Title page for etd-0820109-151509
Title
Malicious Web Page Detection Based on Anomaly Semantics (original title: 以異常語意為基礎的惡意網頁偵測)
Department
Year, semester
Language
Degree
Number of pages
68
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2009-07-13
Date of Submission
2009-08-20
Keywords
Dynamic Webpage, Malicious Webpage, Web Application
Statistics
The thesis/dissertation has been browsed 5692 times and downloaded 2013 times.
Abstract
Web services are becoming the dominant way to access online information. They underpin many applications, such as e-mail, web search engines, online auctions and Internet banking, and rely chiefly on web application and dynamic webpage technology. Attackers, however, exploit web application vulnerabilities and dynamic webpage technology to inject malicious code into other people's websites, and some websites neglect this security issue. This thesis uses static analysis to detect malicious webpages, drawing on URL features, anomaly semantics, and potentially dangerous tags and tag attributes. The proposed approach consists of three parts: (1) a scripting-language and automatic-link filter, (2) malicious feature matching, and (3) a scoring mechanism. The first part treats pages that contain neither scripting language nor automatically linking tags as normal, which increases detection speed. The second part identifies some known malicious attacks. The third part uses scoring to detect some unknown malicious webpages. Our experimental results show that the proposed approach achieves a low false positive rate and a low false negative rate.
Table of Contents
1 Introduction
1.1 Research Background
1.2 Research Motivation
1.3 Research Objectives
1.4 Thesis Organization
2 Literature Review
2.1 Web Security Vulnerabilities
2.1.1 Cross-Site Scripting
2.1.2 Injection Flaw
2.1.3 Malicious File Execution
2.1.4 Insecure Direct Object Reference
2.1.5 Cross-Site Request Forgery
2.1.6 Information Leakage and Improper Error Handling
2.1.7 Broken Authentication and Session Management
2.1.8 Insecure Cryptographic Storage
2.1.9 Insecure Communication
2.1.10 Failure to Restrict URL Access
2.2 Related Work on Malicious Webpage Detection
2.2.1 Browser Modification
2.2.2 Code Transformation
2.2.3 Static Analysis
2.3 Obfuscation Techniques for Malicious Code
3 Research Method
3.1 Research Method
3.2 System Architecture and Workflow
3.3 Web Crawling Module
3.4 Anomaly Semantics Detector
3.4.1 Deobfuscation Module
3.4.2 Normal Webpage Filtering Module
3.4.3 URL and Non-Source-Code Inspection Module
3.4.4 Source-Code Inspection Module
3.4.5 Scoring Module
4 Experimental Results
4.1 Sample Collection
4.2 Experiment 1: Evaluation of the Normal Webpage Filtering Module
4.3 Experiment 2: Feature Evaluation of the URL and Non-Source-Code Inspection Module and the Source-Code Inspection Module
4.4 Experiment 3: Evaluation of the Scoring Module
4.5 Experiment 4: Evaluation of Average System Performance
4.6 Experiment 5: Comparison with Other Antivirus Software
5 Conclusion and Future Work
References
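Fulltext
This electronic full text is licensed to users solely for personal, non-profit searching, reading and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization, so as not to violate the law.
Thesis access permission: unrestricted (fully open on and off campus)
Available:
Campus: available
Off-campus: available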


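Printed copies
Public information on printed theses is relatively complete from academic year 102 onward. To look up public information on printed theses from academic year 101 or earlier, please contact the printed-thesis service desk of the Office of Library and Information Services. We apologize for any inconvenience.
Available: available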
