Journal of Information Management (資訊管理學報)

官大智;陳嘉玫;林家賓;王則堯;
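Pages: 567-589
Date: 2012/07
Abstract: Because instant messaging (IM) is widespread and immediate, it has become a platform for hackers to spread malware. To evade anti-virus detection, hackers now rarely send malicious files; sending malicious URLs is currently the common propagation route. These malicious URLs may download virus files or lead to phishing websites. Once a user is compromised by IM malware, the malicious URL continues to spread through the victim's contact list, sometimes combined with social engineering techniques, which makes it hard for the recipient to judge whether the link is malicious. There is currently no effective solution that can detect IM malicious URLs in real time. This study proposes a method for detecting IM malicious URLs in real time. Based on anomalous features of the URL and anomalous behavior of the sender, the method defines a set of behavior patterns to describe possible malicious behavior and uses a scoring algorithm to evaluate the importance of the anomalous features, thereby predicting whether a URL is malicious. To increase detection speed, the malicious behavior patterns can be used to identify known malicious URLs efficiently, while the score model produced by the scoring algorithm can be used to detect unknown malicious URLs. Experimental results show that the proposed method achieves a low false positive rate and a low false negative rate.
Keywords: Instant Messaging; Malicious URL; IM Worms;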

Anomaly Based Malicious URL Detection in Instant Messaging


Abstract: Instant messaging (IM) has become a platform for hackers to spread malware because of its popularity and immediacy. To evade anti-virus detection, hackers may send malicious URL messages instead of malicious binary files. A malicious URL is a link pointing to a malware file or a phishing site, and it may then propagate through the victim's contact list. Moreover, hackers sometimes use social engineering tricks that make malicious URLs hard to identify. Previous solutions are not suited to detecting IM malicious URLs in real time. Therefore, we propose a novel approach for detecting IM malicious URLs in a timely manner, based on the anomalies of URL messages and the sender's behavior. Malicious behaviors are profiled as a set of behavior patterns, and a scoring model is developed to evaluate the significance of each anomaly. To speed up detection, the malicious behavior patterns identify known malicious URLs efficiently, while the scoring model is used to detect unknown malicious URLs. Our experimental results show that the proposed approach achieves a low false positive rate and a low false negative rate.
Keywords: Instant Messaging;Malicious URL;IM Worms;
