
Graduate student: 張庭耀 (Ting-Yao Chang)
Thesis title (Chinese): 在虛擬環境應用張量分析的惡意軟體偵測 (Malware Detection in Virtual Environments Using Tensor Analysis)
Thesis title (English): Identifying Malware in Virtual Machines from Hypervisor with Tensor Analysis
Advisor: 項天瑞 (Tien-Ruey Hsiang)
Oral examination committee: 李育杰 (Yuh-Jye Lee), 鮑興國 (Hsing-Kuo Pao)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2013
Graduation academic year: 102 (ROC calendar)
Language: Chinese
Number of pages: 44
Chinese keywords: 惡意軟體辨識 (malware identification), 張量 (tensor)
English keywords: Identifying Malware, tensor
Access statistics: 171 views, 0 downloads

Abstract (translated from the Chinese):
Since computers have become ubiquitous, and even broader use is expected in the future, detecting malware has become an important research topic. With the development of virtualization and cloud computing, security issues in cloud environments are growing in importance. Cloud service providers today usually bill for a fixed allocation of hardware resources, so a user's system resources become very precious. Because malware may damage hardware, steal private data and consume resources, it can cause great losses to both service providers and users.
Malware detection is broadly divided into dynamic analysis and static analysis; we focus on sandboxes within dynamic analysis. The sandbox we use is built on Xen and Intel VT hardware virtualization technology and can monitor and record a malware sample's execution at the hypervisor layer. We focus on the system calls in these records and use system-call sequences as the main feature.
We analyze the system-call sequences with tensor operations. Based on our observation and processing of the sequences, we propose two segmentation approaches: time-based segments and count-based segments. The results show that both approaches achieve an average accuracy of at least 79% across the eight classes.


Abstract (English):
Detecting malware has become an important subject of research as computers have become ubiquitous in every aspect of life and are expected to be even more widespread in the future. With the development of virtualization and cloud computing, information security in the cloud environment is increasingly important. Nowadays cloud servers are usually billed on fixed hardware resources, so users' system resources become very scarce. Because invading malware may destroy hardware, steal private data, and occupy resources, causing great losses to servers and users, detecting malware is essential for computers.
Malware detection is divided into dynamic analysis and static analysis, and we focus on the sandbox used in dynamic analysis. The sandbox we use is built on Xen and Intel VT hardware virtualization technology. It can monitor and record the execution process at the hypervisor layer. We focus on the recorded system calls and take the system-call sequence as the main feature.
We use tensor computation to analyze the system-call sequence. Through observation and arrangement of the system-call sequence, we propose two segmentation methods, time period and count period. The results show that the average accuracy of the two methods over the eight classes is 79% or above.

Table of contents (page numbers refer to the thesis):
- Advisor's recommendation letter, i
- Oral examination committee approval form, ii
- Chinese abstract, iii
- English abstract, iv
- Acknowledgements, v
- Table of contents, vi
- List of tables, viii
- List of figures, ix
- 1 Introduction, 1
  - 1.1 Research motivation and objectives, 1
  - 1.2 Overview of the method, 2
  - 1.3 Thesis organization, 2
- 2 Related work, 3
  - 2.1 Malware identification by static analysis, 3
  - 2.2 Malware identification by dynamic analysis, 3
  - 2.3 Relationship between the hypervisor and virtual machines, 4
- 3 Malware detection using tensor analysis, 6
  - 3.1 Principles of principal component analysis, 8
  - 3.2 Principles of tensor analysis, 13
    - 3.2.1 Tensor notation and operations, 14
    - 3.2.2 Relationship between principal component analysis and N-mode SVD, 17
  - 3.3 Applying tensor analysis to malware, 18
- 4 Experiments and evaluation, 23
  - 4.1 Data acquisition and experimental setup, 23
    - 4.1.1 Dataset description, 23
    - 4.1.2 Experimental setup, 24
  - 4.2 Experimental analysis, 26
    - 4.2.1 Experiments with time-based segments, 26
    - 4.2.2 Experiments with count-based segments, 29
    - 4.2.3 Analysis and discussion, 33
- 5 Conclusions and future work, 36
- References, 37
- Appendix: all detected system calls, 41


Full-text release date: 2018/12/09 (campus network)
Full-text release: not authorized for public release (off-campus network)
Full-text release: not authorized for public release (National Central Library: Taiwan thesis system)