Title: | Detecting Mimicry Malicious Emails |
Authors: | 黃麟鈞, 謝續平 (Institute of Computer Science and Engineering) |
Keywords: | Advanced Persistent Threat; Malicious Email; Clustering |
Issue Date: | 2013 |
Abstract (Chinese, translated): | Email has long been a convenient and important communication tool, but in recent years it has also become one of the means used by a newly emerging form of network attack, the "Advanced Persistent Threat". This kind of attack usually combines email with social engineering and malicious attachments: mail content related to the target is used to lure the target into downloading the malicious attachment, thereby penetrating the personal computer or even the organization's internal network. Unlike earlier spam or worms, which are spread across the network in large quantities, targeted malicious emails are very few in number and use different attack samples for different targets; and because the mail content usually contains personal private information, public attack samples are very hard to obtain, so research in this area is very scarce. This thesis investigates how to detect mimicry targeted attack emails. Such emails are usually produced by an attacker who understands the target's mail-receiving habits, or who modifies a previously delivered email and attaches a malicious file, so that the result closely resembles the mail in the target's mailbox and is hard to distinguish. We believe, however, that because the attacker may be unable to mimic the mail perfectly under limited information, or in order to hide the malicious behaviour, detection remains possible. In this thesis we exploit this mimicry property and propose clustering the mail in the target's mailbox and combining this with anomaly detection to detect mimicry malicious emails. In our clustering-based anomaly detection, such a malicious email is defined as being far from the centre of the cluster of the mail type it imitates, whereas normal emails are close to the centre of the cluster they belong to. During clustering we use a small number of malicious and normal emails labelled by the user, combined with evolutionary computation, to adjust the weights of the different mail features so that the parts the attacker failed to mimic stand out, and use this as the basis for subsequent detection. Finally we compare our approach with an ordinary supervised classifier; the results show that with a small number of labelled emails our proposed method achieves a better detection rate. |
Abstract (English): | Email is the most popular and convenient way to communicate on the Internet. In recent years, a newly developed security threat, namely Advanced Persistent Threats (APTs), has caused losses to many organizations, even including Google. Email is one of the favored attack vectors because it is cheap and easy to forge. Attackers usually send an email with personally relevant information to attract victims into opening a malicious attachment. In contrast to traditional email attacks, spam or worms, these targeted malicious emails (so-called TMEs) are small in quantity and vary with the receiver. TME samples are hard to collect due to the private information they contain, so such research is barely discussed. In this paper, we discuss how to detect the mimicry malicious email (MME), which is a subset of TME. An MME mimics email already received in the victim's mailbox to increase the chance of a successful attack. We observe that an MME must have distinguishable attributes in order to attack, so machine learning can be applied to recognize these features as anomalies. We propose an anomaly detection scheme based on clustering to detect MMEs. In this work, we assume that MMEs should be far away from the centroid of the clusters they belong to, whereas normal emails are close to the centroid. Our scheme complements conventional clustering-based anomaly detection when a few labeled MME samples are collected. Moreover, the accuracy of our scheme can be improved by user feedback, and a genetic algorithm is applied to find the proper weighting among attributes to generate a new detection model. The detection accuracy of the adjusted model is compared to classical supervised Naïve Bayes classification. The result shows that our work has better performance than a method employing only classification. |
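As an added illustration (not code from the thesis), the following pure-Python sketch shows the detection idea described in the abstract: mailbox emails are k-means clustered under per-feature weights, each email is scored by its distance to its own centroid relative to that cluster's spread, and a small genetic algorithm adjusts the weights using a few user-labelled samples. The feature vectors, labels and all function names are constructed assumptions.

```python
import math
import random
# Constructed mailbox (not the thesis's data): one feature vector per email.
# Features, each scaled to [0, 1]: sender-domain familiarity, subject
# similarity to earlier mail, body similarity to earlier mail, attachment risk.
MAILBOX = [
    (0.90, 0.90, 0.90, 0.10), (0.95, 0.85, 0.88, 0.12),  # internal newsletter thread
    (0.88, 0.92, 0.85, 0.08), (0.92, 0.88, 0.92, 0.10),
    (0.80, 0.20, 0.30, 0.50), (0.78, 0.25, 0.28, 0.55),  # vendor invoices
    (0.82, 0.18, 0.35, 0.48), (0.79, 0.22, 0.32, 0.52),
    (0.90, 0.85, 0.50, 0.90),  # index 8: mimics the newsletter, but body and attachment differ
]
LABELS = {0: 0, 4: 0, 8: 1}  # user feedback: a few normal (0) and MME (1) samples

def wdist(a, b, w):
    """Weighted Euclidean distance; w scales each feature's contribution."""
    return math.sqrt(sum(wi * (x - y) ** 2 for x, y, wi in zip(a, b, w)))

def kmeans(points, k, w, iters=20):
    """Plain k-means under weights w, seeded deterministically with the first k points."""
    centroids = [points[i] for i in range(k)]
    for _ in range(iters):
        assign = [min(range(k), key=lambda c: wdist(p, centroids[c], w)) for p in points]
        for c in range(k):
            members = [p for p, a in zip(points, assign) if a == c]
            if members:  # an emptied cluster keeps its previous centroid
                centroids[c] = tuple(sum(col) / len(col) for col in zip(*members))
    return centroids, assign

def anomaly_scores(points, w, k=2):
    """Each email's distance to its own centroid, relative to that cluster's mean distance."""
    centroids, assign = kmeans(points, k, w)
    dists = [wdist(p, centroids[a], w) for p, a in zip(points, assign)]
    spread = [sum(d for d, a in zip(dists, assign) if a == c) / max(assign.count(c), 1) for c in range(k)]
    return [d / (spread[a] + 1e-9) for d, a in zip(dists, assign)]

def fitness(w):
    """Score margin between the labelled MME and the labelled normal emails."""
    s = anomaly_scores(MAILBOX, w)
    return min(s[i] for i, y in LABELS.items() if y) - max(s[i] for i, y in LABELS.items() if not y)

def evolve_weights(gens=30, pop=12, seed=1):
    """Small genetic algorithm: keep the fitter half, refill by mutating survivors."""
    rnd = random.Random(seed)
    n = len(MAILBOX[0])
    population = [(1.0,) * n] + [tuple(rnd.uniform(0.1, 3.0) for _ in range(n)) for _ in range(pop - 1)]
    for _ in range(gens):
        survivors = sorted(population, key=fitness, reverse=True)[:pop // 2]
        children = [tuple(max(0.05, g * rnd.uniform(0.7, 1.3)) for g in rnd.choice(survivors))
                    for _ in range(pop - len(survivors))]
        population = survivors + children
    return max(population, key=fitness)  # uniform weights start in the population, so fitness never drops
```

With uniform weights the mimicking email (index 8) already has the highest score because its body and attachment features pull it away from its cluster centroid; the evolved weights widen the margin between the labelled MME and the labelled normal mail.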
URI: | http://140.113.39.130/cdrfb3/record/nctu/#GT070156072 http://hdl.handle.net/11536/75605 |
Appears in Collections: | Theses |