前瞻性雲端安全儲存、防護、行為分析與觀測平台---子計畫二：基於機器碼之Windows惡意程式行為分析雲端平台(I)

Abstract

由於雲端計算在應用上提供平台服務（PaaS），不管是客戶或是終端使用者皆有可能放置檔案到雲端平台，並藉由此平台進行傳遞、交換、散播等動作，這些方式與傳統網際網路上檔案交換並無太大差異，造成雲端平台上也有傳統網路攻擊的疑慮。對於雲端提供商與雲端平台客戶來說，若是在雲端上發生類似傳統網路的蠕蟲攻擊，營運上的損失與對商譽的傷害將是無法想像的巨大。因此，放置在雲端平台上的檔案安全與否變得格外重要。因此本研究計畫之首要目標擬研發惡意程式行為分析技術，並探討可應用於大規模雲端分析平台之方法，以偵測多面向且日新月異多變隱藏於雲端檔案的惡意程式。 在雲端計算服務技術上，全系統層次的動態汙染行為分析技術可比以往技術更精確的判斷執行檔案行為是否影響系統安全，提供了服務的可信賴性與雲端應用層的安全防禦，藉此為雲端服務技術的安全性把關。對於雲端計算平台技術來說，雲端虛擬化技術（Virtualization）是其中一項相當關鍵的觀念。本研究將探討此技術如何結合我們提出之方法，以適用於切割分析工作並平均分派給雲端內的虛擬單元進行計算，藉此大幅加速分析速度與有效利用雲端的強大計算能力。有別於傳統的軟體即服務（SaaS）模式，除了提供被動式可疑檔案上傳平台介面外，本研究計畫預期開發出一主動式服務，針對網際網路上現有檔案進行蒐集與分析，除了可提出一依據供使用者下載檔案時判斷安全性，也可讓資安人員用來驗證其開發出的檢測軟體是否做出正確的判斷。 本研究計畫共有三大研究目標：（一）用於可疑惡意程式行為分析之雲端平台設計、（二）適用於雲端平台之動態汙染行為分析技術研發、（三）雲端分析加速研究與惡意程式行為判讀。執行期間規劃為三年，並預計每年完成一單項研究目標。在第一年度中，我們將研發一用於可疑惡意程式行為分析之雲端平台提供可疑檔案安全分析服務並探討雲端分析負載平衡，而後於第二年同時研發全系統的動態汙染行為分析技術與研究如何整合現有安全分析工具於雲端平台，並實際應用產出之系統進行線上的分析偵測工作。並於第三年研究適用於加速動態汙染分析過程之雲端虛擬化技術，以期消除因追蹤污染造成的效能負擔，並針對分析出的行為進一步做惡意程度判讀。

As providing the application of cloud computing platform services (PaaS), regardless of the customers’ or end-users’ files should be placed on the cloud platform, and are passed, exchanged, and disseminated through this platform. These behaviors are not much different than the traditional Internet file swapping ways. It causes that cloud platforms also have the traditional concerns of network attacks. For cloud providers and customers, if there is an attack on a cloud which is similar to traditional network worms, the damage by operational and goodwill losses will be incredible. Therefore, it is very important to guarantee the file security in the cloud platform. The primary objective of this research is to develop a platform for cloud analysis and integration of security analysis technology to take into account the multifaceted and ever-changing cloud files. With cloud computing service technology, whole-system-level dynamic tainting behavior analysis is more accurate than previous techniques to determine whether the file execution affects the system security. By providing services to the trustworthiness of the application layer and cloud security defense, our techniques can provide cloud security checks. For cloud computing platform technology, the cloud virtualization is one of the key concepts. This research will explore how to combine our approaches in this technological method to apply to divide analysis works and assign evenly to the virtual computation units in a cloud to compute. By above method, we can enhance the analysis speed largely and effective use of cloud computing capacity. Unlike traditional software as a service (SaaS) model, in addition to providing passive suspicious file upload interface platform, this research project is expected to develop a proactive service for the Internet to collect and analyze existing files. The analysis results can provide a security judge for users before they download files, and it will also allow us to verify the security testing software is developed will or not. There are three major research objectives of this research project: (1) design a security analysis cloud platform for suspicious files, (2) develop a cloud dynamic tainting analysis tool, (3) cloud analysis acceleration and malicious behavior recognition. The duration of the implementation planning is three years, and we expect to complete an individual research goal each year. In the first year, we will develop a security analysis platform for cloud files and discuss the cloud load balancing. In the second year, we will develop a whole-system-wide dynamic tainting analysis tool and integration of existing security analysis tools with the platform. And in the third year, we will do research to accelerating the processing with cloud virtualization technology to eliminate the heavy load of dynamic tainting analysis.