臺灣博碩士論文加值系統

惡意程式(Malware)是一種會對的電腦設備帶來損害的惡意執行代碼。一般的防毒軟體使用基於特徵碼的偵測方法阻擋已知的惡意程式。對於偵測未知的惡意程式許多研究使用基於機器學習的分類模型進行偵測。這些偵測未知惡意程式的研究主要先透過分析現有的惡意程式集合與正常程式集合，萃取出代表不同類別程式的特徵，再利用機器學習分類演算法產生惡意程式與正常程式的分類模式。檢測時將受測程式依據相同分析程序取出程式特徵後，再由分類模式進行預測。
一般研究方法所使用的雙類別分類演算法中，需要大量且正確分類的惡意程式和正常程式資料集。但因為正常程式缺乏有效的認證方法，因此正常程式集合有可能存在錯誤。大多數的研究都聚焦於偵測方法的改進而忽略了這個問題。在本研究中結合單類別分類模式與多準則決策，提出一個容忍資料集錯誤下有效檢測未知惡意程式的方法論。
本研究可概括為三個部分；第一，研究初期先基於各不同研究所提出的方法證明樣本資料庫的正確性造成問題。第二，進行兩種不同觀點的分析，擷取出可代表樣本程式的特徵。最後用多準則決策的整合架構，同時將兩個分類模型的分類意見整合進行實驗。實驗結果證明新型辨識方法適用於對未知型惡意程式的檢測，並對於資料集錯誤有強健性。

Malware is a type of malicious code that would damage the computer. Common anti-virus software prevents known malware with signature-based detection method, and unknown malware is detected with classified model based on machine learning techniques. The procedure of unknown malware detection is first analyzing the benign and malware programs in the dataset and exploring their features into different classes. Then, the machine learning techniques are used to generate classification model. When testing, features of the test program are extracted through the same procedure and predicted by the classification model.
In most Two-Class classification algorithm for malware detection, a large and well-defined database is typically required to classify malware and benign programs. However, there is no effective authentication method for benign programs, so errors may exist in the benign program dataset. Most researches neglect this problem and instead focus on improving detection methods. In this study, we combine One-Class machine learning classification method and the Multiple Criteria Decision Making (MCDM) method into an effective methodology which can detect unknown malware and avoid the problems of defective benign dataset.
This thesis consists of three sections. In the first section, related researches are surveyed and the issues caused by the defective database are also verified. In the second section, the static and dynamic analyzing methods are introduced to extract features from samples. In the last section, a valid MCDM combined model is proposed to detect unknown malware. The experiment results show that the proposed method is suitable for unknown malware detection and also robust to defective database.

誌謝 ii
摘要 iii
Abstract iv
目錄 v
表目錄 viii
圖目錄 ix
1. 緒論 1
1.1 研究背景 1
1.2 研究動機與目的 7
1.3 研究方法 8
1.4 論文架構 14
2. 惡意程式偵測研究回顧 15
2.1 樣本蒐集 16
2.2 程式分析與特徵擷取 19
2.2.1 靜態分析 20
2.2.1.1 執行檔格式欄位(Protable Excution Format, PE Format) 20
2.2.1.2 系統呼叫(Application Programming Interface, API) 21
2.2.1.3 指令碼(Opcode) 22
2.2.1.4 原語法模型(N-gram) 23
2.2.1.5 字元字串(Strings) 24
2.2.1.6 控制串流圖(Control Flow Graph, CFG) 25
2.2.2 動態分析 27
2.2.2.1 虛擬化測試平台 27
2.2.2.2 作業系統防護機制 29
2.2.2.3 系統呼叫序列 31
2.2.2.4 行為分析(Behavior Analysis) 32
2.3 特徵選取方法 33
2.3.1 應用於多類別分類模式之已知樣本類型的特徵選取 33
2.3.2 應用於單類別分類模式之未知樣本類型的特徵選取 35
2.4 機器學習分類演算法 38
2.4.1 雙類別分類演算法 39
2.4.2 單類別分類演算法 43
2.4.3 集成式分類演算法 44
3. 缺陷樣本資料庫影響與改進 52
3.1 缺陷樣本資料庫 53
3.2 分類效能影響 55
3.3 擷取特徵 59
3.4 單類別分類模式 68
3.5 基於行為與內容之異質式階層分類法 70
4. 多準則決策分類模式與實驗結果 74
4.1 選取訓練樣本 74
4.2 多準則決策 77
4.3 多準則決策整合架構設計 79
4.3.1 決定可行方案 80
4.3.2 決定屬性與評量值 80
4.4 實驗與結果 82
4.4.1 實驗步驟 83
4.4.2 實驗環境 83
4.4.3 實驗結果 84
4.4.4 實驗討論 85
5. 結論與未來工作 86
5.1 結論 86
5.2 未來工作 86
參考文獻 88
論文發表 95
自傳 96

[1]http://www.internetworldstats.com/(2015.3.20)
[2]Paul, W., “Internet Security Threat Report Volume 19,” Symantec, USA, pp. 49-76, 2014.
[3]Paul, W., “Internet Security Threat Report Volume 17,” Symantec, USA, pp. 1-48, 2012.
[4]http://www.eugenemdavis.com/survey-automated-malware-identification-systems (2015.3.20)
[5]Cheng, Julia, Y. C., Tsai, T. S., and Yang, C. S., “An Information Retrieval Approach for Malware Classification Based on Windows API Calls,” 2013 International Conference on Machine Learning and Cybernetics (ICMLC), Hong Kong, China, pp. 1678-1683, 2013.
[6]何盈橋，“惡意程式威脅分析及分類技術”，碩士論文，國防大學理工學院資訊科學系，桃園，第9-31頁，2010。
[7]高百健，“植基於專家經驗的惡意程式特徵擷取之研究”，碩士論文，國防大學理工學院資訊科學系，桃園，第11-45頁，2008。
[8]高啟智，“植基於機器學習之惡意程式偵測模式研究”，碩士論文，國防大學理工學院資訊科學系，桃園，第6-30頁，2008。
[9]Lu, Y.B., Din, S.C., Zheng, C.F., and Gao, B.J., “Using Multi-Feature and Classifier Ensembles to Improve Malware Detection,” Journal of C.C.I.T., Vol. 39, No.2, pp57-72, 2010.
[10]http://blogs.technet.com/b/twsecurity/archive/2013/07/08/apt.aspx(2015.3.20)
[11]http://zh.wikipedia.org/wiki/%E9%9C%87%E7%BD%91(2015.3.20)
[12]Schultz, M. G., Eskin, E., Zadok, F., and Stolfo, S. J., “Data Mining Methods for Detection of New Malicious Executables,” Proceedings of the 2001 IEEE Symposium on Security and Privacy, Washington D.C., USA, pp. 38-49, 2001.
[13]陸儀斌、鄭朝福，“惡意程式行為分析及資料庫建立”， 第17屆國防科技學術研討會論文集，桃園，第801-804頁，2008。
[14]https://www.virustotal.com/zh-tw/ (2015.3.20)
[15]Zahra, B., Hashem, H., Seyed, M. H. F., Ali, H., “A Survey on Heuristic Malware Detection Techniques,” 2013 Conference on 5th Information and Knowledge Technology, Shiraz, Iran, pp. 113-120, 2013.
[16]http://www.cs.waikato.ac.nz/ml/ weka/.(2015.3.20)
[17]http://www.mathworks.com/products/matlab/(2015.3.20)
[18]Koushanfar, F. and Mirhoseini, A., “A Unified Framework For Multimodal Submodular Integrated Circuits Trojan Detection,” IEEE Trans. on Information Forensic, Vol. 6, No. 1, pp. 162-174, 2011.
[19]Hsu, F. H., Tso, C. K., Yeh, Y. C., Wang, W. J., and Chen, L. H., “BrowserGuard: A Behavior-Based Solution to Drive-by-Download Attacks,” IEEE Journal On Selected Areas in Communications, Vol. 29, No.7, pp.1461-1468, 2011.
[20]Gianvecchio, S., Xie, M., Wu, Z., and Wang, H., “Humans and Bots in Internet Chat: Measurement, Analysis, and Automated Classification, ” IEEE/ACM Transactions on Networking, Vol. 19, No. 5, pp.1557-1571 ,2011
[21]Duan, Z., Chen, P., Sanchez, F., Dong, Y., Stephenson, M., and Barker, J. M., “Detecting Spam Zombies by Monitoring Outgoing Messages,” IEEE Transactions on Dependable and Secure Computing, Vol. 9, No. 2, pp.198-210, 2012
[22]Tony, A. A., Nick, C., Vlado, K., and Ray, S., “N-gram Based Detection of New Malicious Code,” Proceedings of the 28th Annual International Computer Software and Applications Conference, Hong Kong, China, pp. 41-42, 2004.
[23]Zhang, B. U., Yin, J. P., and Hao, J. B., “Using Fuzzy Pattern Recognition to Detect Unknown Malicious Executables Code,” Proceedings of The Second International Conference on Fuzzy Systems and Knowledge Discovery, Changsha, China, pp. 629-634, 2005.
[24]Wang, T. Y., Horng, S. J., Wu, C. H., Wang, P. C., and Su, W. Z., “A Surveillance Spyware Detection System Based on Data Mining Methods,” Proceedings of the IEEE Congress on Evolutionary Computation, Vancouver, Canada, pp. 11005-11010, 2006.
[25]Zhang, B. U., Yin, J. P., and Hao, J. B., “Using RS and SVM to Detect New Malicious Executable Codes,” Proceedings of the Fifth International Conference on Rough Sets and Knowledge Technology, Chongquing, China, pp. 574-579, 2006.
[26]Kolter, J. Z. and Maloof, M. A., “Learning to Detect and Classify Malicious Executables in the Wild,” Journal of Machine Learning Research, Vol 7, pp. 2721-2744, 2006.
[27]Henchiri, O., Japkowicz, N., “A Feature Selection and Evaluation Scheme for Computer Virus Detection,” Proceedings of the Sixth International Conference on Data Mining, Hong Kong, pp. 891-895, 2006.
[28]Moskovitch, R., Elovici, Y., and Rokach, L., “Detection of Unknown Computer Worms Based on Behavioral Classification of the Host,” Computational Statistics & Data Analysis, Vol. 52, No. 9, pp. 4544-4566, 2008.
[29]Rafiqul I., Ronghua T., Lynn M. B., and Steve V., “Classification of Malware Based On Integrated Static And Dynamic Features,” Journal of Network and Computer Applications, Vol. 36, Issue 2, pp. 646-656, 2013.
[30]Ammar, A. E. E., Mohd A. M., and Bazara I. A. B., “Improving The Detection of Malware Behaviour Using Simplified Data Dependent Api Call Graph,” International Journal of Security and Its Applications, Vol. 7, No. 5, pp. 29-42, 2013.
[31]Khorsand, Z. and Hamzeh, A., “A Novel Compression-Based Approach For Malware Detection Using PE Header,” 2013 Conference on 5th Information and Knowledge Technology (IKT), Shiraz, Iran, pp. 127-133, 2013.
[32]Liu, J., Song, J., Miao, Q., and Cao, Y., “FENOC: An Ensemble One-Class Learning Framework for Malware Detection,” 2013 International Conference on 9th Computational Intelligence and Security (CIS), Sichuan Province, China, pp. 523-527, 2013.
[33]Xiao, X., Ding, Y., Zhang, Y., Tang, K., and Dai, W., “Malware Detection Based on Objective-Oriented Association Mining,” 2013 International Conference on Machine Learning and Cybernetics (ICMLC), Hong Kong, China, pp. 375-380, 2013.
[34]Eitan, M., Asaf, S., and Adi, L., “POSTER: Detecting Malware Through Temporal Function-Based Features,” Proceedings of The 2013 ACM SIGSAC Conference On Computer & Communications Security, Berlin, Germany, pp. 1379-1381, 2013.
[35]Baldangombo, U., Jambaljav, N., and Horng, S. J., “A Static Malware Detection System Using Data Mining Methods,” International Journal of Artificial Intelligence & Applications, Vol. 4, Issue 4, pp. 113-126, 2013.
[36]Bisio, F., Gastaldo, P., Zunino, R., and Decherchi, S., “Semi-Supervised Machine Learning Approach for Unknown Malicious Software Detection,” Proceeding of International Symposium on INnovations in Intelligent SysTems and Applications (INISTA), Alberobello, Italy, 2014.
[37]Dolly, U., Rakhi, S., Vishakha, M., and Vinesh, J., “Malware Detection And Classification Based On Extraction Of API Sequences,” 2014 International Conference on Computational Collective Intelligence (ICACCI), Seoul, Korea, pp. 2337-2342, 2014.
[38]Ding, Y., Dai W., Zhang Y., and Xue, C., “Malicious Code Detection Using Opcode Running Tree Representation,” International Conference On 9th P2p, Parallel, Grid, Cloud, and Internet Computing, Guangzhou, China, pp. 616-621, 2014.
[39]Markel, Z. and Michael B., “Building A Machine Learning Classifier for Malware Detection,” The Second Workshop on Anti-Malware Testing Research (water 2014), Canterbury, UK, 2014.
[40]Ghiasi, M., Ashkan S., and Zahra S., “Dynamic VSA: A Framework for Malware Detection Based on Register Contents,” Engineering Applications of Artificial Intelligence, Vol. 44, pp. 111-122, 2015.
[41]Shijo, P. V. and Salim, A., “Integrated Static and Dynamic Analysis for Malware Detection,” Procedia Computer Science, Vol. 46, pp. 804–811, 2015.
[42]Shivani, S., Himali, J., Sathvik, S., and Kiran B., “Virus Detection Using Artificial Neural Networks,” International Journal of Computer Applications, Vol. 84, No. 5, pp. 17-23, 2013.
[43]Kinder, J., Katzenbeisser, S., Schallhart,C., and Veith, H., “Proactive Detection Of Computer Worms Using Model Checking,” IEEE Transactions on Dependable and Secure Computing, Vol. 7, No. 4, pp. 424-437, 2010.
[44]張又仁，“泛間諜程式跨Windows平台辨識技術之研究”，碩士論文，國防大學理工學院資訊科學系，桃園，第17-36頁，2011。
[45]http://www.vmware.com/technical-resources/security/overview.html(2015.3.20)
[46]http://docs.cuckoosandbox.org/en/latest/(2015.3.20)
[47]http://cwsandbox.org/(2015.3.20)
[48]https://anubis.iseclab.org/(2015.3.20)
[49]http://ether.gtisc.gatech.edu/source.html(2015.3.20)
[50]http://drakvuf.com/(2015.3.20)
[51]Kirat, D. and Vigna, G., “Barecloud: Bare-Metal Analysis-Based Evasive Malware Detection,” Proceedings of the 23rd USENIX Security Symposium, San Diego, USA, pp. 287-301, 2014.
[52]http://twman.nchc.org.tw/index.php/tw/(2015.3.20)
[53]陸儀斌、高百健、張又仁，“基於不同Windows作業平台的惡意程式行為分析之研究”， 第21屆國防科技學術研討會論文集，桃園，第F1-F7頁，2012。
[54]http://windows.microsoft.com/zh-TW/windows7/products/features/windows-defender(2015.3.20)
[55]https://malwr.com/submission/(2015.3.20)
[56]Shaik, Z., Ignus S., and Nelishia P., “Persistent Technical Difficulties Preventing Effective Software Assurance,” Proceedings of the 10th International Conference on Cyber Warfare and Security, Kruger National Park, South Africa, 2015.
[57]Azhagusundari, B. and Thanamani, A. S., “Feature Selection Based on Information Gain,” International Journal of Innovative Technology and Exploring Engineering, Vol. 2, No. 2, pp.18-21, 2013.
[58]Julio, P., and Adem, K, Data Mining and Knowledge Discovery in Real Life Applications, I-Tech, Vienna, Austria, pp. 35-50, 2009.
[59]Ramos, J., “Using Tf-Idf to Determine Word Relevance in Document Queries,” Proceedings of The First Instructional Conference On Machine Learning, Piscataway, USA, 2003.
[60]Jeong, Y. S., Kang I. H., and Jeong M. K., “A New Feature Selection Method for One-Class Classification Problems,” IEEE Transactions on Systems, Man, and Cybernetics, Vol. 42, No. 6, pp. 1500-1509, 2012.
[61]張云濤、龔玲，資料探勘原理與技術，五南出版社，臺北市，第89-100頁，2007。
[62]尹相志，SQL Server 2008 Data Mining 資料採礦，學貫行銷股份有限公司，臺北，第146-155頁，2009。
[63]Tan, P. N., Steinbach, M., and Kumar, V., Introduction to Data Mining, Pearson Addison Wesley, USA, pp. 256-265, 2006.
[64]Wang, D. , Yeung, D. S., and Tsang, E. C., “Structured One-Class Classification,” IEEE Transactions on Systems, Man, and Cybernetics-Part B: Cybernetics, Vol. 36, No. 6, pp. 1283-1295, 2006.
[65]Chang, W. C., Lee, C. P., and Lin, C. J., “A Revisit to Support Vector Data Description,” National Taiwan University, Taiwan, pp. 1-21, 2013.
[66]陳善泰、竇祥霖、翁志嘉、巫建辰，“應用異質式階層分類架構於入侵偵測之研究”， 第16屆國防科技學術研討會論文集，桃園，第5-34至5-40頁，2007。
[67]朱發、業寧、徐昇、徐姍姍，“邊界檢測快速SVDD演算法”，江蘇科技大學學報，第26卷，第2期，第159-162頁，2012。
[68]楊明峰、林俊達，“應用模糊理論建構彈性製造系統配置規劃之決策支援系統”，育達研究叢刊，第5卷，第6期，第259-282頁，2003。
[69]Alireza, A., Majid, M., and Rosnah, M. Y., “Simple Additive Weighting approach to Personnel Selection problem,” International Journal of Innovation, Management and Technology, Vol. 1, No. 5, pp511-515, 2010.