
Student: 黃佳郁 (Chia-Yu Huang)
Thesis title: Identifying HID-based Attacks through Process Event Graph Using Guilt-by-Association Analysis (Chinese title: 基於主機事件罪惡關聯分析識別HID攻擊)
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee members: 李漢銘 (Hahn-Ming Lee), 鄧惟中, 鄭欣明, 林豐澤, 毛敬豪
Degree: Master
Department: Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science
Year of publication: 2018
Academic year of graduation: 106 (ROC calendar)
Language: English
Pages: 72
Chinese keywords (translated): USB HID attack, guilt-by-association, event logs, event reconstruction, principal component analysis
English keywords: USB HID Attack, Guilt-by-Association, Event logs, Event Reconstruction, Principal Component Analysis
Record statistics: 170 views, 2 downloads
Abstract (Chinese version, translated):

With the development and spread of USB technology, USB devices have become one of the main data-transfer interfaces. Because USB firmware is reprogrammable, USB has become an attack vector: its rewritable nature, together with design flaws in the devices themselves, led to the appearance of BadUSB. In this study, our goal is to identify suspicious HID attack events without modifying the host kernel module, so as to reduce the detection cost for enterprises.

We provide an HID attack behavior identification system, HIDTracker, which obtains suspicious HID attack events by analyzing native host event logs, without modifying the host kernel module. The method builds an HID event association graph from each set of HID-related events and considers the guilt-by-association between events and objects to identify suspicious HID behavior. Through this algorithm, unknown events can be associated with other events to determine their suspiciousness, and an event scoring mechanism helps surface the more suspicious HID events.

Our results show that considering the guilt-by-association between events raises detection precision to as high as 90% and lowers the false positive rate to 2.33%. The main contributions of this study are: (1) identifying HID attack behavior by analyzing host event logs; (2) extracting HID-related events by constructing HID event graphs; (3) classifying unknown events by considering the guilt-by-association between events and objects across all event graphs.


Abstract (English version):

Recently, with the programmability of Universal Serial Bus (USB) devices, many kinds of USB attacks have been proposed. In our study we focus on identifying Human Interface Device (HID)-based attacks, in which attackers exploit the weakness of USB devices and reprogram them, and we do so without modifying the kernel module, so that enterprises can reduce the cost of detecting such attacks.

We propose an HID identification mechanism, HIDTracker, that recognizes suspicious HID attacks by analyzing native host event logs. Each HID event graph is constructed from HID-related events. The guilt-by-association between events and objects is considered to correctly identify suspicious HIDs. Through the algorithm, unknown events are connected with other events to determine their suspiciousness. An HID event scoring module then identifies the more suspicious HID event graphs.

Our experimental results show that, with guilt-by-association analysis, the precision rate increases to 90% and the false positive rate decreases to 2.33%. The main contributions of the study are as follows: (1) identifying HID-based attacks by analyzing native host event logs rather than modifying the kernel module of the host systems; (2) recognizing HID-related events by constructing HID event graphs; (3) reducing event background noise by investigating the guilt-by-association between the events.

Table of contents (page numbers refer to the thesis):

1 Introduction, 1
  1.1 Motivation, 2
  1.2 Challenges and Goals, 4
  1.3 Contributions, 5
  1.4 Outline of the Thesis, 6
2 Background and Related Work, 7
  2.1 APT & Insider Threat, 7
  2.2 USB-based Attack, 9
    2.2.1 USB Work Flow, 9
    2.2.2 HID Attack, 10
  2.3 Event Reconstruction, 12
  2.4 Guilt-by-Association Analysis, 12
  2.5 USB Attack Detection, 13
3 Suspicious HID Attack Identification, 16
  3.1 Event Transferring Platform, 18
  3.2 HID Event Graph Generation, 19
  3.3 Event Graph Guilt-by-Association Scoring, 20
    3.3.1 Event Graph Bipartition, 21
    3.3.2 Association Graph Projection, 22
    3.3.3 Event/Object Scoring, 24
    3.3.4 HID Event Graph Score Calculation, 25
  3.4 HID Event Graph Feature Extraction, 26
  3.5 Suspicious HID Identification, 27
4 Experiments & Analysis, 30
  4.1 Environment Setup and Dataset, 31
    4.1.1 Experimental Design, 31
    4.1.2 Attack Scenarios, 32
    4.1.3 Data Collection and Label, 34
    4.1.4 Analysis Environment, 37
  4.2 Evaluation Metrics, 38
  4.3 Effectiveness Analysis, 39
    4.3.1 Effectiveness of Guilt-by-Association Analysis, 39
    4.3.2 Effectiveness of Different Parameters, 42
  4.4 Efficiency Analysis, 44
  4.5 Case Study, 46
    4.5.1 Identification Results: True Positive, 46
    4.5.2 Identification Results: False Positive, 47
    4.5.3 Identification Results: False Negative, 47
5 Discussion and Limitations, 48
  5.1 Limitations, 48
  5.2 Evasion Strategies, 49
6 Conclusions and Further Work, 50
  6.1 Conclusions, 50
  6.2 Further Work, 51

