Title: | Proactive Cloud Dynamic Protection, Security Authorization, and Risk Assessment, Subproject 4: Online Detection and Containment of Unknown Malware in Virtualized Datacenter Environment |
Author: | Wu Yu-Sung (吴育松), Department of Computer Science, National Chiao Tung University |
Date Issued: | 2014 |
Abstract: | Online malware protection mechanisms on production systems mainly decide whether a program is malicious before it executes, using methods such as signature matching, heuristic detection, or code emulation. These detection techniques are highly efficient and achieve very high detection rates for known malware, but their detection rates against unknown malware are unsatisfactory. Many studies on behavior-based malware analysis have pointed out that although unknown malware varies enormously in its code, its key behaviors are often similar to those of existing malware, for example because the underlying goals are similar (e.g. spreading spam) or because the malware shares part of its code with existing malware. However, analyzing the behavior of malware requires running it first; given the damage malware may cause to a system, behavior-based malware analysis is mostly carried out in closed laboratory environments rather than on production systems. The goal of this project is to build an online unknown-malware detection and containment system that operates on behavior patterns in a real production environment. The system will be based on the Hypervisor IDS/IPS technology we developed previously and will provide online malware detection and containment for production systems in a cloud virtualized datacenter. The main challenges of this project include the following. First, monitoring the execution of malware imposes a considerable burden on system performance; achieving accurate behavior analysis in the most efficient way is a challenge we must overcome. Second, the matching algorithms of existing behavior-based malware analysis tools are mostly designed for offline analysis, and their performance may not meet the needs of online real-time detection; we need to adapt these algorithms so that they deliver the performance online detection requires. Finally, while its behavior is being observed, the potential malware has already been running on the production system for some time, and by the time it is confirmed to be malware it may already have caused damage in many places in the system. How to ensure the safety of important data and resources in the system and clean up the damage caused by the malware are also issues this project must address.
Online malware protection for production systems has been relying on detection techniques such as signature matching, heuristics, or code emulation to identify malware binaries prior to their execution or access. These detection techniques are very efficient and have decent detection accuracy with respect to well-known malware. However, these detection techniques all perform poorly with respect to unknown malware, where the corresponding signature or heuristic pattern is not known yet. Research in the area of malware behavior analysis has shown that unknown malware can often feature behavior that is similar to some existing malware. They are likely designed for the same malicious purposes (e.g. e-mail spamming), or, quite commonly, one is in fact a variant of the other. However, the extraction of a behavior pattern requires executing the malware in question. This cannot be safely carried out on a production system, as the malware may cause damage to the system. Along with the issue of significant performance overhead, behavior-based malware analysis has not yet been applied to production systems for online malware protection. The goal of this project is to develop a behavior-based unknown malware protection system. The system will be built on top of our hypervisor IDS/IPS infrastructure to provide online malware protection for production systems running in a virtualized datacenter environment. There are many challenges that need to be addressed in developing such a system. First, the extraction of malware's runtime behavior is a costly process (e.g. per-instruction tracing, taint analysis, etc.). How to attain an accurate behavior profile with minimal performance overhead is an issue we need to address. Second, existing malware behavior matching algorithms are mainly used in an offline setting. We need to adapt these algorithms to make them efficient enough to suit the online detection mode. Third, the extraction of behavior requires running potential malware on the production system. By the time a malware is identified, damage could already have been done to the system. How to ensure the safety of critical system components and be able to clean up any aftereffects of running the malware are also challenges that we need to address. |
Official Document #: | NSC101-2221-E009-076-MY3 |
URI: | http://hdl.handle.net/11536/98272 https://www.grb.gov.tw/search/planDetail?id=8108490&docId=429114 |
Appears in Collections: | Research Plans |