Class of 98 - 許雅婷 - Honeypot-Based Malicious Web Page Detection

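[ Abstract ]
With the rapid development and spread of information technology and the Internet, the way people communicate has changed; reliance on the network has grown, and security problems have followed. In recent years Web applications have developed rapidly: they are applied ever more widely, their functions grow more complex, and people depend on them more and more. When a user's personal computer is poorly defended, for example when protection software has insufficient detection capability or operating-system security vulnerabilities have not been patched, it may become infected. In an era when daily life is networked, anyone may at any time step into a high-risk infection minefield without being aware of it. In recent years a new type of network attack has appeared: when a client accesses a remote malicious server, the server responds to the client's request and at the same time part of the malicious attack program is also delivered to the client, which launches a drive-by download (Drive-by-download) attack. If it succeeds, the malicious server can execute any program on the client. Malicious web pages are also usually combined with obfuscation to evade signature-based detection systems, and the obfuscation is growing more complex and even extends to multimedia files (JPG, Flash, PDF, etc.). In this situation, unless the page is actually browsed so that the malicious program triggers certain specific behaviors, it is very difficult to identify malicious behavior by parsing the page content alone; in addition, the volume of web data is large and attack techniques are constantly renewed. This study builds on a client honeypot and proposes a model that can actively determine whether a web page is malicious, together with a detection method to improve the accuracy of judging malicious web pages. It first uses static content analysis to speed up analysis, and then uses the client honeypot to actually browse the page for deeper probing, so that users can ensure their own safety when browsing the web.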

[ English Abstract ]
With the rapid development and spread of information technology and the Internet, the way people communicate has changed, dependence on the Internet has increased, and security issues have followed. In recent years Web applications have developed rapidly; they are applied more widely and their functions have become more complex, so people's dependence on web applications is increasing. Once a user's PC is poorly defended, for example because its protective software has insufficient identification capability or its operating system vulnerabilities have not been updated, it may be infected by malicious code. In this networked age, anyone may at any time enter a minefield with a high risk of infection without being alerted. In recent years a new kind of network attack has appeared: when a client accesses a remote malicious server, the server responds to the client's request while part of the malicious attack program is also sent to the client, launching a Drive-by-download attack. If the client is infected, the malicious server will be able to execute any program on it. Malicious web pages are often combined with obfuscation mechanisms to evade signature-based detection systems, and the obfuscation has become increasingly complex and has even extended to multimedia files (JPG, Flash, PDF, etc.). In this situation, unless the website is actually visited so that the malicious code triggers certain behavior, it is very difficult to distinguish a malicious act by content analysis alone. Moreover, there is a large amount of Web data, and methods of attack are repeatedly renewed. This study is based on a client honeypot system. It proposes a model that can actively determine whether a Web page is malicious and a detection method to improve the accuracy of judging malicious Web pages. It first uses static content analysis to speed up the analysis, and then uses the client honeypot system to actually visit the website for a more in-depth probe, so that users can ensure their own safety when browsing the web.