Title: Automatic Analysis and Classification of Obfuscated Bots and Malware Binaries
Authors: Chiang, Yi-Ta (江易達); Lin, Ying-Dar (林盈達)
Department: Institute of Network Engineering
Keywords: Botnet; System Call; LCS Algorithm
Date of publication: 2009
Abstract (translated from the Chinese): Botnets are a serious threat on the Internet. To detect botnets, we need an efficient method to analyze their behavior. However, a bot can easily change its binary code with an obfuscation tool, so repeatedly analyzing programs of the same kind wastes a great deal of time. Classification algorithms have been proposed to solve this problem, but most of them cannot correctly classify obfuscated programs. We therefore propose a method that classifies them correctly. First, the sequence of system calls made by the program is collected; then, based on this sequence, the longest common substring and the gap-shift distribution are computed to measure similarity. Segment identification is also used to raise the recognition rate. Experiments show 94% accuracy when distinguishing different samples, and 90% of the obfuscated variants of one sample are correctly recognized as belonging to that sample.
Abstract (original English): Botnets are a serious threat on the Internet. To detect botnets, we need an efficient method to analyze their behavior. However, bots can easily transform their binary code by obfuscation, so analyzing many different bots obfuscated from the same origin wastes time. Several classification algorithms have been proposed to solve this problem, but many of them cannot classify obfuscated bots well. We propose a method to classify them: first we collect the system call sequence of the malware, then we compute the LCS and the gap-shift distribution to decide the similarity of two samples. We also use segment identification to improve correctness. Experiments show that our algorithm achieves a 94% correctness rate in distinguishing different samples and a 90% correctness rate in identifying the class of bot variants.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079756503
http://hdl.handle.net/11536/45993
Appears in Collections: Thesis
Files in This Item:
  1. 650301.pdf