppable appearance of new variants, developing an effective defense system against ransomware is imperative.
Traditional anti-virus software has many omissions when facing ransomware threats; the static-analysis and virus-signature methods cannot keep up with the speed at which the endless stream of ransomware variants appears around the world. Some academic papers have proposed detection systems for this situation, but these systems do not design any reasonable method to reduce the rate at which benign software is misdetected as malware, so they cannot become practical systems. Therefore, this study defines a hypothesis and implements an effective ransomware detection system that reduces the false detection rate on benign software and retains future applicability.
This study uses the Minifilter architecture to monitor system IRPs (I/O request packets) to detect ransomware. In addition to collecting IRP logs to analyze the threshold, the system also uses a decoy folder to increase its detection capability. Moreover, this study compares the file type (header) and the entropy of a file before and after it is changed, to reduce the rate at which benign software is misdetected as malware.
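The abstract describes two per-file false-positive filters applied on top of the IRP thresholds and decoy folders: checking that a file's header still matches its type after a write, and checking how much the file's Shannon entropy changes. The following added example (written for this page, not code from the thesis) implements both checks in user-mode Python over constructed sample files; the magic-number table, the entropy thresholds and the sample contents are assumptions, and a real deployment would feed it the pre- and post-write buffers captured by the Minifilter.

```python
import math
import hashlib
from collections import Counter

# Constructed magic-number table for the file types this check recognises.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-",
         ".jpg": b"\xff\xd8\xff", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def header_matches(data: bytes, ext: str) -> bool:
    """True when the leading bytes agree with the magic number for the extension."""
    magic = MAGIC.get(ext.lower())
    return True if magic is None else data.startswith(magic)  # unknown type: no verdict

def classify_write(ext, before, after, entropy_jump=1.5, high_entropy=7.5):
    """Judge one file modification from its pre- and post-write contents.
    Returns (suspicious, reason). The threshold values are assumptions, not the thesis's."""
    if not before:
        return False, "no baseline content to compare against"
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    if header_matches(before, ext) and not header_matches(after, ext):
        return True, "file header no longer matches its type (entropy %.2f -> %.2f)" % (e_before, e_after)
    if e_after - e_before >= entropy_jump and e_after >= high_entropy:
        return True, "entropy jumped %.2f -> %.2f" % (e_before, e_after)
    return False, "header intact, entropy %.2f -> %.2f" % (e_before, e_after)

def pseudo_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chaining) standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])

# Constructed sample files: a PNG-like image overwritten by ciphertext, and a PDF-like
# text file legitimately edited in place (header kept, entropy roughly unchanged).
ORIGINAL_PNG = MAGIC[".png"] + b"\x00" * 4000 + b"IEND"
ENCRYPTED_PNG = pseudo_ciphertext(len(ORIGINAL_PNG))
ORIGINAL_PDF = MAGIC[".pdf"] + b"1.4\n" + b"BT (Hello, world) Tj ET\n" * 150
EDITED_PDF = ORIGINAL_PDF + b"BT (One more line) Tj ET\n" * 20

if __name__ == "__main__":
    print(classify_write(".png", ORIGINAL_PNG, ENCRYPTED_PNG))
    print(classify_write(".pdf", ORIGINAL_PDF, EDITED_PDF))
```

Newly created files have no baseline and are left to the IRP-rate and decoy checks, since archives and already-compressed media are legitimately high-entropy.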
Table of Contents
Acknowledgements ii
Chinese Abstract iii
Abstract iv
Chapter 1 Introduction 1
1.1 Research Background 1
1.2 Research Motivation 4
Chapter 2 Literature Review 6
2.1 Technical Aspects of Ransomware 6
2.2 Software Variants 15
2.3 Static Analysis 21
2.4 Dynamic Analysis 25
2.5 Ransomware 25
2.6 Threat Attack Vectors and Process 27
Chapter 3 System Design 32
3.1 Windows I/O Modules and Applications 32
3.2 Windows Minifilter and IRP Architecture 32
3.3 IRP Flow of Ransomware Processing a Single File 40
3.4 Dynamic Analysis Design 43
3.5 Threshold Module Design 45
3.6 File Header Detection Design 47
3.7 Shannon Entropy Detection Design 48
Chapter 4 System Verification 51
4.1 Determining Thresholds for Classified Detection 51
4.2 File Header Experiment 59
4.3 Shannon Entropy Experiment 60
4.4 System Test 62
4.5 Comparative System Test 64
4.6 Detecting Unknown New Ransomware 65
Chapter 5 Conclusion and Future Work 66
References 67
Fulltext
Thesis access permission: unrestricted (on-campus and off-campus)
Available:
Campus: available
Off-campus: available


Printed copies
Available: available