Title: Automatic Analysis and Classification of Obfuscated Bots and Malware Binaries (Chinese title: 对混淆后之僵尸网路及恶意软体自动化分析与分类)
Authors: 江易达 (Chiang, Yi-Ta); 林盈达 (Lin, Ying-Dar)
Institute of Network Engineering
Keywords: Botnet; System Call; LCS (Longest Common Substring) Algorithm
Issue Date: 2009
Abstract: Botnets are a serious threat on the Internet. To detect a botnet, we need an efficient way to analyse bot behaviour. However, a bot's binary code can easily be transformed by obfuscation, so repeatedly analysing many bots obfuscated from the same origin wastes a great deal of time. Several classification algorithms have been proposed to solve this problem, but most of them cannot classify obfuscated bots correctly. We propose a method that classifies them correctly. First we collect the system call sequence of a malware sample; then we compute the longest common substring (LCS) of two sequences and their gap-shift distribution to decide the similarity of the two samples. We also use segment identification to improve the recognition rate. Experiments show that our algorithm achieves a 94% correctness rate when distinguishing different samples, and a 90% correctness rate when identifying obfuscated variants of the same sample as belonging to the same class.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079756503
http://hdl.handle.net/11536/45993
Appears in Collections: Thesis


Files in This Item:

  1. 650301.pdf
