Master's/doctoral thesis etd-0715109-165704: detailed record
Title page for etd-0715109-165704
Title: Anomaly Based Malicious URL Detection in Instant Messaging (Chinese title: 以異常為基礎之即時通訊惡意 URL 偵測)
Department:
Year, semester:
Language:
Degree:
Number of pages: 72
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2009-06-17
Date of Submission: 2009-07-15
Keywords: Malicious URL, Instant Messaging, IM Worms
Statistics: The thesis/dissertation has been browsed 5659 times and downloaded 1542 times.
Abstract (translated from the Chinese)
Because of its ubiquity and immediacy, instant messaging (IM) has become a platform on which hackers distribute malware. To evade detection by anti-virus software, attackers now rarely send malicious files directly; sending malicious URLs has instead become the common means of propagation. Such a malicious URL may download a virus file or lead to a phishing website. Once a user is compromised by IM malware, the malicious URL continues to spread through the victim's contact list, sometimes combined with social engineering techniques that make it hard for the recipient to judge whether the link is malicious. No effective solution currently exists for detecting IM malicious URLs in real time, so this study proposes a method for real-time detection of malicious URLs in IM. Based on anomalous features of the URL and anomalous behavior of the sender, the method defines a set of behavior patterns that describe possible malicious behavior, and uses a scoring mechanism to evaluate the significance of each anomalous feature, thereby predicting whether a URL is malicious. To speed up detection, the malicious behavior patterns efficiently identify known malicious URLs, while the score model produced by the scoring mechanism is used to detect unknown malicious URLs. Experimental results show that the proposed method achieves a low false positive rate and a low false negative rate.
Abstract (English)
Instant messaging (IM) has become a platform for hackers to spread malware, owing to its popularity and immediacy. To evade anti-virus detection, a hacker may send a message containing a malicious URL instead of a malicious binary file. A malicious URL is a link pointing to a malware file or a phishing site, and it may then propagate through the victim's contact list. Moreover, hackers sometimes use social engineering tricks that make malicious URLs hard to identify. Previous solutions are not suited to detecting IM malicious URLs in real time. Therefore, we propose a novel approach for detecting IM malicious URLs in a timely manner, based on anomalies in URL messages and in the sender's behavior. Malicious behaviors are profiled as a set of behavior patterns, and a scoring model is developed to evaluate the significance of each anomaly. To speed up detection, the malicious behavior patterns identify known malicious URLs efficiently, while the scoring model is used to detect unknown malicious URLs. Our experimental results show that the proposed approach achieves a low false positive rate and a low false negative rate.
Table of Contents
1 Introduction 1
1.1 Research background 1
1.2 Research motivation 4
1.3 Research objectives 5
1.4 Thesis organization 6
2 Related work 7
2.1 IM architecture 7
2.2 IM network topology 8
2.3 IM worms 10
2.4 IM worm propagation suppression and detection techniques 12
3 Methodology 18
3.1 System architecture and workflow 19
3.2 Feature extraction module 21
3.3 Malicious behavior matching module 27
3.4 Anomaly feature scoring module 31
3.4.1 Features used for scoring 32
3.4.2 Scoring algorithm 35
3.4.3 Scoring feature value selection strategy 39
4 Experimental results 41
4.1 Sample collection 41
4.2 Experimental evaluation 42
4.3 Experiment 1: effect of the number of training samples 43
4.4 Experiment 2: comparison with browser toolbars 45
4.5 Discussion of experiments 50
5 Conclusions and future work 52
References 53
Fulltext
This electronic full text is licensed only for personal, non-commercial searching, reading and printing for the purpose of academic research. Please comply with the copyright law of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization, so as to avoid infringement.
Thesis access permission: withheld; released to on-campus and off-campus users one year after submission
Available:
Campus: available
Off-campus: available


Printed copies
Public access information for printed theses is relatively complete from academic year 102 onward. To inquire about the access status of printed theses from academic year 101 or earlier, please contact the printed-thesis service counter of the Library and Information Services. We apologize for any inconvenience.
Available: available