Responsive image
博碩士論文 etd-0821107-114320 詳細資訊
Title page for etd-0821107-114320
論文名稱
Title
以模式基礎推論用於偵測惡意動態網頁之研究
Malicious DHTML Detection by Model-based Reasoning
系所名稱
Department
畢業學年期
Year, semester
語文別
Language
學位類別
Degree
頁數
Number of pages
47
研究生
Author
指導教授
Advisor
召集委員
Convenor
口試委員
Advisory Committee
口試日期
Date of Exam
2007-06-23
繳交日期
Date of Submission
2007-08-21
關鍵字
Keywords
模式檢驗、記憶基礎推論、惡意程式碼、語意
model checking, memory-based reasoning, semantics, malicious code
統計
Statistics
本論文已被瀏覽 5870 次,被下載 22
The thesis/dissertation has been browsed 5870 times, has been downloaded 22 times.
中文摘要
 動態網頁(Dynamic HTML, DHTML)是一種包含HTML、客戶端指令碼與相關技術來創建網頁中動態內容的方法。網頁動態化的需求與網頁應用程式的普及使得攻擊者現今有了DHTML此種散佈便利且又難以察覺的新攻擊載體。而面對往往經過變形、混淆(obfuscate)的惡意DHTML,一般使用者所仰賴的防毒軟體其普遍使用的特徵比對技術又對此難以著力。
 有鑑於此,本研究由模式(model)與推論(reasoning)的觀點,提出模式基礎推論(Model-based Reasoning, MoBR)此種對多型與變型等混淆機制具耐受性而能正確判斷DHTML是否為惡意的演算法。在MoBR中,本研究以樣板(template)的機制,透過描述字詞與語意兩方面的特徵來構築某類惡意DHTML的模式。以現實網路上的DHTML所進行的實驗結果證實: 相較於市售防毒軟體,本研究基於MoBR實作的偵測程式AlgoMD,在誤警率與誤判率方面均有優良的表現。除此之外AlgoMD亦對混淆機制具耐受性,能在低誤警率(false positive rate)下有效辨識出已經混淆變形的惡意DHTML網頁。
Abstract
 Including of HTML, client-side script, and other relative technology, Dynamic HTML (DHTML) is a mechanism of creating dynamic contents in a web page. Nowadays, because of the demand of dynamic web pages and the diffusion of web applications, attackers get a new, easily-spread, and hard-detected intrusion vector - DHTML. And commercial anti-virus softwares, commonly using pattern-matching approach, still have weakness against commonly obfuscated malicious DHTML.
 According to this condition, we propose a new detective algorithm Model-based Reasoning (MoBR), basing on the respects of model and reasoning, that is resilient to common obfuscations used by attackers and can correctly determine whether a webpage is malicious or not. Through describing text and semantic signatures, we constructs the model of a malicious DHTML by the mechanism of templates. Experimental evaluation by actual DHTML demonstrates that our detection algorithm is tolerant to obfuscation and perform much superior to commercial anti-virus softwares. Furthermore, it can detect variants of malicious DHTML with a low false positive rate.
目次 Table of Contents
第一章、緒論 1
第一節、研究背景 1
第二節、研究動機 3
第二章、文獻探討 6
第一節、靜態與動態分析 6
第二節、惡意程式碼隱蔽技術 7
第三節、偵測惡意軟體之相關文獻探討 8
第四節、記憶基礎推論 (MEMORY-BASED REASONING) 10
第三章、偵測演算法 12
第一節、模式基礎推論演算法 (MODEL-BASED REASONING, MOBR) 14
第二節、樣版之形式定義 (FORMAL DEFINITION) 16
第三節、反向模式檢驗 (BACKWARD MODEL CHECKING) 18
第四節、距離函數 21
第五節、組合函數 22
第六節、演算法優點與限制 23
第四章、實驗設計與參數影響 23
第一節、惡意DHTML樣本擷取與分類 24
第二節、樣板撰寫與良性樣本擷取 26
第三節、隨機抽樣與實際實驗 27
第四節、參數設定與影響 28
第五節、實驗結果 30
第五章、結論 33
參考文獻 34
附錄一 37
參考文獻 References
1. J. Kinder, S. Katzenbeisser, C. Schallhart, and H. Veith. “Detecting malicious code by model checking.” Proceedings of the 2nd International Conference on Intrusion and Malware Detection and Vulnerability Assessment, Vol. 3548, pp. 174-187, Vienna, Austria, July 2005.
2. G. McGraw and G. Morrisett. “Attacking malicious code: report to the Infosec research council.” IEEE Software, Vol. 17, No. 5, pp. 33-41, 2000.
3. M. Christodorescu, S. Jha, S. A. Seshia, D. Song, and R. E. Bryant. “Semantics-aware malware detection.” Proceedings of the 2005 IEEE
Symposium on Security and Privacy , pp. 32-46, Oakland, CA, USA, May 2005.
4. J. Bergeron et al. “Static Detection of Malicious Code in Executable Programs.” Symposium on Requirements Engineering for Information Security, Indianapolis, Indiana, USA, March 2001.
5. R.W. Lo, K.N. Levitt, and R.A. Olsson. “MCF: A malicious code filter.” Computers & Society, Vol. 14, No. 6, pp. 541-566, 1995.
6. S. S. Muchnick. “Advanced Compiler Design Implementation.” Morgan Kaufman Publishers, 1997.
7. Cristina Cifuentes, and Antoine Fraboulet. “Intraprocedural static slicing of binary executables.” Proceedings of the International Conference on Software Maintenance, Bari, Italy, pp. 188-195, Oct. 1997.
8. R.A. Paul, V.U.B. Challagulla, F.B. Bastani, and I.L. Yen. “A memory-based reasoning approach for assessing software quality.” Computer Software and Applications Conference, pp. 97-103, 2001.
9. M. Christodorescu, and S. Jha. “Static analysis of executables to detect malicious patterns.” Proceedings of the 12th USENIX Security Symposium, pp. 169-186, Aug. 2003.
10. M. Christodorescu, and S. Jha. “Testing malware detectors.” Proceedings of the ACM SIGSOFT International Symposium on Software Testing and Analysis 2004, pp. 34-44, Boston, MA, USA, July 2004.
11. C. Nachenberg. “Computer virus-antivirus coevolution.” Communications of the ACM, Vol. 40, No. 1, pp. 46-51, 1997.
12. D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. “Towards automatic generation of vulnerability-based signatures.” Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 2-16, 2006.
13. C. Stanfill, D. Waltz. “Toward memory-based reasoning.” Communications of the ACM, Vol. 29, No. 12, pp. 1213-1228, 1986.
14. B.V. Dasarathy. “Nearest Neighbor (NN) Norms : NN Pattern Classification Techniques.” IEEE Computer Society Press, Las Alamitos, California, 1991.
15. K.S. Chung, T.Y. Ui, K.K. Huy, and C.P. Sang. “A hybrid approach of neural network and memory-based learning to data mining.” IEEE Transactions on Neural Networks, Vol. 11, No. 3, pp. 637-646, 2000.
16. B. Masand, G. Linoff, D. Waltz. “Classifying news stories using memory based reasoning.” International ACM SIGIR Conference, pp. 59-65, Jun. 1992.
17. Michael J. A. Berry, Gordon S. Linoff. “Data Mining Techniques: for marketing, sales, and customer support.” John Wiley & Sons, Inc.,1997.
18. 蔣耀賢:運用記憶基礎理解於多層次案例庫搜尋架構中產生標準操作程序文件。國立臺灣科技大學,碩士論文,民91。
19. Web Application. http://en.wikipedia.org/wiki/Web_Application (Last accessed: 22 Oct. 2006).
20. Dynamic HTML. http://en.wikipedia.org/wiki/DHTML (Last accessed: 22 Oct. 2006).
21. Mobile Code. http://en.wikipedia.org/wiki/Mobile_code (Last accessed: 22 Oct. 2006).
22. Metamorphic Code. http://en.wikipedia.org/wiki/Metamorphic_code (Last accessed: 26 Oct. 2006).
23. More on automated malware classification and naming. http://addxorrol.blogspot.com/2006/04/more-on-automated-malware.html (Last accessed: 30 Sep. 2006).
24. Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security. http://www.securityabsurdity.com/failure.php (Last accessed: 30 Oct. 2006).
25. The Top 20 Most Critical Internet Security Vulnerabilities. http://www.sans.org/top20/ (Last accessed: 22 Oct. 2006).
26. Regular expression. http://en.wikipedia.org/wiki/Regular_expressions (Last accessed: 17 July 2007).
27. 華視、手機王…等網站「一直」被入侵,十大毒窟罔顧資安與網友權益! http://briian.com/?p=521 (Last accessed: 11 Jun. 2007).
電子全文 Fulltext
本電子全文僅授權使用者為學術研究之目的,進行個人非營利性質之檢索、閱讀、列印。請遵守中華民國著作權法之相關規定,切勿任意重製、散佈、改作、轉貼、播送,以免觸法。
論文使用權限 Thesis access permission:校內一年後公開,校外永不公開 campus withheld
開放時間 Available:
校內 Campus: 已公開 available
校外 Off-campus:永不公開 not available

您的 IP(校外) 位址是 35.174.62.162
論文開放下載的時間是 校外不公開

Your IP address is 35.174.62.162
This thesis will be available to you on Indicate off-campus access is not available.

紙本論文 Printed copies
紙本論文的公開資訊在102學年度以後相對較為完整。如果需要查詢101學年度以前的紙本論文公開資訊,請聯繫圖資處紙本論文服務櫃台。如有不便之處敬請見諒。
開放時間 available 已公開 available

QR Code