National Chengchi University Institutional Repository (NCCUR): Item 140.119/136337
    Please use this identifier to cite or link to this item: https://nccur.lib.nccu.edu.tw/handle/140.119/136337


    Title: IoT Malware Dynamic Analysis Profiling System and Family Behavior Analysis (物聯網惡意軟體動態分析監控系統與其家族行為分析)
    Authors: Chen, Cheng-Yu (陳呈祐)
    Contributors: Hsiao, Shun-Wen (蕭舜文)
    Chen, Cheng-Yu (陳呈祐)
    Keywords: IoT malware
    Virtual Machine Introspection
    Sequential Data
    QEMU
    Dynamic Analysis
    Graph Analysis
    Markov Model
    Date: 2020
    Issue Date: 2021-08-04 14:46:07 (UTC+8)
    Abstract: The number of deployed IoT devices is growing rapidly, and so is the number of IoT malware samples. We want to understand the threat posed by IoT malware, but tools to observe, analyze and detect it are lacking. We therefore design and implement an automatic, virtual machine-based profiling system that collects IoT malware behavior such as API call invocations and system call executions. In addition to conventional profiling methods (e.g., Strace and packet capture), we propose a profiling system that uses a virtual machine introspection (VMI)-based C library hooking technique to intercept the C library calls made by the malware, so that the introspection itself is not detected by the malware. In the collected profiles we observe not only similarities between profiles but also variation within IoT malware families. We therefore anticipate that IoT malware forms families and that these families in turn contain subfamilies. We then propose a family behavior analysis system that analyzes the sequential data (C library call sequences) with a Markov model and Doc2Vec to extract vectorized malware features, discover subfamilies, and generate a representative behavior graph for each subfamily.
    Description: Master's thesis
    National Chengchi University
    Department of Management Information Systems
    107356035
    Source URI: http://thesis.lib.nccu.edu.tw/record/#G0107356035
    Data Type: thesis
    DOI: 10.6814/NCCU202101066
    Appears in Collections:[Department of MIS] Theses

    Files in This Item: 603501.pdf (10480 KB, Adobe PDF)


    All items in the NCCU Institutional Repository are protected by copyright, with all rights reserved.



    Copyright Announcement
    1. The digital content of this website is part of the National Chengchi University Institutional Repository. It is provided free of charge for academic research, public education and other non-commercial public-interest use. Please use the content in a proper and reasonable manner and respect the rights of copyright owners. For commercial use, please obtain authorization from the copyright owner in advance.

    2. This website has been built with care to avoid infringing the rights of copyright owners. If you believe that any digital content on the website infringes copyright, please contact our staff (nccur@nccu.edu.tw). The maintainers will promptly take remedial measures such as removing the work from the repository.