臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)

Detailed record
Author: 鄧鈞岱
Author (English): Chun-Dai Teng
Title: 自動化資安威脅情報萃取與知識本體產製
Title (English): Automated Extraction of Cyber Threat Intelligence and Its Ontology Generation
Advisor: 孫雅麗
Advisor (English): Yeali S. Sun
Committee: 陳俊良, 李育杰, 李漢銘, 陳孟彰
Committee (English): Jiann-Liang Chen, Yuh-Jye Lee, Hahn-Ming Lee, Meng-Chang Chen
Oral defense date: 2020-07-28
Degree: Master's
Institution: 國立臺灣大學 (National Taiwan University)
Department: 資訊管理學研究所 (Graduate Institute of Information Management)
Discipline: Computing
Sub-discipline: General computing
Thesis type: Academic thesis
Publication year: 2020
Academic year of graduation: 108 (ROC calendar)
Language: Chinese
Pages: 101
Keywords (Chinese): 惡意程式, 依存關聯分析, 威脅行為萃取, 知識本體, 執行序列分析
Keywords (English): Malware, Dependency Parser, Threat Action Extraction, Ontology, Execution Trace Analysis
DOI: 10.6342/NTU202003257
Record statistics:
  • Cited by: 0
  • Views: 305
  • Rating: none
  • Downloads: 0
  • Bookmarked: 0
Abstract (Chinese, translated):
In recent years, most malware research has started from a given malware sample, used sandbox technology to record its execution dynamically, and analyzed the sequence of high-level function calls the sample makes inside the system in order to understand what the malware actually does. This approach has limitations, however: the volume of output is too large, the low-level detail is excessive, the analysis cost is too high, and the presentation format differs from source to source. Even the technical reports produced by the large security vendors face the same problems.
To explain the whole course of a malware attack from a high-level, macroscopic perspective, one must fully understand the malware's behavioral characteristics and the system resources it touches. This study designs an automated threat-intelligence extraction method that collects and analyzes the procedure examples recorded under each technique of each tactic in the MITRE ATT&CK framework, extracts one or more malicious behaviors that identify that tactic and technique, and combines them with the ontology, a construct from philosophy used to describe domain knowledge, to build a threat ontology that describes the techniques and intent of malicious activity. With the threat ontology, the execution trace of a malware sample can be matched against it and the corresponding malicious-activity information collated, finally producing a time-ordered, concrete, structured TTP (Tactic, Technique, Procedure) technical summary report that presents the important activities the malware went through over its life cycle.
The experimental results show that the threat ontology produced by the research workflow does provide concrete threat information about low-level malware activity together with high-level information about the malware life cycle, and they demonstrate that it can be applied to the task of detecting malicious behavior in real malware samples. This quickly and efficiently yields threat intelligence that is easy for humans to read, which helps security managers grasp and communicate intelligence and helps lay readers learn security domain knowledge.
Abstract (English):
In recent years, research on malware has mostly used sandboxes to record execution dynamically and analyzed the trace log to understand the actual activity a malware sample performs, starting from a given malicious executable. However, this approach has limitations, such as too much content, overly detailed information, a high analysis cost (time, manpower), inconsistent presentation formats, and so on. Technical reports generated by threat intelligence companies face the same problems.
In order to explore the ins and outs of malware attacks from a high-level, macro perspective, it is necessary to fully understand the behavioral characteristics of malware and the system resources it contacts. This research designed an automated threat intelligence extraction method to analyze the technique and tactic content in the MITRE ATT&CK framework. From it, we extract one or more attack event cases (procedure examples) and identify the malicious behavior that characterizes the attack tactic and technique. When the extracted malicious behaviors are combined with an ontology, a threat ontology can be established that describes attack methods and intent. With the threat ontology, the malicious activities corresponding to a malware sample's trace log can be found. Finally, we produce a TTP (Tactic, Technique, Procedure) summary report. This report reflects the important steps the malware takes during its life cycle and is time-sequential, specific, and structured.
The experimental results show that the threat ontology produced by the research process can indeed provide specific information about low-level malware activities and the high-level malware life cycle. In addition, the threat ontology has been shown to be applicable to malicious-behavior detection on actual malware samples. In this way, it is possible to quickly and effectively provide easy-to-understand threat intelligence, which helps security managers collect and transmit information and also helps ordinary people acquire knowledge of cyber security.
Table of contents:
Acknowledgements
Chinese Abstract
Abstract
Contents
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Motivation
1.2 Objectives
1.3 Contributions
Chapter 2 Background
2.1 MITRE ATT&CK
2.2 Ontology
2.3 Indicators of Compromise
Chapter 3 Related Work
Chapter 4 Methodology and System Architecture
4.1 Web Page Crawling module
4.2 Sentence Splitter module
4.3 Special Token Identification and Replacement module
4.4 Analyzing Grammatical Structure of a Sentence module
4.5 Search for Attack Action-Object Relations module
4.5.1 Select Dependency Relation Types of Interest submodule
4.5.2 Search for Candidate Relation Tuples in a Dependency Tree submodule
4.6 Threat Ontology Base Categorization module
4.7 Threat Ontology Modeling module
Chapter 5 Experiments
5.1 Experimental Environment
5.2 Experimental Data and Preprocessing
5.3 Natural Language Analysis
5.4 Behavior Extraction
5.5 Behavior Filtering
5.6 Ontology Generation
5.7 TTP Technical Summary Analysis of Malware Samples (Registry as an Example)
Chapter 6 Conclusion
References