---
title: Ransomware Activity Detection and Defense
tags:
  - Group 1
  - Malware
  - Ransomware
---

### Problem Definition

Many studies have shown that the malware-detection problem is NP-complete.[^A_comprehensive_review_on_malware_detection_approaches]

#### A. Difficulty of Problem in Theory

Early malware detection used virus-detection methods. According to the early research, such detection is impossible and NP-complete, because a virus-detecting program leads to a contradiction. Suppose a detector $D$ decides whether a program $P$ is a virus. If $P$ is a virus, $D$ flags it so that it cannot interact with other programs, and it then behaves like an ordinary non-virus program. But if $D$ does not flag $P$ (because $P$ behaves like a non-virus), $P$ goes on to infect other programs.[^Computer_viruses:_theory_and_experiments]

- According to M. Chess and R. White, there is no program that detects all viruses without **false positives (FPs)**, because viruses are polymorphic and can exist in different forms.[^An_undetectable_computer_virus]
- According to M. Adleman, detecting a virus is **quite intractable and almost impossible**.[^An_abstract_theory_of_computer_viruses] This is because, by the **Gödel numberings of the partial recursive functions**, it is not possible to construct a detection mechanism.
- Zuo et al. claim that there exist computer viruses whose detecting procedures have **sufficiently large time complexity**, and that there are undecidable viruses which have **no minimal detecting procedure**.[^On_the_time_complexity_of_computer_viruses]

#### B. Difficulty of Problem in Practice

Categories of malware obfuscation:

- Encryption
- Oligomorphic
- Polymorphic
- Metamorphic
- Stealth
- Packaging

### Malware Detection Techniques and Algorithms

The detection process is divided into three stages:

- Malware Analysis
- Feature extraction
  - The $n$-gram Model
  - Graph-Based Model
  - Malware Dataset
- Classification

#### A. Malware Analysis

- Static analysis
- Dynamic analysis
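The following Python script is an added example, not code from this note or from the surveyed papers. It walks a dynamic trace through the feature-extraction and classification stages of the pipeline outlined above: it counts $n$-grams of consecutive API calls, builds the call-transition graph (nodes are calls, weighted edges count how often one call follows another), and classifies an unseen trace with a nearest-centroid classifier over $n$-gram frequencies. Every API-call trace in it is constructed toy data written for the example, not a capture from a real sample, and the function names are the example's own.

```python
"""Added example: n-gram and graph-based feature extraction over a dynamic
API-call trace, followed by a tiny nearest-centroid classifier.
All traces below are constructed by hand for illustration."""
from collections import Counter
import math

# Constructed toy traces (hypothetical, not captured from real samples).
# Label 1 = ransomware-like (enumerate files, read, encrypt, overwrite),
# label 0 = benign (GUI message loop, network client writing downloads).
TRAINING_TRACES = [
    (["FindFirstFileW", "FindNextFileW", "CreateFileW", "ReadFile", "CryptEncrypt",
      "WriteFile", "CloseHandle", "FindNextFileW", "CreateFileW", "ReadFile",
      "CryptEncrypt", "WriteFile", "CloseHandle", "DeleteFileW"], 1),
    (["CryptGenKey", "FindFirstFileW", "FindNextFileW", "CreateFileW", "ReadFile",
      "CryptEncrypt", "WriteFile", "MoveFileW", "FindNextFileW", "CreateFileW",
      "ReadFile", "CryptEncrypt", "WriteFile", "MoveFileW"], 1),
    (["CreateFileW", "ReadFile", "ReadFile", "CloseHandle", "CreateWindowExW",
      "GetMessageW", "DispatchMessageW", "GetMessageW", "DispatchMessageW"], 0),
    (["socket", "connect", "send", "recv", "recv", "CreateFileW", "WriteFile",
      "CloseHandle", "recv", "CreateFileW", "WriteFile", "CloseHandle"], 0),
]


def ngrams(calls, n):
    """n-gram model: count every window of n consecutive calls in the trace."""
    return Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))


def build_call_graph(calls):
    """Graph-based model: nodes V are the distinct calls; the weighted edge
    (u, v) counts how often v directly follows u in the trace."""
    graph = {}
    for u, v in zip(calls, calls[1:]):
        graph.setdefault(u, Counter())[v] += 1
        graph.setdefault(v, Counter())  # make sure sinks are nodes too
    return graph


def relative_frequencies(counter):
    """Normalise counts so that long traces do not dominate short ones."""
    total = sum(counter.values())
    return Counter({g: c / total for g, c in counter.items()}) if total else Counter()


def cosine(a, b):
    """Cosine similarity between two sparse frequency vectors (Counters)."""
    dot = sum(a[k] * b.get(k, 0.0) for k in a)
    na = math.sqrt(sum(x * x for x in a.values()))
    nb = math.sqrt(sum(x * x for x in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def train_centroids(labeled_traces, n=2):
    """Average the n-gram frequency vectors of each class into one centroid."""
    sums, counts = {}, Counter()
    for calls, label in labeled_traces:
        acc = sums.setdefault(label, Counter())
        acc.update(relative_frequencies(ngrams(calls, n)))
        counts[label] += 1
    return {label: Counter({g: v / counts[label] for g, v in acc.items()})
            for label, acc in sums.items()}


def classify(calls, centroids, n=2):
    """Return (predicted label, per-class cosine scores) for an unseen trace."""
    rel = relative_frequencies(ngrams(calls, n))
    scores = {label: cosine(rel, cen) for label, cen in centroids.items()}
    return max(scores, key=scores.get), scores


def most_indicative(centroids, label, k=3):
    """n-grams whose frequency in `label`'s centroid most exceeds every other
    class; these are the candidates a detection engineer would turn into rules."""
    others = [c for l, c in centroids.items() if l != label]
    diff = {g: v - max((o.get(g, 0.0) for o in others), default=0.0)
            for g, v in centroids[label].items()}
    return sorted(diff, key=diff.get, reverse=True)[:k]


if __name__ == "__main__":
    centroids = train_centroids(TRAINING_TRACES)
    unseen = ["FindFirstFileW", "FindNextFileW", "CreateFileW", "ReadFile",
              "CryptEncrypt", "WriteFile", "CloseHandle", "FindNextFileW",
              "CreateFileW", "ReadFile", "CryptEncrypt", "WriteFile", "CloseHandle"]
    print("graph:", {u: dict(v) for u, v in build_call_graph(unseen).items()})
    print("prediction:", classify(unseen, centroids))
    print("indicative bigrams:", most_indicative(centroids, 1))
```

The bigram `(ReadFile, CryptEncrypt)` never occurs in the benign traces, so it dominates the ransomware centroid; `most_indicative` surfaces exactly such transitions, which is the point at which a learned feature becomes a reviewable detection rule. A packed or encrypted sample (section B above) leaves its static bytes unrecognisable but still has to issue these calls at run time, which is why the example extracts features from the dynamic trace.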
#### B. Malware Feature Extraction

##### 1) The $n$-gram Model

The $n$-gram model is a feature-extraction method widely used in malware analysis; its features can be built from static or dynamic attributes. It takes subsequences of consecutive system calls or API calls as features.

##### 2) Graph-Based Model

The sample is converted into a graph with nodes *V* and edges *E*, where *V* are usually system calls and *E* the relations between those system calls.

##### 3) Malware Dataset

- NSL-KDD dataset (2009)
- Drebin dataset (2014)
- Microsoft malware classification challenge dataset (2015)
- ClaMP (Classification of Malware with PE headers) dataset (2016)
- AAGM dataset (2017)
- EMBER dataset (2018)

#### C. Malware Classification

Machine learning

### Malware Detection Approaches

![Screenshot 2024-07-22 155822](https://hackmd.io/_uploads/SyUF-5sdC.png)

- Signature-Based Malware Detection
- Behavior-Based Malware Detection
- Heuristic-Based Malware Detection
- Model Checking-Based Malware Detection
- Deep Learning-Based Malware Detection
- Cloud-Based Malware Detection
- Mobile Devices-Based Malware Detection
- IoT-Based Malware Detection

#### A. Signature-Based Malware Detection

![image](https://hackmd.io/_uploads/H17vmq3dR.png)
![Screenshot 2024-07-22 161142](https://hackmd.io/_uploads/ByXtNqs_0.png)

##### 1) Signature Generation Process

![image](https://hackmd.io/_uploads/B1cp45s_A.png)
![image](https://hackmd.io/_uploads/S1x5ckhO0.png)

Common static and dynamic malware features[^I-mad:_Interpretable_malware_detector_using_galaxy_transformer]

## Dataset

- [RISS: Ransomware Dataset](https://rissgroup.org/ransomware-dataset/)

## Reference

- [Aslan, Ömer Aslan, and Refik Samet. "**A comprehensive review on malware detection approaches.**" IEEE Access 8 (2020): 6249-6271.](https://ieeexplore.ieee.org/abstract/document/8949524)
  > Malware detection survey
- [Li, Miles Q., et al. "**I-mad: Interpretable malware detector using galaxy transformer.**" Computers & Security 108 (2021): 102371.](https://www.sciencedirect.com/science/article/pii/S0167404821001954?casa_token=0PF1MELHld4AAAAA:2-C-FzjmaxiKccTVHDooVdocRg-H8p1KwAO0dachClr0pSVGTDoxAzp2DrAQQVv91WG4CSOvjdBq#bib0018)
  > Trains a malware-detection model with a Transformer
- [Brewer, Ross. "**Ransomware attacks: detection, prevention and cure.**" Network Security 2016.9 (2016): 5-9.](https://www.sciencedirect.com/science/article/pii/S1353485816300861#cesec50)
  > On ransomware behaviour
- [Learning and Classification of Malware Behavior](https://link.springer.com/chapter/10.1007/978-3-540-70542-0_6)
  > Classifies malware behaviour with ML
- [Kok, S., et al. "**Ransomware, threat and detection techniques: A review.**" Int. J. Comput. Sci. Netw. Secur 19.2 (2019): 136.](https://d1wqtxts1xzle7.cloudfront.net/85021080/20190217-libre.pdf?1651031786=&response-content-disposition=inline%3B+filename%3DRansomware_Threat_and_Detection_Techniqu.pdf&Expires=1721705527&Signature=PPhlB4gN48h986w7P5SUIhbzgTHCBwxhfyIbJZZwiQJ4LjDYkIcoPyDqD6dfSDYBmc~P9y3Kdt3EgUbUdTnQlO-iZLg0ufD1dHaL0DErI9vZdCPbraH~vLIrMxl1ZCDfMvB06A3RgNRLXz3GTprfhw0ZpuxmIulffx1pHTvMiHD1IjfYII7on-3Qb0OkIMvk-8m2mQIPHNEZ0WcqAc-v7TT19Q1p2p4J4wtEnNMGw97cCw~DGWdg~-eiZQRTcE7bT3~slSVzkyGN-dZQSX~PaIqD3-dyQqu5dSCvTgzrqlMWzsnairnupWwo6vkGu8pQaRAB9IC0AEscf7rwPJM7Mw__&Key-Pair-Id=APKAJLOHF5GGSLRBV4ZA)

## TODO

- [Sgandurra, Daniele, et al. "**Automated dynamic analysis of ransomware: Benefits, limitations and use for detection.**" arXiv preprint arXiv:1609.03020 (2016).](https://arxiv.org/abs/1609.03020)
- [Ye, Y., Li, T., Adjeroh, D., & Iyengar, S. S. (2017). **A survey on malware detection using data mining techniques**. ACM Computing Surveys (CSUR), 50(3), 1-40.](https://dl.acm.org/doi/abs/10.1145/3073559)
- [Christodorescu, M., Jha, S., Seshia, S. A., Song, D., & Bryant, R. E. (2005, May). **Semantics-aware malware detection**. In 2005 IEEE Symposium on Security and Privacy (S&P'05) (pp. 32-46). IEEE.](https://ieeexplore.ieee.org/abstract/document/1425057)
- [Tahir, R. (2018). **A study on malware and malware detection techniques**. International Journal of Education and Management Engineering, 8(2), 20.](https://profsandhu.com/cs5323_s17/im_2007.pdf)
- [Moser, A., Kruegel, C., & Kirda, E. (2007, December). **Limits of static analysis for malware detection**. In Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007) (pp. 421-430). IEEE.](https://ieeexplore.ieee.org/abstract/document/4413008/)
- [Cohen, F. (1987). **Computer viruses: theory and experiments**. Computers & Security, 6(1), 22-35.](https://www.sciencedirect.com/science/article/abs/pii/0167404887901222)
- [Sihwail, Rami, Khairuddin Omar, and KA Zainol Ariffin. "**A survey on malware analysis techniques: Static, dynamic, hybrid and memory analysis.**" Int. J. Adv. Sci. Eng. Inf. Technol 8.4-2 (2018): 1662-1671.](https://core.ac.uk/download/pdf/325990564.pdf)

<!-- Footnotes -->
<!-- whole paper -->
[^A_comprehensive_review_on_malware_detection_approaches]: [Aslan, Ö. A., & Samet, R. (2020). **A comprehensive review on malware detection approaches**. IEEE Access, 8, 6249-6271.](https://ieeexplore.ieee.org/abstract/document/8949524)
<!-- whole paper -->
[^Computer_viruses:_theory_and_experiments]: [Cohen, F. (1987). **Computer viruses: theory and experiments**. Computers & Security, 6(1), 22-35.](https://www.sciencedirect.com/science/article/abs/pii/0167404887901222)
[^An_undetectable_computer_virus]: [D. M. Chess and S. R. White, "**An undetectable computer virus**", Proc. Virus Bull. Conf., vol. 5, 2000.](https://www.audentia-gestion.fr/MIT/ChessWhite-AnUndetectableComputerVirus.pdf)
[^An_abstract_theory_of_computer_viruses]: [L. M. Adleman, "**An abstract theory of computer viruses**", in Advances in Cryptology—CRYPTO, New York, NY, USA: Springer-Verlag, 1990.](https://link.springer.com/chapter/10.1007/0-387-34799-2_28)
[^On_the_time_complexity_of_computer_viruses]: [Z. Zuo, Q. Zhu and M. Zhou, "**On the time complexity of computer viruses**", IEEE Trans. Inf. Theory, vol. 51, no. 8, pp. 2962-2966, Aug. 2005.](https://ieeexplore.ieee.org/abstract/document/1468320)
[^I-mad:_Interpretable_malware_detector_using_galaxy_transformer]: [Li, M. Q., Fung, B. C., Charland, P., & Ding, S. H. (2021). **I-mad: Interpretable malware detector using galaxy transformer**. Computers & Security, 108, 102371.](https://www.sciencedirect.com/science/article/pii/S0167404821001954?casa_token=0PF1MELHld4AAAAA:2-C-FzjmaxiKccTVHDooVdocRg-H8p1KwAO0dachClr0pSVGTDoxAzp2DrAQQVv91WG4CSOvjdBq#bib0018)