Ziffersystem : A Novel Malware Distribution Detection System

Master's thesis, National Taiwan University of Science and Technology (國立臺灣科技大學), Department of Computer Science and Information Engineering (資訊工程系), academic year 104. To infect victim machines successfully under any circumstances, cyber-criminals must spread and install malware on as many victim machines as possible. The drive-by download attack is a direct way to do so: victims are lured to an infected Web page, and when they visit it the injected shellcode is triggered, the malware program is downloaded automatically and launched as soon as possible. Antivirus solutions and blacklists can defend against drive-by download attacks, but they are not always effective, because cyber-criminals use obfuscated malware variants and quickly churn through domains or IP addresses to evade antivirus and blacklist detection. In recent years, researchers have proposed a new direction: identifying drive-by download attacks in the installation phase through a "zoom-out" view of drive-by download behaviors. However, current solutions need a considerable number of browsing records from users at ISP scale, and may not work in an enterprise-scale network or where historical browsing data is insufficient. In this study, we propose "Ziffersystem", a system that detects infections in a targeted enterprise. "Ziffersystem" works with limited network traffic and still achieves good results. It includes two modules: Malicious Orchestrated Behaviors Modeling and the Orchestrated Behaviors Detector. Malicious Orchestrated Behaviors Modeling helps "Ziffersystem" obtain stronger "evil seeds" for modeling malicious structure; the system does not need large-scale network data (e.g. ISP traffic) to model malicious activity, which suits enterprises with little network traffic, highly sensitive data, or weak security protection. Our system then builds a malicious neighbor structure that exposes features of malicious download behavior which cannot be identified from a single malicious download. The Orchestrated Behaviors Detector of "Ziffersystem" focuses on detecting the telltale signs of the malicious network infrastructures that orchestrate these malware installations, signs that become apparent when looking at the collective traffic produced by many users in the targeted enterprise. The system calculates how close the input data are to malicious candidates and assesses whether they are Malware Distribution. We rank the input data by network traffic features (e.g. server IP, domain, path) to decide their score; input data similar to Malware Distribution have the potential of exposing distinct parts of the malicious activity which may otherwise remain undetected. Our system analyzed 78,033,562 URLs from government proxy logs covering 4,624 real hosts and detected a total of 37 malicious domains, 26 of which were also labeled malicious by antivirus products. We also implemented a Malware Distribution Identification tool named "Ziffersystem" that automates the description of Malware Distribution and the assessment of malicious orchestrated behaviors.


Bibliographic Details
Main Authors: Tzu-Hsien Chuang, 莊子賢
Other Authors: Hahn-Ming Lee
Format: Others
Language: en_US
Published: 2016
Online Access: http://ndltd.ncl.edu.tw/handle/rvnda6
Record ID: ndltd-TW-104NTUS5392046
Chinese title: 創新的可識別惡意軟體分發系統
Advisor: Hahn-Ming Lee (李漢銘)
Type: thesis (學位論文); 48
Collection: NDLTD