
Graduate student: 莊子賢 (Tzu-Hsien Chuang)
Thesis title: 創新的可識別惡意軟體分發系統 (Ziffersystem: A Novel Malware Distribution Detection System)
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee members: 鄭博仁 (Albert B. Jeng), 鄭欣明 (Shin-Min Cheng), 林豐澤 (Fong-Ze Lin)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2016
Graduation academic year: 104 (ROC calendar)
Language: English
Pages: 48
Chinese keywords: 網頁掛馬攻擊 (drive-by download attack)
English keywords: drive-by download
Hits: 200; Downloads: 4

In an era of pervasive Internet use, cyber-criminals can easily plant malware on users' computers through a wide variety of attack techniques. The most prevalent of these is the drive-by download attack: the criminal lures victims to an infected web page with attractive content, and the victims download and are infected by malware without noticing. Current antivirus software can defend against drive-by downloads, but only to a limited extent, mainly because criminals use obfuscation techniques and quickly churn malware, URLs and server IPs to evade blacklists and antivirus detection. In recent years, security researchers have found that a "zoom-out" view is effective for detecting malware distribution infrastructures; through these infrastructures, malware and other resources that have not yet been detected can be discovered and drive-by download attacks blocked, and this new concept helps remedy the shortcomings of traditional defenses. Unfortunately, "zoom-out" detection requires ISP-scale network traffic, while those truly threatened by cyber-crime are mostly enterprises and government organizations, whose network traffic is insufficient for detecting attacks this way. In this thesis we propose a new method for detecting malware distribution infrastructures, intended mainly for use inside an enterprise to strengthen its defenses. The proposed method not only strengthens the "zoom-out" concept but also solves the traffic-volume problem. We use active tracking and malicious neighbor construction to strengthen the system's detection: active tracking lets the system obtain more malicious samples regardless of traffic volume, and the malicious neighbor construction lets the system detect malicious distribution infrastructures on the Internet and strengthen the protection offered by antivirus software and blacklists. We validate our method on proxy-server traffic logs from a department of a government organization: 78,033,562 URL records from 4,624 physical hosts over one month. Our method detected 37 malicious domains, including 26 malicious sites also detected by blacklists and 11 malicious domains not yet on any blacklist. We also developed Ziffersystem, a malware distribution detection tool that analyzes the orchestrated behavior of malware installation.


To infect victim machines successfully, cyber-criminals must disperse and install malware on as many machines as possible. The drive-by download attack is a direct way to do so: victims are lured to an infected web page, and when they access it the injected shellcode is triggered and the malware is downloaded and launched automatically. Antivirus solutions and blacklists can defend against drive-by downloads, but their effect is limited, because criminals use obfuscated malware variants and quickly churn through domains and IP addresses to evade detection. In recent years researchers have proposed a new direction: identifying drive-by download attacks in the installation phase through a "zoom-out" view of drive-by download behaviour. However, current solutions need a considerable number of browsing records from ISP-scale user populations, and may not work in an enterprise-scale network or where historical browsing data is insufficient. In this study we propose Ziffersystem, a system that detects infections in a targeted enterprise, works on limited network traffic, and still produces good results. Ziffersystem comprises two modules: Malicious Orchestrated Behaviors Modeling and the Orchestrated Behaviors Detector. Malicious Orchestrated Behaviors Modeling supplies Ziffersystem with stronger "evil seeds" from which to model the malicious infrastructure, so the system does not need large-scale network data (e.g. ISP traffic) to model malicious activity; this suits enterprises that have little network traffic, highly sensitive data, or weak security protection.
The system then builds the malicious neighbor construction, which exposes malicious download behaviour features that cannot be identified from a single malicious download. The Orchestrated Behaviors Detector focuses on detecting the telltale signs of the malicious network infrastructures that orchestrate these malware installations, signs that become apparent only when looking at the collective traffic produced by many users in the targeted enterprise. The system calculates how close the input data are to malicious candidates and assesses whether they belong to a malware distribution. We rank the input data by network traffic features (e.g. server IP, domain, path) to decide their score; input data similar to a known malware distribution have the potential of exposing distinct parts of the malicious activity that might otherwise remain undetected. Our system analyzed 78,033,562 URLs from government proxy logs covering 4,624 real hosts and detected a total of 37 malicious domains, 26 of which were also labeled malicious by antivirus products. We also implemented a malware distribution identification tool named Ziffersystem that automates the description of malware distributions and the assessment of malicious orchestrated behaviors.
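The abstract describes scoring proxy-log records by the infrastructure features they share with known-malicious "seed" downloads (server IP, domain, path) so that neighbouring domains of a distribution network surface even when each download looks harmless on its own. The following is an added illustration of that neighbor-scoring idea, not the thesis's own Ziffersystem code: the log records, the `example.invalid` hostnames, the `198.51.100.x` server addresses and the feature weights are all constructed assumptions, and the active-tracking (crawling) part of the system is not shown.

```python
"""Illustrative 'malicious neighbor' scoring over proxy-log records.

Added example, not Ziffersystem code. Domains seen in proxy logs are ranked by
how many infrastructure features (server IP, path) they share with a small set
of known-malicious seed downloads. All records and weights below are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log records: (client_host, url, server_ip).
# Client addresses, hostnames and server IPs are made up for this illustration.
PROXY_LOG = [
    ("10.0.0.11", "http://cdn-update.example.invalid/dl/setup.exe", "198.51.100.7"),
    ("10.0.0.12", "http://news.example.invalid/index.html", "198.51.100.20"),
    ("10.0.0.13", "http://mirror-a.example.invalid/dl/setup.exe", "198.51.100.7"),
    ("10.0.0.14", "http://mirror-b.example.invalid/get/flash_update.exe", "198.51.100.7"),
    ("10.0.0.15", "http://mirror-c.example.invalid/dl/setup.exe", "198.51.100.99"),
    ("10.0.0.16", "http://shop.example.invalid/cart", "198.51.100.21"),
]

# Seed: a download the enterprise already knows to be malicious (constructed).
SEED_URLS = ["http://cdn-update.example.invalid/dl/setup.exe"]

# Assumed weights: sharing the serving IP is treated as a stronger signal than
# sharing the download path. The domain feature identifies the candidate itself.
WEIGHTS = {"ip": 2.0, "path": 1.0}


def features(url, server_ip):
    """Split one record into the features the abstract names: server IP, domain, path."""
    parts = urlsplit(url)
    return {"ip": server_ip, "domain": parts.hostname, "path": parts.path}


def build_index(log):
    """Map every (feature_name, value) pair to the set of domains it was seen with."""
    index = defaultdict(set)
    for _client, url, ip in log:
        f = features(url, ip)
        for name, value in f.items():
            index[(name, value)].add(f["domain"])
    return index


def score_neighbors(log, seed_urls):
    """Score each non-seed domain by the weighted count of features shared with seeds."""
    index = build_index(log)
    seed_domains = {urlsplit(u).hostname for u in seed_urls}
    # Collect the IP and path features of every log record that is a seed URL.
    seed_features = set()
    for _client, url, ip in log:
        if url in seed_urls:
            f = features(url, ip)
            seed_features.add(("ip", f["ip"]))
            seed_features.add(("path", f["path"]))
    scores = defaultdict(float)
    for name, value in seed_features:
        for domain in index[(name, value)]:
            if domain not in seed_domains:
                scores[domain] += WEIGHTS[name]
    return dict(scores)


def rank(log, seed_urls, threshold=2.0):
    """Return (domain, score) pairs at or above the threshold, highest score first."""
    scores = score_neighbors(log, seed_urls)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(d, s) for d, s in ranked if s >= threshold]


if __name__ == "__main__":
    for domain, score in rank(PROXY_LOG, SEED_URLS):
        print(f"{score:4.1f}  {domain}")
```

With the constructed log, `mirror-a` scores 3.0 (same server IP and same download path as the seed) and `mirror-b` scores 2.0 (same server IP only), so both are reported as neighbours of the seed's distribution infrastructure, while `mirror-c` (shared path only, 1.0) falls below the threshold and the unrelated `news` and `shop` domains receive no score at all. A real deployment would draw seeds from blacklists and antivirus verdicts, as the abstract describes, and tune weights and threshold against labelled traffic.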

1 Introduction
2 Background and Related Work
3 System Description and Architecture
4 Experiments
5 Conclusions and Further Work

