University Theses & Dissertations Repository
CITYU Theses & Dissertations
Thesis Details
Author: 張揚宗
Supervisor: 應作斌
Faculty: Faculty of Data Science
Programme: Master of Data Science (Chinese-medium programme)
Degree: Master
2022
Title (Chinese): 惡意軟體注入檢測及程式網絡流量行為分析
Title (English): Anteater: Malware Injection Detection with Program Network Traffic Behavior
Keywords: Malware Injection Detection; Advanced Persistent Threat; Program Traffic Behavior; Network Security; Anteater
Abstract: Recent stealthy attacks hide malicious behavior behind seemingly ordinary connections to popular online services, made by applications that look harmless. Traditional network monitoring and signature-based detection cannot catch them, because attackers often host their command-and-control (C&C) servers at well-known cloud providers so that the anomalous traffic looks like normal traffic. This thesis proposes Anteater, an application-level monitoring system. Anteater builds a fine-grained profile of each benign program's network traffic behavior that describes the program's "expected" destinations. By comparing a program's live traffic against its profile, Anteater can quickly identify IP addresses the program does not normally access and block those connections immediately. Anteater was evaluated on a real-world enterprise dataset containing over 400 million network traffic sessions. The results show a high detection rate for malware injection: a true positive rate of 94.5% with a false positive rate below 0.1%.
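As an added illustration of the profiling-and-interception idea in the abstract (example code written for this record, not the thesis's Anteater implementation): each program gets a profile of the destinations it normally contacts, and a new session is scored by how consistent its destination IP, the IP's registrant and the IP's country are with that profile. The session fields, the consistency definition (fraction of the program's past sessions sharing the attribute), the thresholds and all sample sessions below are assumptions constructed for the example; the thesis's own ratio definitions are not reproduced on this page. The updater case shows the intended detection of a non-interactive program reaching a cloud-hosted destination it has never used, while the browser case shows why an interactive program with a broad profile is a harder injection target.

```python
from collections import Counter
from dataclasses import dataclass

# Session layout assumed for this example: (program, dst_ip, registrant, country).
# In a deployment the registrant and country would come from WHOIS/ASN and GeoIP
# lookups of dst_ip; here they are constructed values.
Session = tuple


@dataclass
class Profile:
    """Expected network behavior of one program, learned from benign sessions."""
    sessions: int
    ips: Counter
    registrants: Counter
    countries: Counter


def build_profiles(sessions):
    """Build one Profile per program from benign training sessions."""
    profiles = {}
    for program, ip, registrant, country in sessions:
        p = profiles.setdefault(program, Profile(0, Counter(), Counter(), Counter()))
        p.sessions += 1
        p.ips[ip] += 1
        p.registrants[registrant] += 1
        p.countries[country] += 1
    return profiles


def consistency(profile, ip, registrant, country):
    """Assumed definition: share of the program's past sessions matching each attribute."""
    n = profile.sessions
    return {
        "ip": profile.ips[ip] / n,
        "registrant": profile.registrants[registrant] / n,
        "country": profile.countries[country] / n,
    }


def classify(profiles, session, min_registrant=0.05, min_country=0.05):
    """Decide allow/block for one live session against the program's profile.

    Returns (verdict, ratios). An unprofiled program is reported rather than
    blocked, so a missing profile does not silently become a false positive.
    """
    program, ip, registrant, country = session
    profile = profiles.get(program)
    if profile is None:
        return "unknown-program", {}
    r = consistency(profile, ip, registrant, country)
    if r["ip"] > 0:
        return "allow", r  # destination already in the profile
    # Unseen IP: tolerate it only if the program already talks to this owner
    # (registrant) in this country, which absorbs CDN/cloud address rotation.
    if r["registrant"] >= min_registrant and r["country"] >= min_country:
        return "allow-new-ip", r
    return "block", r


def detect(profiles, live_sessions):
    """Return the (program, dst_ip) pairs that would be intercepted."""
    return [(s[0], s[1]) for s in live_sessions if classify(profiles, s)[0] == "block"]


# Constructed benign training sessions (RFC 5737 documentation addresses).
TRAINING = [
    ("updater.exe", "192.0.2.10", "Vendor A Inc", "US"),
    ("updater.exe", "192.0.2.10", "Vendor A Inc", "US"),
    ("updater.exe", "192.0.2.11", "Vendor A Inc", "US"),
    ("updater.exe", "192.0.2.12", "Vendor A Inc", "US"),
    ("browser.exe", "198.51.100.1", "Search Co", "US"),
    ("browser.exe", "198.51.100.2", "Search Co", "US"),
    ("browser.exe", "198.51.100.3", "CDN One", "US"),
    ("browser.exe", "198.51.100.4", "CDN One", "DE"),
    ("browser.exe", "198.51.100.5", "Cloud Provider X", "US"),
    ("browser.exe", "198.51.100.6", "Cloud Provider X", "US"),
    ("browser.exe", "198.51.100.7", "Social Net", "US"),
    ("browser.exe", "198.51.100.8", "News Site", "GB"),
    ("browser.exe", "198.51.100.9", "Video Co", "US"),
    ("browser.exe", "198.51.100.3", "CDN One", "US"),
]

# Constructed live sessions; 203.0.113.9 plays a C&C server hosted at a cloud provider.
LIVE = [
    ("updater.exe", "192.0.2.10", "Vendor A Inc", "US"),        # known destination
    ("updater.exe", "192.0.2.20", "Vendor A Inc", "US"),        # new IP, same owner
    ("updater.exe", "203.0.113.9", "Cloud Provider X", "NL"),   # injected C&C traffic
    ("browser.exe", "203.0.113.9", "Cloud Provider X", "US"),   # same C&C via browser
    ("mail.exe", "203.0.113.9", "Cloud Provider X", "NL"),      # no profile yet
]

if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    for s in LIVE:
        verdict, ratios = classify(profiles, s)
        print(f"{s[0]:12} -> {s[1]:14} {verdict:16} {ratios}")
    print("intercepted:", detect(profiles, LIVE))
```

The browser session to the same C&C address is allowed because the browser's profile already contains that cloud provider in that country; a per-program profile only catches injection into programs whose expected destinations are narrow, which is why interactive programs are evaluated separately from non-interactive ones.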
2023
Language: Chinese
Pages: 74
Table of contents:
Acknowledgements I
Abstract (Chinese) II
Abstract III
List of Figures VI
List of Tables VII
Chapter 1 Introduction 8
1.1 Research Background 8
1.1.1 Research Objectives 9
1.1.2 Research Contributions 10
Chapter 2 Basic Concepts 12
2.1 Related Work 12
2.1.1 Stage Characteristics of Ransomware 12
Chapter 3 Threats and Motivation 15
3.1 Threat Model and Behavioral Motivation 15
3.1.1 Evading Host Inspection 15
3.1.2 Portable Executable Injection (PE Injection) 15
3.1.3 Process Hollowing 16
3.1.4 Thread Execution Hijacking 17
Chapter 4 Detection Evasion Analysis 20
4.1 Evading IPS Monitoring 20
4.1.1 Stealthy Attacks 20
4.1.2 Threat Model 21
Chapter 5 Anteater System Model 22
5.1 Anteater: Program Network Behavior System Model 22
5.1.1 Anteater Design and Background Factors 22
5.1.2 Anteater: Data Collection System 23
5.2 Data Collection for Benign and Malicious Software 24
5.3 Data Preprocessing and Statistics 26
5.4 VMware Virtualization 28
5.4.1 Compute Servers 30
5.4.2 Storage Network and Disk Arrays 30
5.4.3 IP Network 31
5.4.4 Management Servers 31
5.4.5 Virtual Data Center Architecture 32
5.4.6 Hosts, Clusters and Resource Pools 33
5.4.7 Network Architecture 35
5.5 Cobalt Strike 37
5.5.1 Payload Artifacts and Anti-virus Evasion 39
5.5.2 Browser Man-in-the-Middle Attack 40
5.5.3 Pivoting 41
5.5.4 Command and Control Beacons 41
5.5.5 Malleable Process Injection 43
5.5.6 Beacon Object Files 46
5.5.7 Aggressor Script 50
Chapter 6 Network Traffic Behavior Analysis 51
6.1 Profiling Program Network Traffic Behavior 51
6.2 Frequency Ratio and Consistency Ratio 51
6.3 IP Address Consistency Ratio 52
6.4 Registrant Consistency Ratio 52
6.5 Country Consistency Ratio 54
Chapter 7 Evaluation of Program Behavior Consistency 55
7.1 Evaluation of Consistency Ratios 55
7.1.1 Non-interactive Programs 55
7.1.2 Interactive Programs 56
7.2 IP Address Type Analysis 57
7.3 Identifying a Program's Owner IP Addresses 58
7.4 IP Address Type Distribution for Common Programs 58
7.5 IP Address Type Distribution for All Programs 59
Chapter 8 Effectiveness of Network Traffic Policy Detection 61
8.1 Detection with Network Traffic Profiles 61
8.2 Dataset and Features 61
8.3 Cross-Validation with Anteater 62
8.4 Case Study: POSHSPY 64
Chapter 9 Outlook and Discussion 65
9.1 Future Research Directions and Discussion 65
9.2 Existing Detection Systems 65
9.3 Interactive Programs as Injection Targets 66
9.4 Generality and Limitations 66
Chapter 10 Conclusion 68
10.1 Conclusion 68
References 69
Author Biography 73
Appendix 74
References:
1. CISA. Ransomware Awareness for Holidays and Weekends. https://www.cisa.gov/uscert/ncas/alerts/aa21-243a
2. Fortinet. (2021). Global Threat Landscape Report. 16.
3. Paloalto. (2017). Threat Brief: Why Ransomware Hurts So Much and Is So Hard to Stop. https://unit42.paloaltonetworks.com/threat-brief-ransomware-hurts-much-hard-stop/
4. McAfee.What Is Fileless Malware? https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html
5. Cobalt Strike | Adversary Simulation and Red Team Operations. Cobalt Strike Research and Development. https://www.cobaltstrike.com/
6. ESET. (2019, Oct 17). Operation Ghost: The Dukes aren’t back – they never left. WeLiveSecurity. https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/
7. Jirsik, T., & Velan, P. (2021). Host Behavior in Computer Network: One-Year Study. IEEE Transactions on Network and Service Management, 18(1), 822–838. https://doi.org/10.1109/TNSM.2020.3036528
8. Sun, Y., Jee, K., Sivakorn, S., Li, Z., Lumezanu, C., Korts-Parn, L., Wu, Z., Rhee, J., Kim, C. H., Chiang, M., & Mittal, P. (2020). Detecting Malware Injection with Program-DNS Behavior. 2020 IEEE European Symposium on Security and Privacy (EuroS P), 552–568. https://doi.org/10.1109/EuroSP48549.2020.00042
9. Jin, Y., Tomoishi, M., & Yamai, N. (2021). Anomaly Detection on User Terminals Based on Outbound Traffic Filtering by DNS Query Monitoring and Application Program Identification. 2021 International Conference on Human-Machine Interaction, 47–56. https://doi.org/10.1145/3478472.3478481
10. Norton. What is fileless malware and how does it work? https://us.norton.com/internetsecurity-malware-what-is-fileless-malware..html
11. MITRE. Process Injection, Technique T1055—Enterprise. https://attack.mitre.org/techniques/T1055/
12. Elastic. (2017, July 18). Ten process injection techniques: A technical survey of common and trending process injection techniques. Elastic Blog. https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
13. Microsoft. (2017, July 13). Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing. Microsoft Security Blog. https://www.microsoft.com/security/blog/2017/07/12/detecting-stealthier-cross-process-injection-techniques-with-windows-defender-atp-process-hollowing-and-atom-bombing/
14. FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group (rpt-apt29-hammertoss.pdf). https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
15. Kaspersky. (2020, June 17). Steganography in attacks on industrial enterprises (updated) | Kaspersky ICS CERT. https://ics-cert.kaspersky.com/publications/steganography-in-attacks-on-industrial-enterprises/
16. MITRE. Kazuar, Software S0265 | MITRE ATT&CK. https://attack.mitre.org/software/S0265/
17. MITRE. Turla, Group 88, Belugasturgeon, Waterbug, WhiteBear, VENOMOUS BEAR, Snake, Krypton, Group G0010 | MITRE ATT&CK. https://attack.mitre.org/groups/G0010/
18. MITRE. Web Service, Technique T1102—Enterprise | MITRE ATT&CK®. https://attack.mitre.org/techniques/T1102/
19. MITRE. Empire, Software S0363 | MITRE ATT&CK. https://attack.mitre.org/software/S0363/
20. Willems, C., Holz, T., & Freiling, F. (2007). Toward Automated Dynamic Malware Analysis Using CWSandbox. IEEE Security Privacy, 5(2), 32–39. https://doi.org/10.1109/MSP.2007.45
21. Bhatkar, S. B., Nanda, S., & Wilhelm, J. S. Techniques for Behavior Based (patent; title truncated in the source record). 16.
22. Goel, A., Feng, W.-C., Maier, D., Feng, W.-C., & Walpole, J. (2005). Forensix: A robust, high-performance reconstruction system. 25th IEEE International Conference on Distributed Computing Systems Workshops, 155–162. https://doi.org/10.1109/ICDCSW.2005.62
23. Kwon, Y., Wang, F., Wang, W., Lee, K. H., Lee, W.-C., Ma, S., Zhang, X., Xu, D., Jha, S., Ciocarlie, G., Gehani, A., & Yegneswaran, V. (2018). MCI: Modeling-based Causality Inference in Audit Logging for Attack Investigation. Proceedings 2018 Network and Distributed System Security Symposium. Network and Distributed System Security Symposium, San Diego, CA. https://doi.org/10.14722/ndss.2018.23306
24. Xu, Z., Wu, Z., Li, Z., Jee, K., Rhee, J., Xiao, X., Xu, F., Wang, H., & Jiang, G. (2016). High Fidelity Data Reduction for Big Data Security Dependency Analyses. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 504–516. https://doi.org/10.1145/2976749.2978378
25. Lyu, M., Gharakheili, H. H., Russell, C., & Sivaraman, V. (2021). Hierarchical Anomaly-Based Detection of Distributed DNS Attacks on Enterprise Networks. IEEE Transactions on Network and Service Management, 18(1), 1031–1048. https://doi.org/10.1109/TNSM.2021.3050091
26. Madariaga, D., Madariaga, J., Panza, M., Bustos-Jiménez, J., & Bustos, B. (2021). Detecting Anomalies at a TLD Name Server Based on DNS Traffic Predictions. IEEE Transactions on Network and Service Management, 18(1), 1016–1030. https://doi.org/10.1109/TNSM.2021.3051195
27. Yin, H., Song, D., Egele, M., Kruegel, C., & Kirda, E. (2007, October 28). Panorama: Capturing system-wide information flow for malware detection and analysis. https://doi.org/10.1145/1315245.1315261
28. VMware. VMware vSphere 7.0 Release Notes. https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html
29. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. FireEye. https://www.fireeye.com/current-threats/apt-groups/rpt-apt29.html
30. Mandiant. Dissecting One of APT29's Fileless WMI and PowerShell Backdoors (POSHSPY). https://www.mandiant.com/resources/dissecting-one-ofap
31. Sivakorn, S., Jee, K., Sun, Y., Korts-Pärn, L., Li, Z., Lumezanu, C., Wu, Z., Tang, L.-A., & Li, D. (2019). Countering Malicious Processes with Process-DNS Association. NDSS.
32. Chawla, N. V., Bowyer, K. W., Hall, L. O., & Kegelmeyer, W. P. (2002). SMOTE: Synthetic Minority Over-sampling Technique. Journal of Artificial Intelligence Research, 16, 321–357. https://doi.org/10.1613/jair.953
33. Weimer, F. (2005). Passive DNS replication. FIRST conference on computer security incident, 98, 1–14.
34. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., & Feamster, N. (2010). Building a Dynamic Reputation System for DNS. 19th USENIX Security Symposium (USENIX Security 10).
35. Bilge, L., Kirda, E., Kruegel, C., & Balduzzi, M. (2011). Exposure: Finding malicious domains using passive DNS analysis. NDSS, 1–17.
36. Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., & Dagon, D. (2012). From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware. 21st USENIX Security Symposium (USENIX Security 12), 491–506.
37. Perdisci, R., Corona, I., Dagon, D., & Lee, W. (2009). Detecting malicious flux service networks through passive analysis of recursive DNS traces. 2009 Annual Computer Security Applications Conference, 311–320.
38. Plohmann, D., Yakdan, K., Klatt, M., Bader, J., & Gerhards-Padilla, E. (2016). A comprehensive measurement study of domain generating malware. 25th USENIX Security Symposium (USENIX Security 16), 263–278.
39. Bartos, K., Sofka, M., & Franc, V. (2016). Optimized invariant representation of network traffic for detecting unseen malware variants. 25th USENIX Security Symposium (USENIX Security 16), 807–822.
40. Christodorescu, M., & Jha, S. (2003). Static analysis of executables to detect malicious patterns. 12th USENIX Security Symposium (USENIX Security 03).
41. Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M. G., Liang, Z., Newsome, J., Poosankam, P., & Saxena, P. (2008). BitBlaze: A new approach to computer security via binary analysis. International conference on information systems security, 1–25.
42. Moser, A., Kruegel, C., & Kirda, E. (2007). Limits of static analysis for malware detection. Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), 421–430.
43. You, I., & Yim, K. (2010). Malware obfuscation techniques: A brief survey. 2010 International conference on broadband, wireless computing, communication and applications, 297–300.
44. Bayer, U., Kruegel, C., & Kirda, E. (2006). TTAnalyze: A tool for analyzing malware. Citeseer.
45. Vasudevan, A., & Yerraballi, R. (2006). Cobra: Fine-grained malware analysis using stealth localized-executions. 2006 IEEE Symposium on Security and Privacy (S&P’06), 15 pp. – 279.
46. Uncovering cross-process injection with Windows Defender ATP. (2017, March 9). Microsoft Security Blog. https://www.microsoft.com/security/blog/2017/03/08/uncovering-cross-process-injection-with-windows-defender-atp/
47. Microsoft. (2017, July 13). Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing. Microsoft Security Blog. https://www.microsoft.com/security/blog/2017/07/12/detecting-stealthier-cross-process-injection-techniques-with-windows-defender-atp-process-hollowing-and-atom-bombing/
48. gHacks Technology News. (2019, January 21). Firefox will block DLL Injections. https://www.ghacks.net/2019/01/21/firefox-will-block-dll-injections/
49. Google Chrome 72’s Code Injection Blocking Detailed. https://news.softpedia.com/news/google-chrome-72-s-code-injection-blocking-detailed-524759.shtml
50. Microsoft Edge Blog. (2015, November 17). Protecting Microsoft Edge against binary injection. https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/