Behavioral detection of malware: from a survey towards an established taxonomy
Abstract
Behavioral detection differs from appearance-based detection in that it identifies the actions performed by the malware rather than syntactic markers. Identifying these malicious actions and interpreting their final purpose is a complex reasoning process. This paper compiles a survey of the different reasoning techniques deployed among behavioral detectors. These detectors have been classified according to a new taxonomy introduced in the paper. Strongly inspired by the field of program testing, this taxonomy divides behavioral detectors into two main families: simulation-based detectors and formal detectors. Within these families, branches are formed according to the data collection mechanism, the interpretation of the data, the model applied and the way it is generated, as well as the decision support.