臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)

Detailed record
Author: 游文傑
Author (English): Wen-Chieh Yu
Title (Chinese): 透過不涉及內容的特徵和圖形分析辨別釣魚和勒索軟體網站
Title (English): Distinguishing between Ransomware and Phishing Sites by Content-Agnostic Features and Distribution Graph Analysis
Advisor: 李漢銘
Advisor (English): Hen-Ming Li
Committee: 鄭博仁, 沈金祥, 鄭欣明, 林豐澤
Committee (English): Bo-Ren Jeng, Jin-Shiang Shen, Shin-Ming Jeng, Feng-Tze Lin
Oral defense date: 2017-06-29
Degree: Master's
Institution: 國立臺灣科技大學 (National Taiwan University of Science and Technology)
Department: 資訊工程系 (Department of Computer Science and Information Engineering)
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Year of publication: 2018
Graduation academic year: 106
Language: English
Pages: 53
Keywords (Chinese): 惡意軟體分佈 (malware distribution), 不涉及內容的特徵 (content-agnostic features)
Keywords (English): Malware Distribution, Content-Agnostic
Statistics: cited 1 time, 215 views, 35 downloads, bookmarked 1 time
Abstract (Chinese, translated):

In today's highly connected era, users can obtain the information they need online anytime and anywhere. This also brings a downside: cybercriminals use a variety of techniques to install malware on users' computers. In recent years the most prevalent of these has been the drive-by download attack, which makes users download malicious programs without noticing. Web-content detection and analysis and anti-virus software can currently defend against drive-by download attacks, but their effect is not very pronounced. Recent research has instead turned to a "zoom-out" approach that detects the malware distribution structure; however, even when a distribution structure is detected as malicious, there is no way to find a remedy according to the category it belongs to. In this study, our goal is to help information security experts quickly identify different types of malware distribution structures, and so reduce the time experts need to spend on analysis and on finding a solution.

We propose a method for classifying different malware distribution structures. The method determines the category a malware distribution structure belongs to mainly by means of the sum-product algorithm. Because the sum-product algorithm relies on a graph and its links for propagation, we use the malware distribution structure to build a distribution graph. In addition, we extract content-independent features to quickly give the sum-product algorithm the initial scores it needs. With this method, different categories of malware distribution structures can be effectively identified and classified.
Abstract (English):

In today's era of the network, users can access the information they need on the web anytime, anywhere. However, it also brings the disadvantage that cyber criminals install malware on the victim's host in different ways. In recent years, the most popular method is the Drive-by Download attack, which makes users silently download malware.

The current protection is web content detection and analysis by anti-virus software, but the effect is not very significant. At the same time, research has turned to the "zoom-out" approach to detect malware distribution. However, the "zoom-out" approach only detects whether a distribution is malicious or not, and there is no way to find a solution based on the malware distribution category.

In this study, our goal is to help information security professionals quickly identify different types of malware distribution, and to reduce the time they need to spend on analyzing and finding solutions. We propose a method that classifies different malware distributions with the sum-product algorithm and confirms the category of the malware distribution.

In addition to constructing the malware distribution graph for the sum-product algorithm, which relies on the graph and its connections, we quickly give the initial scores to the propagation by extracting content-agnostic features. This approach can effectively identify and classify the different types of malware distribution graph.
Table of contents (page numbers refer to the thesis):

1 Introduction (p. 1)
1.1 Motivation (p. 4)
1.2 Challenges and Goals (p. 5)
1.3 Contributions (p. 6)
1.4 The Outline of Thesis (p. 7)

2 Background and Related Work (p. 8)
2.1 Drive-by Download (p. 8)
2.2 Malware Distribution Network (p. 12)
2.2.1 Landing Page (p. 12)
2.2.2 Malware Repository (p. 14)

3 System Description (p. 16)
3.1 System Overview (p. 16)
3.2 Page Tracking (p. 18)
3.3 Domain and URI Content-Agnostic Features Extractor (p. 19)
3.4 Malicious Type Score Table Constructor (p. 21)
3.5 Malware Distribution Graph Constructor (p. 22)
3.6 Score Initializer (p. 24)
3.7 Node Appending and Graph Analysis (p. 26)
3.7.1 Score Environments (p. 27)
3.7.2 Message-Passing Rule (p. 28)
3.8 Malicious Type Identification (p. 29)

4 Experiments and Results (p. 31)
4.1 Dataset and Environment (p. 31)
4.1.1 Dataset Description (p. 31)
4.2 Evaluation Metrics (p. 32)
4.3 Effectiveness Analysis (p. 34)
4.4 Case Study (p. 40)
4.5 Experiment Discussion (p. 42)
4.6 Limitations (p. 42)

5 Conclusions and Further Work (p. 44)
5.1 Conclusions (p. 44)
5.2 Further Work (p. 45)