Graduate student: 謝懷德
Thesis title: 基於加殼分析之惡意程式偵測系統
Malware Detection System Based on Shell Analysis
Advisor: 洪西進
Shi-Jinn Horng
Committee members: 賴祐吉
Yu-Chi Lai
Hsing-Kuo Pao
Wei-Chung Teng
Yi-Leh Wu
Degree: Master's
Department: 電資學院 - 資訊工程系 (College of Electrical Engineering and Computer Science)
Department of Computer Science and Information Engineering
Year of publication: 2010
Graduation academic year: 98 (ROC calendar)
Language: Chinese
Pages: 49
Chinese keywords: malware, shelling (packing), information gain, support vector machine
Foreign-language keywords: Malware, shell, information gain, support vector machine
This study downloads and analyses all Win32-category malware in the latest VX Heavens dataset and uses a technique that differs from ordinary unshelling (unpacking) tools and anti-virus software, so that the system can not only effectively detect existing shelled programs and malware but also effectively predict unknown shelled programs and malware.
This study first extracts features from the PE Table, then uses the information gain method to find the useful ones, and finally uses an SVM to detect shelled programs and malware.

Shelling (packing) technology has become very popular among malware authors in the past few years: it obscures a program's features and lets the program evade detection by anti-virus software. Unshelling software has been developed that extracts the encrypted code from a shelled program, revealing the hidden malware so that anti-virus software can detect it [1]. But unshelling software cannot unshell new or variant types of shelled program, and it can only unshell a portion of the shelled programs. Besides, every shelled program has to go through the unshelling process each time before it can be determined whether it is malware or not, which costs a lot of time and resources.
Therefore, we hope to find a solution for current anti-virus technology by focusing on the shell problem without an unshelling process first. Because the features of a program change after shelling, we can use the differences in the features to distinguish whether a program is shelled or not. When we train on the features of malware, shelled and non-shelled programs should be separated so that training is not confused by shelling features; the results of the malware detection system are then more robust.
In this thesis we download all Win32 malware in the latest VX Heavens dataset. Our approach differs from general unshelling and anti-virus software: the system can not only detect existing shelled programs and malware but also predict unknown shelled programs and malware efficiently.
In this thesis, we extract features from the PE Table, then use the information gain method to find the useful ones, and finally use an SVM to detect shelled programs and malware.
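The feature-selection step described above (PE Table features ranked by information gain before they are handed to the classifier), as an added example that is not code from the thesis. The samples are constructed toy PE-header attributes, not values measured from the VX Heavens dataset, and the four predicates are illustrative assumptions about which header fields change under shelling; the thesis's own feature list, thresholds and SVM stage are not reproduced here.

```python
"""Information-gain ranking of PE-header-derived features for shelled vs
unshelled programs (added example; constructed data, assumed feature set)."""
from collections import Counter
from math import log2

# Section names commonly emitted by unpacked compiler output (assumption used
# only to define the "nonstandard_section_name" predicate below).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc",
                     ".idata", ".edata", ".bss", ".tls"}

# Constructed samples: (header attributes, label). label 1 = shelled, 0 = not.
SAMPLES = [
    ({"NumberOfSections": 2, "EntrySection": "UPX1",
      "SectionNames": ["UPX0", "UPX1"], "SizeOfImage": 200_000}, 1),
    ({"NumberOfSections": 2, "EntrySection": ".pack",
      "SectionNames": [".pack", ".rsrc"], "SizeOfImage": 40_000}, 1),
    ({"NumberOfSections": 4, "EntrySection": ".aspack",
      "SectionNames": [".text", ".data", ".rsrc", ".aspack"], "SizeOfImage": 300_000}, 1),
    ({"NumberOfSections": 3, "EntrySection": ".nsp1",
      "SectionNames": [".nsp0", ".nsp1", ".rsrc"], "SizeOfImage": 50_000}, 1),
    ({"NumberOfSections": 4, "EntrySection": ".text",
      "SectionNames": [".text", ".rdata", ".data", ".rsrc"], "SizeOfImage": 150_000}, 0),
    ({"NumberOfSections": 3, "EntrySection": ".text",
      "SectionNames": [".text", ".data", ".rsrc"], "SizeOfImage": 30_000}, 0),
    ({"NumberOfSections": 5, "EntrySection": ".text",
      "SectionNames": [".text", ".rdata", ".data", ".rsrc", ".reloc"], "SizeOfImage": 400_000}, 0),
    # Constructed noise: an unshelled binary whose entry point is not in .text.
    ({"NumberOfSections": 4, "EntrySection": ".data",
      "SectionNames": [".text", ".rdata", ".data", ".rsrc"], "SizeOfImage": 20_000}, 0),
]

# Candidate binary features derived from the header (illustrative assumptions).
PREDICATES = {
    "entry_outside_text": lambda s: s["EntrySection"] != ".text",
    "few_sections": lambda s: s["NumberOfSections"] <= 2,
    "nonstandard_section_name": lambda s: any(n not in STANDARD_SECTIONS
                                              for n in s["SectionNames"]),
    "large_image": lambda s: s["SizeOfImage"] > 100_000,
}


def entropy(labels):
    """Shannon entropy H(Y) of a list of class labels, in bits."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def information_gain(samples, predicate):
    """IG(Y; F) = H(Y) - sum_v P(F=v) * H(Y | F=v) for a boolean feature F."""
    labels = [y for _, y in samples]
    groups = {}
    for attrs, y in samples:
        groups.setdefault(predicate(attrs), []).append(y)
    conditional = sum(len(g) / len(samples) * entropy(g) for g in groups.values())
    return entropy(labels) - conditional


def rank_features(samples, predicates=PREDICATES):
    """All features with their IG, highest first."""
    scored = ((name, information_gain(samples, p)) for name, p in predicates.items())
    return sorted(scored, key=lambda t: t[1], reverse=True)


def select_features(samples, threshold, predicates=PREDICATES):
    """Keep only features whose IG reaches the threshold (the thesis's filter step)."""
    return [name for name, ig in rank_features(samples, predicates) if ig >= threshold]


def to_vector(attrs, feature_names, predicates=PREDICATES):
    """Binary feature vector in the selected order, ready for a classifier."""
    return [int(predicates[name](attrs)) for name in feature_names]


if __name__ == "__main__":
    for name, ig in rank_features(SAMPLES):
        print(f"{name:28s} IG = {ig:.4f}")
    chosen = select_features(SAMPLES, threshold=0.3)
    print("selected:", chosen)
    print("first sample as vector:", to_vector(SAMPLES[0][0], chosen))
```

On this constructed data `nonstandard_section_name` gets the maximum IG of 1.0 (it splits the classes perfectly), `large_image` gets 0 (it is independent of the label), and the other two fall in between; a threshold of 0.3 keeps three of the four. The vectors produced by `to_vector` are what the thesis would pass to the SVM stage, which is left out here so the example runs with the standard library only.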

Chinese abstract
English abstract
Acknowledgements
Table of contents
List of figures
List of tables
Chapter 1 Introduction
1.1 Research motivation and goals
1.2 Research results and contributions
Chapter 2 Related work
2.1 Malware
2.2 The concept of shelling (packing)
2.3 Traditional signature scanning
Chapter 3 Research method
3.1 Machine learning methods
3.2 Analysis of program shelling and unshelling
3.3 PE Table format analysis
3.4 Information Gain
3.5 Support Vector Machine
Chapter 4 System implementation
4.1 System architecture
4.2 Shelled-program identification system
4.2.1 Feature changes caused by the purpose of shelling
4.2.2 Feature changes caused by shelling behaviour
4.2.3 Feature changes caused by the shelling algorithm
4.3 Malware detection system
4.3.1 Optional Header feature selection
4.3.2 Data Directory feature selection
4.3.3 File Header feature selection
4.3.4 Section Header feature selection
Chapter 5 Experiments and results
5.1 Experimental dataset and environment
5.2 Validation method
5.3 Experimental results
Chapter 6 Conclusion and future work
References
Figure 3.1 Files and actions before and after shelling a program
Figure 3.2 PE Table structure
Figure 4.1 Malware detection system architecture
Figure 5.1 Prediction rate for shelled malware at different Info Gain values
Figure 5.2 Prediction rate for unshelled malware at different Info Gain values
Figure 5.3 CV and FP of unshelled malware before and after using IG
Figure 5.4 CV and FP of shelled malware before and after using IG
Table 5.1 Implementation results of the shelled-program identification system
Table 5.2 Comparison with reference [5]

