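Graduate student: 王子彥
Graduate student (English): Zi-Yan Wang
Thesis title: 基於資料探勘技術之監視型間諜程式偵測系統
Thesis title (English): A Surveillance Spyware Detection System Based on Data Mining Methods
Advisor: 洪西進
Advisor (English): Shi-Jinn Horng
Degree: Master's
Institution: National Taiwan University of Science and Technology
Department: Department of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical Engineering and Computer Science
Thesis type: Academic thesis
Year of publication: 2005
Graduation academic year: 93
Language: English
Number of pages: 76
Keywords (Chinese): surveillance spyware, information gain, vector machine, data mining
Keywords (English): surveillance spyware, information gain, support vector machine, data mining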
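Faced with the surge of spyware, the major anti-virus vendors have all invested in research and development, and even Microsoft and Yahoo have begun developing related protection software. In academic research, however, only one paper on spyware has appeared so far, published in 2004. This thesis therefore studies surveillance spyware, currently the more harmful class, and uses detection techniques different from those of typical anti-virus software, so that our system can not only detect existing spyware effectively but also detect new, unknown spyware. The main contribution of this thesis is to use static and dynamic analysis techniques to collect spyware features, and then to combine two data mining techniques, information gain and the support vector machine, to develop a Spyware Detection System (SDS) and to propose an overall operating architecture for it. Our system achieves a detection rate of up to 98% for known surveillance spyware and a good detection rate of 96% for new, unknown spyware. In addition, on the basis of our operating architecture, the system is able to collect new spyware features automatically and retrain the detection module, so that even as new spyware keeps appearing it can still be detected effectively and its harm kept to a minimum.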
Nowadays, the problem of spyware is incredibly serious; well-known anti-virus software vendors such as Norton and Trend Micro entered the spyware-detection field last year. Even Microsoft and Yahoo have thrown themselves into the anti-spyware battle. But the research community has still made little effort to understand it. At present, there is only one study of spyware [29], from 2004. In this thesis, we propose an integrated architecture to defend against surveillance spyware. To overcome the shortcomings of typical anti-spyware products, we combine static analysis and dynamic analysis to extract spyware features. By adopting concepts from machine learning and data mining, we construct a spyware detection system (SDS) which has a 98% detection rate for known spyware and a 96% detection rate for unknown or novel spyware.
Chinese Abstract
Abstract
Acknowledgement
Table of Contents
List of Figures
List of Tables
Chapter 1. Introduction
1.1 Background
1.2 Contributions
1.3 Synopsis
Chapter 2. Related Works
2.1 Difference between Spyware and Virus
2.2 Classes of Spyware
2.3 Some Common Trojans
2.4 Spyware Installation Methods
2.5 Traditional Detection Methods
Chapter 3. Support Vector Machine & Information Gain
3.1 Data Mining
3.2 Information Gain
3.3 Support Vector Machine
Chapter 4. Spyware Detection System (SDS)
4.1 Conception of SDS
4.2 Detect Module
4.3 Data Mining Module
Chapter 5. Experiments & Results
5.1 Experiment Data Set & Experiment Environment
5.2 Experiment Method
5.3 Notations & Evaluation Measures
5.4 Experiment Results
Chapter 6. Conclusions & Future Works
References
Appendix
1. Content of Experiment Data Set
2. List of Selected Features
[1] EarthLink Spy Audit, http://www.earthlink.net/spyaudit/press/.
[2] SpywareGuide.com, Identity Theft and Spyware- The New Threat. http://www.spywareguide.com/articles/identity-theft.html
[3] Internetweek.com, Internet Scams Cost Consumers $2.4 Billion, http://www.internetweek.com/shared/printableArticle.jhtml?articleID=22100149
[4] The Kaspersky Lab, http://www.kaspersky.com.
[5] McAfee, Inc, http://www.mcafee.com/us/.
[6] Trend Micro, Inc, http://www.trendmicro.com/en/home/us/enterprise.htm.
[7] Symantec Corporation, http://www.symantec.com/index.htm.
[8] McAfee Corporation, “Growth of Non-Viral Threats”
[9] Yin Zhang & Vern Paxson, “Detecting Backdoors,” in 9th USENIX Security Symposium, Aug. 2000.
[10] J. Bergeron, M. Debbabi, J. Desharnais, M. M. Erhioui, Y. Lavoie and N. Tawbi, “Static Detection of Malicious Code in Executable Programs,” Symposium on Requirements Engineering for Information Security (SREIS’01).
[11] C. Cifuentes, T. Waddington, M. Van Emmerik, “Computer Security Analysis through Decompilation and High-Level Debugging,” Workshop on Decompilation Techniques, pp. 375-380, 8th IEEE WCRE (Working Conf. Rev. Eng.), Oct. 2001.
[12] Matthew G. Schultz, Eleazar Eskin, Erez Zadok, and Salvatore J. Stolfo, “Data Mining Methods for Detection of New Malicious Executables,” To appear in IEEE Symposium on Security and Privacy, May 2001.
[13] Michael Weber, Matthew Schmid, Michael Schatz & David Geyer, “A Toolkit for Detecting and Analyzing Malicious Software,” Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC.02)
[14] Peter Shaohua Deng, Jau-Hwang Wang, Wen-Gong Shieh, Chih-Pin Yen & Cheng-Tan Tung, “Intelligent Automatic Malicious Code Signatures Extraction,” Security Technology, 2003. Proceedings. IEEE 37th Annual 2003 International Carnahan Conference on, 14-16 Oct. 2003.
[15] Jau-Hwang Wang, Peter S. Deng, Yi-Shen FAN, Li-Jing JAW, Yu-Ching LIU, “Virus Detection Using Data Mining Techniques”.
[16] Prabhat K Singh & Arun Lakhotia, “Static Verification of Worm and Virus Behavior in Binary Executables using Model Checking,” Information Assurance Workshop, 2003. IEEE Systems, Man and Cybernetics Society, 18-20 June 2003
[17] A. H. Sung, J. Xu, P. Chavez, S. Mukkamala, “Static Analyzer of Vicious Executables (SAVE),” Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC’04)
[18] InformationWeek.com, “Hackers Write Spyware for Cash, Not Fame,” http://www.informationweek.com/story/showArticle.jhtml?articleID=160403715
[19] J. R. Quinlan, “Induction of decision trees”, Machine Learning, 1, 1986.
[20] V. Vapnik, “Statistical Learning Theory,” Wiley, New York, 1998.
[21] E. Ardizzone, A. Chella, R. Pirrone, “An Architecture for Automatic Gesture Analysis,” Proceedings of the Working Conference on Advanced Visual Interfaces, May 2000.
[22] Andrew H. Sung & Srinivas Mukkamala; “Identify Important Features for Intrusion Detection Using Support Vector Machines and Neural Networks”; Applications and the Internet, 2003. Proceedings. 2003 Symposium on, 27-31 Jan. 2003, pp.209 -216.
[23] Jeremy Z. Kolter & Marcus A. Maloof, “Learning to Detect Malicious Executables in the Wild,” Conference on Knowledge Discovery in Data, Proceedings of the 2004 ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 470-478.
[24] Mvps.org, “Blocking Unwanted Parasites with a Hosts File,” http://mvps.org/winhelp2002/hosts.htm
[25] Matt Pietrek, “An In-Depth Look into the Win32 Portable Executable File Format,” MSDN Magazine, March 2002
[26] Web Service, http://msdn.microsoft.com/webservices/
[27] VMware, http://www.vmware.com/
[28] Chih-Chung Chang and Chih-Jen Lin, “LIBSVM: a Library for Support Vector Machines,” Dec. 2004
[29] Stefan Saroiu, Steven D. Gribble, and Henry M. Levy, “Measurement and Analysis of Spyware in a University Environment,” Proceedings of the 1st Symposium on Networked Systems Design and Implementation (NSDI), San Francisco, CA, March 2004.
[30] Spyware Website, http://mmbest.com/index.html
[31] Spyware Website, http://www.kobayashi.cjb.net/
[32] Spyware Website, http://www.xfocus.net/index.html
[33] Spyware Website, http://www.hf110.com/Index.html
[34] Spyware Website, http://www.hacker365.com/down.asp
[35] Spyware Website, http://www.eqla.demon.co.uk/trojanhorses.html
[36] Spyware Website, http://www.ttian.net
[37] Spyware Website, http://www.heibai.net/main.htm
[38] Spyware Website, http://www.chinesehack.org/
[39] Microsoft Corporation, “Portable Executable Formats,” Formats specification for Windows.