政大機構典藏-National Chengchi University Institutional Repository(NCCUR):Item 140.119/129972
English  |  正體中文  |  简体中文  |  Post-Print筆數 : 27 |  全文笔数/总笔数 : 113318/144297 (79%)
造访人次 : 51057127      在线人数 : 863
RC Version 6.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
搜寻范围 查询小技巧:
  • 您可在西文检索词汇前后加上"双引号",以获取较精准的检索结果
  • 若欲以作者姓名搜寻,建议至进阶搜寻限定作者字段,可获得较完整数据
  • 进阶搜寻
    政大機構典藏 > 商學院 > 資訊管理學系 > 期刊論文 >  Item 140.119/129972


    请使用永久网址来引用或连结此文件: https://nccur.lib.nccu.edu.tw/handle/140.119/129972


    题名: 使用動態分析資料於卷積神經網路上進行惡意程式家族分類
    作者: 蕭舜文
    Hsiao, Shun-Wen 
    贡献者: 資管系
    关键词: 惡意程式;動態分析;卷積神經網路;行為分類
    Malwar e;dynamic analysi s;convolution neural network;behavior classification
    日期: 2018-01
    上传时间: 2020-05-27
    摘要: 傳統上惡意程式的病毒碼特徵擷取與惡意行為分析需要耗費大量的人力與時間,分析過程通常需要借助資訊安全專家多年對於惡意程式分析的經驗。資安專家通常會比對過去已知的惡意特徵將新發現的惡意程式歸類到已知的惡意程式家族。然而現今新的惡意程式變種數量已經大幅超越人工分析的能力,面對如此資安挑戰,本論文的目的是藉助卷積神經網路對惡意程式進行家族進行自動分類並產生行為特徵,將過去人工的動作轉為自動,與其他過去的研究不同,本論文先對惡意程式進行動態側寫分析並產出其高階的Windows API呼叫序列紀錄,而卷積神經網路將視Windows API呼叫序列為輸入資料並最終輸出惡意程式家族分類的結果。本文亦利用卷積神經網路的學習結果來解釋其惡意程式之特徵行為。在實驗上我們採用國網中心以及資策會於真實世界蒐集的惡意程式,進行動態分析側寫後進行監督式的訓練以及驗證,其家族分類準確率超過99%。我們的實驗並證明可以使用有限的Windows API呼叫序列就能進行正確的家族分類,如此我們的研究成果可以進一步導入至入侵防禦系統,進行早期的入侵偵測。
    Conventionally, it takes lots of time and human resources to analyze malware to extract its byte signature and malicious behavior. Usually, such analysis process relies on years of experience of malware analysis by the cybersecurity domain experts. They usually classify the unseen malware sample into a known malware family by checking against known behavior characteristics. However, nowadays the number of new malware is too large for human experts to manually analyze them. To face such cybersecurity challenge, the purpose of this paper is to provide a method to automatically classify malware by using convolution neural network (CNN) and generate behavior characteristics with the help of CNN. Unlike previous research works, we firstly perform dynamic analysis on malware sample and produce its high-level Windows API call sequences as its behavior profile. Then, the API call sequences are fed into the convolution neural network as input to generate the malware family classification result. We also use the learning result of the convolution neural network to explain the behavior characteristics of the malware families. In our experiments, we use the malware samples collected from the real world by the National Center for High-Performance Computing (Taiwan) to generate malware profiles and perform supervised training and validation. The family classification accuracy is over 99%. Our experiments also show that we can use a limited number of Windows API call sequences to perform malware classification; in this case, our result can be used in an intrusion prevention system for early malware detection.
    關聯: 資訊安全通訊, Vol.24, No.1, pp.41-60
    数据类型: article
    显示于类别:[資訊管理學系] 期刊論文

    文件中的档案:

    档案 描述 大小格式浏览次数
    427.pdf837KbAdobe PDF2171检视/开启


    在政大典藏中所有的数据项都受到原著作权保护.


    社群 sharing

    著作權政策宣告 Copyright Announcement
    1.本網站之數位內容為國立政治大學所收錄之機構典藏,無償提供學術研究與公眾教育等公益性使用,惟仍請適度,合理使用本網站之內容,以尊重著作權人之權益。商業上之利用,則請先取得著作權人之授權。
    The digital content of this website is part of National Chengchi University Institutional Repository. It provides free access to academic research and public education for non-commercial use. Please utilize it in a proper and reasonable manner and respect the rights of copyright owners. For commercial use, please obtain authorization from the copyright owner in advance.

    2.本網站之製作,已盡力防止侵害著作權人之權益,如仍發現本網站之數位內容有侵害著作權人權益情事者,請權利人通知本網站維護人員(nccur@nccu.edu.tw),維護人員將立即採取移除該數位著作等補救措施。
    NCCU Institutional Repository is made to protect the interests of copyright owners. If you believe that any material on the website infringes copyright, please contact our staff(nccur@nccu.edu.tw). We will remove the work from the repository and investigate your claim.
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - 回馈