National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

Detailed record

Author: 孫心蘭
Author (English): Shin-Lan Suen
Title: 分散式惡意程式監控系統
Title (English): Distributed Malware Monitor System
Advisor: 江滄明
Degree: Master
Institution: National Chung Cheng University (國立中正大學)
Department: Graduate Institute of Communications Engineering (通訊工程研究所)
Discipline: Engineering
Field: Electrical and Computer Engineering
Document type: Academic thesis
Year of publication: 2007
Academic year of graduation: 95 (ROC calendar, i.e. 2006/2007)
Language: Chinese
Pages: 85
Keywords (Chinese): 變種病毒; 資料探勘; DMMS; 惡意程式
Keywords (English): malware; DMMS; data mining; mutation; virus
With the rapid growth of the Internet, users send e-mail, files and other data over the network, and in the course of transferring these files they can unknowingly have Trojan horses, spyware or even viruses planted on their machines. Malware on the network is rampant, yet individual users, enterprises and other organizations are often lax about protection and are attacked without realising it. In recent years malware (viruses, Trojans, spyware and so on) has developed rapidly and caused heavy losses to enterprises, government agencies and individuals. New malware and new variants appear continually, and today's antivirus software must rely on constant signature updates to detect new viruses and variants. But signature updates cannot keep pace with the rate of mutation, which leaves gaps in the overall defense.
This thesis proposes the architecture of a Distributed Malware Monitor System (DMMS). The system has two parts. First, it monitors the programs currently running on an ordinary user's machine (the client) so that malware is detected in real time. The server side maintains a malware signature database and judges whether a program running on a client is malware or a program the enterprise forbids internally, such as MSN. When the server compares a suspicious program against the records in the signature database and finds a similarity above the threshold, the system treats the program as a variant of known malware, notifies the client and the administrator, deletes the program, and adds the record to the signature database as an update.
Second, if the comparison result is below the 85% threshold, the record is sent to a data-mining subsystem for a second classification, which assigns it to either the malware database or the normal-program database for follow-up handling. This approach raises the system's defensive capability, defends effectively against variant viruses, and improves system security.
The main advantage of the system is real-time protection against intruding malware: it monitors changes to the system in real time, judges whether a malicious program is a variant of known malware, and uses the second-stage classification to reduce the misclassification rate, which substantially raises the system's defensive capability and security.
The Internet's rapid development and growing popularity have made e-mail and electronic file transfer commonplace among its users. At the same time, malware (e.g. Trojans, viruses and spyware) has evolved to ride along on outgoing e-mails and files at transmission time without the user's knowledge, and has become rampant. Malware has caused tremendous losses to personal users, enterprises and government organizations in recent years, and its variety is growing rapidly as technology advances. Because virus-definition updates are released relatively slowly, malware's fast mutation rate lets it evade detection by antivirus software.
Here we propose a new framework for malware detection called Distributed Malware Monitor Systems (DMMS). In this framework, malware is detected by monitoring all currently running programs. The server, which holds a signature database, determines whether a running program is malicious by comparing the suspicious program with the records in the signature database. If the comparison score is above the malware detection threshold, the system notifies the client and the administrator, blocks the program, and updates the signature database. If the score is below the threshold, the system applies data mining techniques to analyze the suspicious program further and then decides the appropriate follow-up action. The system's defenses against evolving malware are thereby substantially improved.
In summary, the proposed framework raises the defensive capability and security of enterprise workstations and network servers by providing efficient real-time malware detection and elimination.
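The two-stage pipeline that both abstracts describe (similarity against a server-side signature database with an 85% threshold, detected variants written back into the database, and a data-mining classifier for everything below the threshold) is sketched below as an added example in Python. It is not the thesis's code: the page does not say what features the signature database holds or which classifier the data-mining stage uses, so this example assumes each program is summarised as the set of Win32 API names it imports, uses Jaccard overlap as the similarity measure, and uses a naive Bayes classifier over API presence as the second stage. All sample programs, signatures and training records are constructed for illustration, and `THRESHOLD`, `SIGNATURE_DB`, `BANNED_PROGRAMS`, `TRAINING` and the function names are this example's own.

```python
"""Two-stage malware triage in the shape of the DMMS pipeline (added example,
not the thesis's code).

Assumptions not stated on the page: a program is summarised as the set of
Win32 API names it imports; similarity is Jaccard overlap of those sets; the
second stage is a naive Bayes classifier over API presence.
"""
import math

THRESHOLD = 0.85  # the abstract's 85% cut-off

# Constructed sample signatures (not from the thesis).
SIGNATURE_DB = {
    "trojan.sample": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                      "OpenProcess", "WinExec", "LoadLibraryA"},
    "spyware.sample": {"SetWindowsHookExA", "GetAsyncKeyState", "InternetOpenA",
                       "HttpSendRequestA", "RegSetValueExA"},
}
BANNED_PROGRAMS = {"msnmsgr.exe"}  # programs forbidden by policy, e.g. MSN

# Constructed labelled training records for the second stage.
TRAINING = [
    ("malware", {"CreateRemoteThread", "WriteProcessMemory", "OpenProcess", "WinExec"}),
    ("malware", {"SetWindowsHookExA", "GetAsyncKeyState", "InternetOpenA", "RegSetValueExA"}),
    ("malware", {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "InternetOpenA"}),
    ("benign", {"CreateFileA", "ReadFile", "WriteFile", "CloseHandle", "MessageBoxA"}),
    ("benign", {"GetDC", "TextOutA", "CreateWindowExA", "DispatchMessageA", "MessageBoxA"}),
    ("benign", {"socket", "connect", "send", "recv", "closesocket"}),
]


def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|: 1.0 for identical sets, 0.0 for disjoint ones."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def stage_one(name, apis, db=SIGNATURE_DB):
    """Signature match. Returns (verdict, score, matched_signature).

    verdict is 'banned' (policy, matched by name), 'variant' (best score is at
    or above THRESHOLD; the sample is learned into the database as a new
    signature) or 'uncertain' (hand off to stage two).
    """
    if name.lower() in BANNED_PROGRAMS:
        return "banned", 1.0, name
    best_name, best_score = max(((n, jaccard(apis, sig)) for n, sig in db.items()),
                                key=lambda t: t[1], default=(None, 0.0))
    if best_score >= THRESHOLD:
        db[f"{best_name}/variant-of-{name}"] = set(apis)  # update the signature DB
        return "variant", best_score, best_name
    return "uncertain", best_score, best_name


def train_nb(samples):
    """Per-class record count and per-class document frequency of each API."""
    model = {}
    for label, apis in samples:
        cls = model.setdefault(label, {"n": 0, "df": {}})
        cls["n"] += 1
        for api in apis:
            cls["df"][api] = cls["df"].get(api, 0) + 1
    return model


def stage_two(apis, model):
    """Naive Bayes over the APIs present in the sample.

    P(api | class) is the Laplace-smoothed document frequency (df + 1) / (n + 2),
    so an API never seen in a class still gets a small non-zero probability.
    Returns (label, log-odds of malware versus benign).
    """
    total = sum(c["n"] for c in model.values())
    scores = {}
    for label, cls in model.items():
        s = math.log(cls["n"] / total)  # class prior
        for api in apis:
            s += math.log((cls["df"].get(api, 0) + 1) / (cls["n"] + 2))
        scores[label] = s
    label = max(scores, key=scores.get)
    return label, scores["malware"] - scores["benign"]


def triage(name, apis, db=SIGNATURE_DB, model=None):
    """Full pipeline: returns which stage decided, the verdict and the evidence."""
    verdict, score, match = stage_one(name, apis, db)
    if verdict != "uncertain":
        return {"stage": 1, "verdict": verdict, "score": round(score, 3), "match": match}
    label, log_odds = stage_two(apis, model or train_nb(TRAINING))
    return {"stage": 2, "verdict": label, "score": round(score, 3), "log_odds": round(log_odds, 3)}


if __name__ == "__main__":
    samples = [  # constructed running programs: (image name, imported APIs)
        ("msnmsgr.exe", {"InternetOpenA", "socket"}),
        ("svch0st.exe", SIGNATURE_DB["trojan.sample"] | {"Sleep"}),  # near-copy of a known Trojan
        ("updater.exe", {"GetAsyncKeyState", "SetWindowsHookExA", "CreateFileA",
                         "WriteFile", "InternetOpenA"}),
        ("notepad.exe", {"CreateFileA", "ReadFile", "CloseHandle", "MessageBoxA", "GetDC"}),
    ]
    for name, apis in samples:
        print(name, triage(name, apis))
```

Running the block prints one verdict per sample: the policy-banned program is stopped at stage one by name, the near-copy of the known Trojan scores 6/7 ≈ 0.857 and is recorded as a variant (so a second identical sample then scores 1.0 against the learned entry), and the two remaining programs fall below the threshold and are decided by the classifier. Two points the abstracts leave open deserve a decision in a real deployment: a false positive at stage one is written straight into the signature database and will then match on every client, so learned variants should be held for review rather than trusted unconditionally; and the 85% figure only has meaning relative to the chosen similarity measure, since Jaccard over API sets and, say, a byte-n-gram distance give very different scores for the same pair of files.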
Chapter 1 Introduction 1
1.1 Background 1
1.2 Motivation and Objectives 3
1.3 Thesis Organization 5
Chapter 2 Technical Overview and Related Work 6
2.1 Classification of Malware 6
2.2 Differences between Spyware and Viruses 10
2.3 Traditional Malware Defenses 12
2.4 Signature Database Construction and Similarity Measurement 14
2.5 Comparison of Data Mining Classification Methods and Tools 17
Chapter 3 Design of the Distributed Malware Monitor System 29
3.1 Characteristics of the Distributed Malware System 30
3.2 DMMS System Architecture 31
3.3 Basic Architecture for Local-Host Defense 32
3.4 Data Mining System Architecture 36
3.5 Signature Database Planning 42
Chapter 4 Functional Tests 46
4.1 Experimental Objectives and Environment 46
4.2 Experimental Method 46
4.3 Experimental Results 51
Chapter 5 Conclusions and Future Work 69
5.1 Conclusions 69
5.2 Future Work 70
References 71