Thesis/Dissertation etd-0821107-114320: Detailed Record
Title page for etd-0821107-114320
Title: 以模式基礎推論用於偵測惡意動態網頁之研究 (Malicious DHTML Detection by Model-based Reasoning)
Department:
Year, semester:
Language:
Degree:
Number of pages: 47
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2007-06-23
Date of Submission: 2007-08-21
Keywords: model checking, memory-based reasoning, semantics, malicious code
Statistics: This thesis has been browsed 5871 times and downloaded 22 times.
Chinese Abstract
Dynamic HTML (DHTML) is an approach that combines HTML, client-side script and related technologies to create dynamic content in web pages. The demand for dynamic web pages and the spread of web applications have given attackers a new attack vector, DHTML, which is easy to distribute and hard to notice. Against malicious DHTML, which is usually transformed and obfuscated, the signature-matching technique generally used by the anti-virus software that ordinary users rely on has little effect.
In view of this, this study takes the perspective of models and reasoning and proposes Model-based Reasoning (MoBR), an algorithm that is resilient to obfuscation mechanisms such as polymorphism and metamorphism and can correctly decide whether a DHTML page is malicious. In MoBR, this study uses a template mechanism that describes both lexical and semantic features to build the model of a class of malicious DHTML. Experiments on DHTML collected from the real Internet confirm that, compared with commercial anti-virus software, AlgoMD, the detector implemented in this study on the basis of MoBR, performs well in both false-alarm rate and misclassification rate. In addition, AlgoMD is resilient to obfuscation mechanisms and can effectively identify obfuscated, transformed malicious DHTML pages at a low false positive rate.
Abstract
Comprising HTML, client-side script, and other related technologies, Dynamic HTML (DHTML) is a mechanism for creating dynamic content in a web page. Nowadays, because of the demand for dynamic web pages and the spread of web applications, attackers have a new, easily spread, and hard-to-detect intrusion vector: DHTML. Commercial anti-virus software, which commonly uses a pattern-matching approach, remains weak against commonly obfuscated malicious DHTML.
Given this situation, we propose a new detection algorithm, Model-based Reasoning (MoBR), based on the notions of model and reasoning, that is resilient to the common obfuscations used by attackers and can correctly determine whether a web page is malicious or not. By describing text and semantic signatures, we construct the model of a malicious DHTML through a template mechanism. Experimental evaluation on actual DHTML demonstrates that our detection algorithm is tolerant of obfuscation and performs much better than commercial anti-virus software. Furthermore, it can detect variants of malicious DHTML with a low false positive rate.
Table of Contents
Chapter 1. Introduction 1
  Section 1. Research Background 1
  Section 2. Research Motivation 3
Chapter 2. Literature Review 6
  Section 1. Static and Dynamic Analysis 6
  Section 2. Malicious Code Concealment Techniques 7
  Section 3. Related Work on Malware Detection 8
  Section 4. Memory-Based Reasoning 10
Chapter 3. Detection Algorithm 12
  Section 1. Model-Based Reasoning (MoBR) Algorithm 14
  Section 2. Formal Definition of Templates 16
  Section 3. Backward Model Checking 18
  Section 4. Distance Function 21
  Section 5. Combination Function 22
  Section 6. Advantages and Limitations of the Algorithm 23
Chapter 4. Experimental Design and Parameter Effects 23
  Section 1. Collection and Classification of Malicious DHTML Samples 24
  Section 2. Template Writing and Benign Sample Collection 26
  Section 3. Random Sampling and Experiments 27
  Section 4. Parameter Settings and Their Effects 28
  Section 5. Experimental Results 30
Chapter 5. Conclusion 33
References 34
Appendix 1 37
Fulltext
This electronic full text is licensed only for individual, non-commercial retrieval, reading and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization.
Thesis access permission: available on campus after one year; never available off campus.
Available:
Campus: available
Off-campus: not available
Printed copies
Information on the public availability of printed theses is relatively complete from academic year 102 onwards. To check the availability of printed theses from academic year 101 or earlier, please contact the printed thesis service counter of the Library and Information Services Office. We apologize for any inconvenience.
Available: available