近年來勒索病毒(Ransomware)肆虐全球，駭客最常透過電腦作業系統的漏洞散佈惡意連結或檔案，或將病毒挾帶於E-mail附件等手法來進行感染，受害者的電腦中毒後，病毒會系統性地對硬碟上的檔案進行加密，藉此綁架組織重要資料，進行勒索金錢或比特幣，尤其鎖定商業銀行、醫療機構與上市櫃公司，造成人心惶惶並增加企業資訊安全管理的高風險！
故本研究主要針對近期造成重大資安危害的惡意勒索病毒(Ransomware)威脅蒐集50個病毒家族，透過沙盒及正規化概念分析法建立勒索病毒之行為特徵矩陣以提供模式預訓練(pre-training)，再透過深度學習網路(Deep Learning Networks)之LeNet-5卷積神經網路(Convolutional Neural Networks, CNNs)進行病毒行為的學習及特徵影像識別。實驗結果證明病毒之行為特徵矩陣能明確定義病毒與其攻擊行為特徵之間的關聯，透過知識本體抽象資料模型可作為勒索病毒分類(classification) 與變種鑑定的參考依據，並將其轉化為規則可應用於網路入侵偵測系統之病毒即時偵測，提高偵測的精確度並降低誤判率。

Ransomware has spreaded the world in recent years, because hackers most often spread malicious links or files through weak points in computer operating systems, or bring viruses to e-mail attachments to infect them. After the victim’s computer is comoproised. As a result, the files on the host were encrypted that hackers kidnap important information of the organization to extort money or bitcoin, especially targets on commercial banks, medical institutions and companies that caused high risks of the enterprise information security management.
In our study, we collected 50 virus families from the recent threats of malicious Ransomware that caused major security attacks, and established behavioral features of ransomware through dynamic analyses of sandbox and formalized conceptual analysis to provide pre-training on LeNet-5 for viral behavior learning and feature image recognition. The experimental results show that the virus's behavior feature matrix can evidently define the relations between behavioral features and Ransomware classes. In other words, the experimental results can be used as a reference basis for ransom virus classification and variant identification through the ontology abstract data model. In further, the results can be converted into detction rulesused in real-time virus detection of NIDS to improve detection accuracy and reduce false positive rate.

摘　　要 I
Abstract II
誌 謝 III
目　錄 IV
表　目　錄 V
圖　目　錄 VI
第一章、緒論 1
1.1 研究背景 1
1.2 研究動機 3
1.3 研究目的 3
1.4 論文架構 4
第二章、文獻與技術探討 6
2.1 病毒動態行為特徵分析技術 6
2.1.1靜態分析 6
2.1.2沙盒技術 6
2.2深度學習網路 7
2.3 LeNet-5卷積神經網路 8
2.4卷積神經網路應用於網路病毒與威脅偵測 12
第三章、研究方法 15
3.1 實驗規劃 15
3.2 行為特徵篩選 16
3.3 研究過程 17
3.3.1研究工具 18
第四章、勒索病毒家族之行為特徵 20
4.1實驗資料來源 20
4.2病毒行為特徵擷取 22
4.3病毒分類與辨識 28
第五章、結論與建議 35
5.1 研究結論 35
5.2 後續議題探討 36
參考文獻 37

[1] Fortinet Crop., Fortinet 2018 年第二季網路威脅報告, 取自： https://m.fortinet.com.tw/site/%E5%AE%B6%E7%94%A8%E7%89%A9%E8%81%AF%E7%B6%B2%E8%A8%AD%E5%82%99%E7%82%BA%E5%8A%AB%E6%8C%81%E6%8C%96%E7%A4%A6%E7%9A%84%E9%A6%96%E8%A6%81%E6%94%BB%E6%93%8A%E7%9B%AE%E6%A8%99/
[2] 李震華(2018)。從台積電病毒事件看近年企業資安威脅之轉變。財團法人資訊工業策進會，產業情報研究所。取自： https://mic.iii.org.tw/industry.aspx?id=310&list=75
[3] 趨勢科技(2017)。2017年資安總評：弔詭的網路威脅資安總評報告。取自：
https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup
[4] 刑事警察局(2019)。反勒索，有解藥!勒索病毒來襲免緊張。取自：
https://www.cib.gov.tw/News/BulletinDetail/8186
[5] 陳智德(2018)。醫療產業駭客威脅日益增加 零信任網路成為安全架構之一。DIGITIMES。取自： https://www.digitimes.com.tw/iot/article.asp?cat=158&cat1=20&id=0000525540_9IT4KNVC5HNXBAL6NI23B
[6] 陳坤中、洪嘉璟(2017)。出席2017年物聯網資訊安全高峰會出國報告。國家通訊傳播委員會。取自： https://www.ncc.gov.tw/chinese/files/18010/3928_38523_180105_1.pdf
[7] 電週文化事業(2019)。徹底揭露2019年臺灣最大規模病毒攻擊事件。取自： https://www.ithome.com.tw/news/134108
[8] 吳保樺，林文暉，王平(2018)。應用卷積深度神經網路於DDoS攻擊偵測。崑山科技大學資訊管理系，碩士論文。
[9] 洪維謙，王平(2019)。以正規化概念分析為基礎之網路勒索病毒行為分析，崑山科技大學資訊管理系，碩士論文。.
[10] NEC。人臉辨識系統解決方案。取自： http://tw.nec.com/zh_TW/solutions/security/neoface.html
[11] 鍾張涵、譚偉晟(2017)。中日兩大現場 直擊AI三大最夯亮點,今周刊。取自：http://www.businesstoday.com.tw/article/category/80394/post/201711150016
[12] 周秉誼(2016)。淺談Deep Learning原理及應用。國立台灣大學電子計算中心電子報，第0038期。取自：http://www.cc.ntu.edu.tw/chinese/epaper/0038/20160920_3805.html
[13] MoneyDJ(2017)。深度學習助網路攻擊偵測率升至 99%，NVIDIA 出資力挺。科技新報。取自： https://technews.tw/2017/07/13/nvidia-investment-deep-instinct/
[14] NVIDIA Corp. (2015)。NVIDIA GPU驅動Facebook最新深度學習機器。NVIDIA 新聞。取自：https://www.nvidia.com/zh-tw/about-nvidia/press-releases/2015/nvidia-gpus-power-facebook-deep-learning-machine-20151215/
[15] 韓曉光，曲武，姚宣霞等(2014)。基於紋理指紋的惡意程式碼變種檢測方法研究。通信學報，35(8): 125-136。
[16] 寇廣,湯光明,王碩,宋海濤,邊媛(2016)。深度學習在僵屍雲檢測中的應用研究。通信學報，37 (11):114~128, Nov. 2016。

-------英文文獻開始處
[17] Yuval Nativ.theZoo, (available online at https://github.com/ytisf/theZoo)
[18] Endermanch,MalwareDatabase, (available online at https://github.com/Enderm anch/MalwareDatabase)
[19] ANY.RUN - Interactive Online Malware Sandbox (available online at https://app. any.run/)
[20] Tutorial Jinni | Hub of Tutorials (available online at https://www.tutorialjinni.com/)
[21] Standard university.Protégé, website:https://protege.stanford.edu/
[22] HoneyNet.Cuckoo Sandbox, (available online at https://github.com/ cuckoosandbox/cuckoo)
[23] Yann LeCun,Leon Bottou,Yoshua Bengio,and Patrick Haffne(1998).GradientBased Learning Applied to Document Recognition
[24] Wikipedia.Deep Learning, website:https://en.wikipedia.org/wiki/Deep_learning
[25] S. Greengard (2016).Cybersecurity Gets Smart, Communications of the ACM, Vol. 59, No.5, Technology, DOI:10.1145/2898969
[26] A. Rosebrock, Rants (2014). Get off the deep learning bandwagon and get some perspective, Machine Learning, website:https://www.pyimagesearch.com/2014/06/09/get-deep-learning- bandwagon-get- perspective/
[27] C.Szegedy, V.Vanhoucke, S. Ioffe, Z. Wojna (2016). Rethinking the Inception Architecture for Computer Vision, in Proceedings of the IEEE on Computer Vision and Pattern Recognition (CVPR), WA, USA, arXiv:1512.00567.
[28] Wikipedia (2017). Convolutional neural network, website:https://en.wikipedia.org/wiki/ Convolutional_neural_network
[29] Wikipedia (2017).Softmax function. website:https://en.wikipedia.org/wiki/Softmax_function
[30] Z. Y. Tan (2013). Detection of denial-of-service attacks based on computer vision techniques,Sydney: University of Technology.
[31] J. E.Yan, C. Y.Yuan, H. Y.Xu, et al.(2013). Method of detecting IRC botnet based on the multi- features of traffic flow, Journal on communications, 2013, 34(10): 49-64.
[32] J. Saxe, K. Berlin (2015), Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features,
website:https://arxiv.org/abs/1508.03096v2
[33]A. Y. Javaid, Q. Niyaz,W. Sun, M. Alam (2015). A Deep Learning Approach for Network Intrusion Detection System, Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies, New York, December, 2015
[34] Y. Wang, W. D. Cai, P. C. Wei (2016).A deep learning approach for detecting malicious javascript code[J]. Security & Communication Networks, 2016, 51(8): 28656-28667.