[Abstract: text garbled in extraction. Recoverable terms: the Windows Registry as the data source, and the Support Vector Machine (SVM) as the classification method used to tell normal from anomalous behaviour.]
1. [section title garbled]
[Introduction text garbled in extraction. Citations that survive: Market Share 2006 [12], the Windows NT Registry documentation [11], and Apap et al. [2] on registry-based detection. Table 1 residue: a grid of o/x cell marks with its row and column headers lost; only an FTP row label survives.]
[Text garbled. Recoverable: the method is built on the Support Vector Machine (SVM) [8][9]; three numbered steps (1)-(3) of the approach are listed but unreadable; the paragraph ends with an outline of the remaining sections.]
2. [section title garbled]
[Related-work text garbled in extraction. Recoverable content:]
Apap et al. [2] proposed RAD (Registry Anomaly Detection), which monitors registry accesses and models each access record. The example record quoted from [2]:
    Process: aim.exe
    Query: QueryValue
    Key: HKCU\Software\AmericaOnline\AOLInstantMessenger(TM)\CurrentVersion\Users\aimuser\Login\Password
    Response: SUCCESS
    ResultValue: "BCOFHIHBBAHF"
The record shows aim.exe reading the value "BCOFHIHBBAHF" under its ...\Login\Password key. [Further discussion garbled.] The key HKLM\Software\Microsoft\Windows\CurrentVersion\Run is also mentioned [context garbled; this is the key under which programs register to run at startup]. SVM [7][8][9] is then introduced; Chen et al. [3] applied SVM to intrusion detection, and Wang et al. [6] used a One-Class Support Vector Machine (OCSVM) for anomaly intrusion detection, comparing it with STIDE. [Remaining text garbled.]
3. [section title garbled; ends with "SVM"]
3.1 [title garbled]
[Text garbled. Recoverable: Goldring [4] is cited for user profiling; five numbered points (1)-(5) on the profiling data follow, then four points (1)-(4) on registry access data; "command line" appears in the discussion.]
3.2 [title garbled]
[Text garbled. Recoverable: each registry access record is broken into five fields, matching the record format quoted in Section 2:
(1) the process performing the access;
(2) the access type, e.g. QueryValue, CreateKey, SetValue;
(3) the key being accessed;
(4) the result status, e.g. Success, Notfound, Access denied;
(5) the result value.
These fields are then encoded into binary feature vectors (Figure 1, lost in extraction; only the residue "109375" survives).]
3.3 SVM [title garbled] / OCSVM
[Text garbled. Recoverable: the One-Class SVM (OCSVM) is trained on data from a single class (normal registry access) and flags vectors that fall outside it; it requires a kernel function, and the kernel choices considered are Linear, Polynomial, Radial Basis, Sigmoid and Precomputed Kernel. The choice of kernel is evaluated in Section 5.2.]
3.4 SVM [title garbled]
[Text garbled. Recoverable: the registry access types mentioned include OpenKey, CreateKey and CloseKey [context garbled]. The training complexity of the OCSVM is O(dL^3) [5] and the testing complexity is O(d(L+T)), where d is the feature dimension, L the number of training vectors and T the number of test vectors. The sentence linking this to the number of vectors is garbled; Section 5.1 revisits it.]
4. [section title garbled]
4.1 [title garbled; mentions the Registry and SVM]
[Text garbled. Recoverable: the system has two phases (Figure 2, lost in extraction). The first phase consists of a Registry Monitor, Data Convert, Redundant Data Deletion and the OCSVM; the second phase uses the OCSVM together with a Timing Module.]
(1) [first phase, name garbled]:
(A) Registry Monitor: records the registry accesses [details garbled];
(B) Data Convert: converts the Registry Monitor output into the vector format the OCSVM accepts;
(C) Redundant Data Deletion: removes redundant vectors [details garbled];
(D) OCSVM: trains the model [details garbled].
(2) [second phase, name garbled]:
(A) OCSVM: classifies incoming test vectors with the trained model;
(B) Timing Module: [details garbled; forwards collected vectors to the OCSVM on a schedule].
4.2 [title garbled]
[Text garbled. Recoverable implementation details:]
Registry Monitor: the experiments use SysInternals Regmon.exe [10] on Windows; the tool uses API Hooking (Application Program Interface Hooking) to capture registry accesses [details garbled].
Data Convert: implemented in Java; it converts Regmon's records into OCSVM input vectors in two steps: (1) extract from each record the fields described in Section 3.2 (process, access type, key, result status); (2) map the extracted fields to the vector format the OCSVM reads [details garbled].
Redundant Data Deletion: [details garbled; removes duplicate vectors before training and testing].
OCSVM: the SVM implementation is libSVM [7]; training vectors are labelled (+1), and vectors the trained model rejects are labelled (-1) and treated as anomalies.
Timing Module: [details garbled; collects vectors over a time window and submits them to the OCSVM in batches].
5. [section title garbled]
5.1 [title garbled]
[Text garbled. Recoverable: Table 2 reports the effect of Redundant Data Deletion on two data sets, A and B.]
Table 2. Redundant Data Deletion results (columns: A before, A after, B before, B after)
    Size (KB):           2,304     513    4,551      85
    Number of records:  65,536  14,580  129,450   2,392
    [row garbled] (%):   99.99   99.97      100     100
    [remaining rows garbled; residue: <1 <1 28 <1 722 <1 13 <1 25 <1 311 <1 927 <1]
[Discussion garbled. Recoverable: for set A the data shrinks from 2,304 KB to 513 KB and from 65,536 to 14,580 records; for set B from 4,551 KB to 85 KB and from 129,450 to 2,392 records. The results before and after deletion are 99.99% and 99.97% for A, a difference of 0.02%, and 100% for B in both cases. Applying the complexity bounds of Section 3.4, O(dL^3) for training and O(d(L+T)) for testing, reducing A by roughly a factor of 4 cuts training cost by about (1/4)^3, i.e. 64 times; for B the stated factor is 216. The cost of the kernel function is noted as a further factor [garbled].]
5.2 OCSVM [title garbled]
[Text garbled. Recoverable: this experiment compares kernel functions for the OCSVM on the training and test vectors; it cites [1] for the evaluation method. Table 3 gives, per kernel, a second figure whose header is lost and a percentage.]
Table 3. Kernel comparison (column 2 header garbled; column 3 is a percentage)
    Radial basis   0.53   99.73%
    linear         0.01   98.99%
    polynomial     0.35   65%
[The radial basis kernel gives the highest figure in Table 3 and is the kernel chosen thereafter [sentence garbled].]
5.3 [title garbled]
[Text garbled. Recoverable: four scenarios are run against the model trained in Section 5.2, each producing test vectors whose anomaly rate is reported in Table 4:
(1) [garbled; a comparison involving the same user];
(2) the same user running different programs, e.g. an mp3 player and [garbled];
(3) [garbled];
(4) the Blaster worm: Blaster was run on a Windows host [patch mentioned, context garbled].]
Table 4. Anomaly rates per scenario
    Scenario 1 [garbled]:     0.55%
    Scenario 2 [garbled]:    49.65%
    Scenario 3 [garbled]:    67.46%
    Scenario 4 (Blaster):    29.23%
[Discussion garbled. Recoverable: the 0.55% of scenario 1 is contrasted with the other rates; the Blaster scenario shows that the infection changed the host's registry access pattern [details garbled]; the authors conclude the model separates the trained user's normal behaviour from the other scenarios, with the caveat that anomalous behaviour by the same user is harder to separate than a different user or a worm [sentence garbled].]
6. [section title garbled]
[Conclusion garbled. Recoverable: Windows Vista is mentioned [context garbled]; the paper's contribution is monitoring Windows Registry accesses and classifying them with an SVM (OCSVM) to detect anomalous user behaviour and malicious programs; limitations are discussed [garbled]; future work lists two items: (1) [garbled; mentions the registry access data]; (2) [garbled].]
7. [section title garbled; the reference list follows]
[1] [reference garbled in extraction; Chinese-language source, 2001].
[2] Frank Apap, Andrew Honig, Shlomo Hershkop, Eleazar Eskin, Salvatore J. Stolfo, "Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses", In Proceedings of the Fifth International Symposium on Recent Advances in Intrusion Detection, 2002.
[3] W.H. Chen, S.H. Hsu, H.P. Shen, "Application of SVM and ANN for intrusion detection", Computers & Operations Research, Volume 32, Issue 10, pp. 2617-2634, 2005.
[4] Tom Goldring, "User Profiling for Intrusion Detection in Windows NT", National Security Agency, 2003.
[5] Salvatore J. Stolfo, Frank Apap, Eleazar Eskin, Katherine Heller, Shlomo Hershkop, Andrew Honig, and Krysta Svore, "A Comparative Evaluation of Two Algorithms for Windows Registry Anomaly Detection", Journal of Computer Security, 2005.
[6] Yanxin Wang, Johnny Wong, Andrew Miner, "Anomaly intrusion detection using one class SVM", In Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004.
[7] Andrew W. Moore, "Support Vector Machine", http://www.autonlab.org/tutorials/svm15.pdf
[8] Chih-Chung Chang and Chih-Jen Lin, LIBSVM: a library for support vector machines, 2001. Software available at http://www.csie.ntu.edu.tw/~cjlin/libsvm
[9] Piaip's Using (lib)SVM Tutorial. http://ntu.csie.org/~piaip/svm/svm_tutorial.html
[10] SysInternals. Regmon for Windows NT/9x. Online publication, 2000. http://www.sysinternals.com/ntw2k/source/regmon.shtml
[11] Windows NT Registry. http://www.microsoft.com/resources/
[12] Global Market Share Statistics Website. http://marketshare.hitslink.com/report.aspx?qprid