
Graduate student: 林閔煌 (Ming-Huang Lin)
Thesis title: 針對物聯網惡意程式檢測之基於雜湊的函數調用圖於合併方法 (Hash-Based Function Call Graph Fusion Method for IoT Malware Detection)
Advisor: 鄭欣明 (Shin-Ming Cheng)
Committee members: 李育杰 (Yuh-Jye Lee), 王紹睿 (Peter Shaojui Wang)
Degree: Master
Department: 電資學院 - 資訊工程系 (College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering)
Publication year: 2023
Academic year of graduation: 111 (ROC calendar)
Language: English
Pages: 35
Chinese keywords: 資訊安全, 惡意軟體檢測, 深度學習, 惡意程式分析, 靜態分析, 圖神經網路 (information security, malware detection, deep learning, malware analysis, static analysis, graph neural network)
English keywords: Cybersecurity, malware detection, deep learning, malware analysis, static analysis, GNN
Abstract: The rapid growth of the Internet of Things (IoT) brings convenience and efficiency improvements to everyday life, but it also presents risks and challenges. Malware poses a threat to the security of IoT systems. To ensure the sustainable development of IoT, it is necessary to enhance the security protection of IoT devices and adopt innovative techniques for detecting malicious software. A Function Call Graph (FCG) is composed of functions, the opcode sequences within those functions, and the calls between functions; it can be used to classify malicious programs. In a reverse-engineered FCG there are often multiple functions with the same opcode sequence, which can lower the accuracy of detection results and lead to misjudgments. Previous research using FCGs for malware detection did not consider whether the opcode sequences of different functions were identical. To address this issue, in this study we propose using the one-to-one mapping and fast lookup properties of hash functions to merge nodes in the FCG that have the same opcode sequence. This significantly reduces training and preprocessing time while maintaining accuracy. Experimental results show a 36% reduction in training time and an accuracy of 99.17% using this method.
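The merging step described in the abstract, as an added illustration that is not the thesis's own code: every function's opcode sequence is hashed, functions whose sequences collide under the hash become a single node, and call edges are rewired onto the merged nodes (keeping a multiplicity count so no call information is lost). The toy FCG below is constructed for the example; a real one would come from a disassembler such as radare2. SHA-256 is used as the hash function here because the abstract does not name one, so that choice is an assumption.

```python
"""Hash-based merging of function call graph (FCG) nodes.

Added example, not code from the thesis. Functions with identical opcode
sequences collapse into one node keyed by the hash of the sequence; call
edges are rewired to the merged nodes and their multiplicity is counted.
"""
import hashlib
from collections import Counter

# Constructed toy FCG: function name -> opcode mnemonic sequence.
# sym.send_a, sym.send_b and sym.send_c are deliberately identical, the
# situation the abstract says earlier FCG work did not account for.
FUNCTIONS = {
    "main":       ["push", "mov", "call", "call", "mov", "pop", "ret"],
    "sym.send_a": ["push", "mov", "xor", "call", "pop", "ret"],
    "sym.send_b": ["push", "mov", "xor", "call", "pop", "ret"],
    "sym.send_c": ["push", "mov", "xor", "call", "pop", "ret"],
    "sym.encode": ["mov", "xor", "add", "ret"],
    "sym.exit":   ["mov", "syscall"],
}

# Constructed call edges (caller, callee).
CALLS = [
    ("main", "sym.send_a"),
    ("main", "sym.send_b"),
    ("sym.send_a", "sym.encode"),
    ("sym.send_b", "sym.encode"),
    ("sym.send_c", "sym.encode"),
    ("sym.send_c", "sym.exit"),
    ("main", "sym.exit"),
]


def opcode_hash(opcodes):
    """Hash an opcode sequence (assumption: SHA-256; the thesis does not name the hash).

    A separator that cannot appear in a mnemonic is inserted so that
    ["mov", "add"] and ["mo", "vadd"] do not hash to the same value.
    """
    return hashlib.sha256("\x1f".join(opcodes).encode()).hexdigest()


def merge_fcg(functions, calls):
    """Merge FCG nodes with identical opcode sequences.

    Returns (nodes, edges, mapping):
      nodes:   hash -> {"opcodes": [...], "members": [function names]}
      edges:   Counter of (caller_hash, callee_hash) -> number of original calls
      mapping: function name -> hash of its opcode sequence
    """
    mapping = {name: opcode_hash(ops) for name, ops in functions.items()}
    nodes = {}
    for name, ops in functions.items():
        node = nodes.setdefault(mapping[name], {"opcodes": ops, "members": []})
        node["members"].append(name)
    # Rewire each call onto the merged nodes; duplicates become a weight.
    edges = Counter((mapping[caller], mapping[callee]) for caller, callee in calls)
    return nodes, edges, mapping


def reduction(functions, calls):
    """Node and edge counts before and after merging."""
    nodes, edges, _ = merge_fcg(functions, calls)
    return {
        "nodes_before": len(functions),
        "nodes_after": len(nodes),
        "edges_before": len(calls),
        "edges_after": len(edges),
    }


if __name__ == "__main__":
    nodes, edges, mapping = merge_fcg(FUNCTIONS, CALLS)
    for h, node in nodes.items():
        print(h[:12], node["members"])
    for (src, dst), weight in edges.items():
        print(f"{src[:12]} -> {dst[:12]} (x{weight})")
    print(reduction(FUNCTIONS, CALLS))
```

On this toy graph the three identical send functions collapse into one node, so six nodes become four and seven call edges become four weighted edges; on a real binary the same collapse is what shrinks the graph handed to the classifier and therefore the preprocessing and training time the abstract reports.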

Table of contents:
  Abstract in Chinese (iii)
  Abstract in English (iv)
  Contents (v)
  List of Figures (vii)
  List of Tables (viii)
  List of Algorithms (1)
  1 Introduction (1)
  2 Related Work (5)
    2.0.1 IoT Malware (5)
    2.0.2 Static analysis (6)
    2.0.3 Previous work on samples analysis (6)
  3 Methodology (11)
    3.0.1 Reverse Engineering (11)
    3.0.2 Reconstructing FCG (12)
    3.0.3 Graph Data Generation (14)
    3.0.4 Classification Module (15)
  4 Experiments (17)
    4.0.1 Dataset (17)
    4.0.2 Classification Models (17)
    4.0.3 Evaluation Metrics (19)
    4.0.4 Evaluation (21)
  5 Conclusion (23)
  References (25)


Full-text release date: 2026/08/16 (campus network, off-campus network, and National Central Library Taiwan thesis system)