臺灣博碩士論文加值系統

截至目前為止所發生的TB級DDoS攻擊，其龐大的殭屍大軍多數來自於IoT連線設備。倘若駭客利用殭屍大軍針對工業基礎設施發動DDoS攻擊，可能會造成非同小可的傷害。而目前IoT發展已來到第四階段，也就是透過既有的Web標準來達成設備間互相通訊，稱之為WoT。對於新的趨勢，所會面臨到的安全議題不僅止於IoT連線設備，亦包含Web應用程式漏洞。而諸如無痕瀏覽模式、自我刪除的惡意程式等匿蹤技術的發展，使得鑑識人員於調查過程中遇到阻礙。因此，本研究藉由記憶體鑑識技術針對WoT時代可能會發生的攻擊手法進行探討。

Currently, most of the DDoS attacks that exceed 1 TB per second are executed from large-scale-IoT botnets. If these attacks were aimed at critical industrial infrastructure, it could have caused damage to our society at an extraordinary scale. The rising threat of DDoS attacks are fueled by the increased development of IoTs, which has now reached its fourth stage, called the WoT. WoT is a term used to describe approaches, software architectural styles and programming patterns that allow previously IoT objects to be part of the World Wide Web. As WoT approaches reality, on-device vulnerabilities are no longer the only problem that must be considered in a security assessment, Web application vulnerabilities must be considered as well. Additionally, Forensic investigators now encounter new challenges that increase the difficulty of investigation, with some examples being privacy browsers and self-deleting malware. As a potential solution to those challenges, this thesis discusses how memory forensic can be used to discover the cyber-criminal in a WoT crime.

致謝 i
摘要 ii
Abstract iii
目錄 iv
表目錄 vi
圖目錄 vii
第一章 1
1.1研究背景 1
1.2研究動機 4
1.3研究目的 5
第二章 6
2.1 SQL Injection 6
2.2 Cross-Site Scripting (XSS) 9
2.3殭屍網路(Botnet) 12
第三章 15
3.1記憶體鑑識工具 15
3.2記憶體鑑識應用 17
第四章 19
4.1 Web應用程式鑑識分析研究 20
4.1.1 Web應用程式漏洞之攻擊 21
4.1.2 Web應用程式漏洞之記憶體鑑識 23
4.2 Linux惡意程式鑑識分析研究 26
第五章 32
5.1 實驗環境及方法 32
5.1.1 Web機制實驗方法 33
5.1.2 Linux惡意程式實驗方法 40
5.2 Web機制討論分析 42
5.3 Linux惡意程式討論分析 52
5.4研究比較與研究貢獻 54
第六章 57
參考文獻 58
附錄1 61
附錄2 65

[1]W. Ahmed and B. Aslam, "A comparison of windows physical memory acquisition tools," IEEE Military Communications Conference (MILCOM), pp. 1292-1297, 2015.
[2]I. Balasundaram and E. Ramaraj, "An Authentication Scheme for Preventing SQL Injection Attack Using Hybrid Encryption," European Journal of Scientific Research, vol. 53, no. 3, pp. 359-368, 2011.
[3]R. Dave, N. Mistry and M.S. Dahiya, "Volatile Memory Based Forensic Artifacts & Analysis," International Journal for Research in Applied Science and Engineering Technology (IJRASET), vol. 2, no. 1, pp. 120-124, 2014.
[4]S. Dija, G.S. Suma, D.D. Gonsalvez and A.T. Pillai,"Forensic reconstruction of executables from Windows 7 physical memory," IEEE International Conference on Computational Intelligence and Computing Research (ICCIC), pp. 1-5, 2016.
[5]X. Fu, X. Du, B. Luo, J. Shi, Z. Guan and Y. Wang, "Correlating processes for automatic memory evidence analysis," IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 115-120, 2015.
[6]A. Ghafarian and S.A.H. Seno, "Analysis of Privacy of Private Browsing Mode through Memory Forensics," International Journal of Computer Applications, vol. 132, no. 1, pp. 27-34, 2015.
[7]K. Hausknecht, D. Foit and J. Burić, "RAM data significance in digital forensics," International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), pp. 1372-1375, 2015.
[8]A. Heriyanto, C. Valli and P.Hannay, "Comparison of Live Response, Linux Memory Extractor (LiME) and Mem Tool for Acquiring Android’s Volatile Memory in the Malware Incident," Australian Digital Forensics Conference, pp. 5-14, 2015.
[9]Q. Hua and Y. Zhang, "Detecting Malware and Rootkit via Memory Forensics," International Conference on Computer Science and Mechanical Automation (CSMA), pp. 92-96, 2015.
[10]R. Johari and N. Gupta, "Secure Query Processing in Delay Tolerant Network Using Java Cryptography Architecture,"International Conference on Computational Intelligence and Communication Networks, pp. 653-657, 2011.
[11]R. Johari and N. Gupta, "Insecure Query Processing in the Delay/Fault Tolerant Mobile Sensor Network (DFT-MSN) and Mobile Peer to Peer Network," International Conference on Network Security and Applications, pp. 453-462, 2011.
[12]D. Kaur and P. Kaur, "Empirical Analysis of Web Attack," Procedia Computer Science, vol. 78, no. 1, pp. 298-306, 2016.
[13]B.S. Ke, J.S. Lin, S.J. Wang, and H.K. Tso, "Private Browsing Evidence of Google History Investigations in Computer Forensics," Journal of e-Business, vol. 16, no. 1, pp. 85-106, 2014.
[14]A. Kieyzun, P.J. Guo, K. Jayaraman, and M.D. Ernst, "Automatic creation of SQL Injection and cross-site scripting attacks," IEEE International Conference on Software Engineering, pp. 199-209, 2009.
[15]C. Liming, S. Jing and Q. Wei, "Study on Forensic Analysis of Physical Memory," International Symposium on Computer,Communication, Control and Automation (3CA ), pp. 221-224, 2013.
[16]M. Moh, S. Pininti, S. Doddapaneni, and T.S. Moh, "Detecting Web Attacks Using Multi-Stage Log Analysis," IEEE International Conference on Advanced Computing (IACC), pp. 733-738, 2016.
[17]D.N. Patil and B.B. Meshram, "Digital Forensic Analysis of Ubuntu File System," International Journal of Cyber-Security and Digital Forensics, vol. 5, no. 4, pp. 175-186, 2016.
[18]Periyadi, G. A. Mutiara and R. Wijaya, "Digital forensics random access memory using live technique based on network attacked," International Conference on Information and Communication Technology (ICoIC7), pp. 1-6, 2017.
[19]N.L. Petroni, A.Walters, T.Fraser and W.A. Arbaugh, "FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory," Digital Investigation, vol. 3, no. 4, pp. 197-210, 2006.
[20]R. Putthacharoen and P. Bunyatnoparat, "Protecting Cookies from Cross Site Script Attacks using Dynamic Cookies Rewriting Technique," International Conference on Advanced Communication Technology (ICACT), pp. 1090-1094, 2011.
[21]N.B. Said, F. Biondi, V. Bontchev, O. Decourbe, T.G. Wilson, et al, "Detection of Mirai by Syntactic and Semantic Analysis", 2017.
[22]B. Schatz, "BodySnatcher: towards reliable volatile memory acquisition by software," Digital Investigation, vol.4, no.1, pp. S126 -S134, 2007.
[23]J. Seo, S. Lee, and T. Shon, "A study on memory dump analysis based on digital forensic tools," Peer-to-Peer Networking and Applications, vol. 8, no. 4, pp. 694-703, 2015
[24]C. Sharma and S. C. Jain, "Analysis and Classification of SQL Injection Vulnerabilities and Attacks on Web Applications,"International Conference on Advances in Engineering & Technology Research (ICAETR), pp. 1-6, 2014.
[25]H. Sinanović and S. Mrdovic, "Analysis of Mirai malicious software," International Conference on Software, Telecommunications and Computer Networks (SoftCOM), pp. 1-5, 2017.
[26]N. Suteva, and A. Mileva, "Computer Forensic Analysis of Some Web Attack," World Congress on Internet Security (WorldCIS), pp. 42-47, 2014.
[27]M. Thapliyal, A. Bijalwan, N. Garg, and E. Pilli, "A Generic Process Model for Botnet Forensic Analysis," Conference on Advances in Communication and Control Systems (CAC2S), pp. 98-102, 2013.
[28]Q. Zhang, H. Chen, and J. Sun, "An Execution-flow Based Method for Detecting Cross-Site Scripting Attacks, " International Conference on Software Engineering and Data Mining, pp. 160-165, 2010.
[29]Open Web Application Security Project, "OWASP Top Ten Project, " Retrieved March 1, 2017 from http://www.owasp.org/index.php/Category: OWASP Top Ten Project.
[30]Gartner, "Leading the IoT," Retrieved June 1, 2018 https://www.gartner.com/imagesrv/books/iot/iotEbook_digital.pdf.
[31]Kaspersky, Retrieved July 1, 2018 from http://www.199it.com/archives/723914.html.
[32]WhiteHat Security, "12th Annual Application Security Statistics Report, " Retrieved July 11, 2017 from https://info.whitehatsec.com/rs/675-YBI-674/images/WHS%202017%20Application%20Security%20Report%20FINAL.pdf?mkt_tok=eyJpIjoiTWpZMVpU-UmxZVEF3TlRkaCIsInQiOiJTQVdQbzlLNlBSSGM0XC96VkZaa2NEbk4ySzBLTGc1QzN4R3JrdG95b2FLRlNSdndiSUlNOUxDUm-hvMUo3WmNrN1VtbThGWGE5a015TlpGS1lMak01azA5azQ1NXRoQnVvbDJTWlRac2Ezc05BbEd2VVQrXC82N042WFF3NmE2MzB1In0%3D.
[33]IoT Developer Survey, " IoT Developer Survey Results," Retrieved July 19, 2018 from https://www.slideshare.net/kartben/iot-developer-survey-2018.
[34]iThome, Retrieved June 1, 2018 from https://www.ithome.com.tw/news/110135.