Oct 16, 2013

cym@mgt.ncu.edu.tw

92423036@cc.ncu.edu.tw

catus@mis.mgt.ncu.edu.tw

 !"#$ %&'()#*
+,-./0 1*+23
4567
869:;0<=>?0@ABCD
E)FGHI (Windows Registry)
JKA
 Windows L M@N!"O
K PQRSTUVWXYZ$[\]
 ^_`abc@deFGHIfgh
ijFGHIklmnoH(Support Vector
Machine, SVM)]pq-rs,DE
567
86)tuvwExyGFGHI`
a?dz,56DE{`aX|/}
;~`aX|EX| SVM 5
6?TT,DE

869:)$tu#FG
HIk SVM T@X
| SVM )tu
 ¡¢£,DE86rs ¤¥¦
§¨©ª«¬?­®tu 0¯86
DE)

_°±²,DEPFGHIPlmno
HP86rs

1.



³´µ¶·¸·¹º»´¼½·¾¸LM
23
 ¿ÀMarket Share
2006ÁÂÃÄ[12]ÅÆÇÈÉÊËÌT
ÍZ$
6ÎÏÐ2Ñ )ÒÓ
Ô*+ÕÅÍ/BCWÖ
;c#,×ÌØ[ÙÚkÛÜ)
xÝÞ,A*+Í`a-ßà
,56DET~DEJK56DE
;áDEk$56^Çâ?T

86DE)$¢,DEM
Å2Aã®,äåÒ
.
~DEæEçß,¡)èéÝÞ
,DE
êåëìí)FGHI [11] M
@[oÓÔ*+XY/0T
FGHI-Jî56DEx$¢5
6-,DE
86ï;ð
ñ86òrsMó¢ôvw)
AFGHIM@!"FGHIU
Å^#Q°k°õö÷RSbcj
eFGHI [2])ó¢vø,A*
+cÅùRSúûü 1 Eýþë
,AëôpQRSÂüü
oüpRSôpþTÍ,
^RSxü,ëôp
MRS
ü, p
QRS)ü
 W
úûqPYPiWM,
AÅWù[\]ë^Z$
uAFGHIÍGë/

BCRSAÖDÅ#FGHIMa
ë^TFGHI?TE¡86DEM
XY)
1. 




    



A

B

C

D

E

F
q o x

o o o

o
Y

o o o o o

o
i4

o o o o o

o
 W

o o x

o x

x
!"#N

x

o o o o

o
$%W

x

x

o x

x

o
FTPW

x

x

o 



o
=&' 







o


()W

o o o 




$*W

x

x








+,Q

x

x







x

fhið¡'(vw-é
./dRS
kFGHI0a¨¥E56
X|12.lmnoH(Support Vector
Machine, SVM) [8][9]DTJî-

86DEM56)
A,DE869:¯Í?0cT
{3ô9²
(1)4586¨¥²4586¨¥ûÅ
,7BCRSò)
(2),5äDE67²,589
k 6¨¥¡)
(3)9,56DEJKMë:;<²û
;,%=áQRSßE86¨¥
)$¨¥ëLfhiM>?>@)
TÍA3BÅCBAfhiMb
ßàE86DEtu0xfhi
ð¡MvwTE86)
fi]EýDE{-AFD;cGH
FGHIAòrsÍQTU,
JKk SVM M^_'()A3D;.®ûT
FGHIEj SVM 56
JKTUDE]p)AIDEfhið¡
vwJKL.®ÓMNkOTU
«¨¥)APDTQôë¨©-T«
¬T­«f'(ð¡vwæ«0<
¡86)2AýDð¡hUR-
'(vn)

2. 

ö÷RSSkFGHI
0aTÅ#FGHI`a

ÅUV@A [2][\]RSARSW
aPX7YZ¢[@deFGH
I\/dFGHI`a9:]0 1
Ö9:)
A Apap [2]'(Î,j^E RAD
(Registry Anomaly Detection) -_`RS#
FGHI@d9T¢ô avw-
¯~@d¨¥
86rs¡BCW)
AFGHIMXYÂb

õPÂbôpPÂbcP¡Âbéd
Re^fPTUÂb
ÌghXYE-){E
ÂbMXY
9:²

Process: aim.exe
Query: QueryValue
Key: HKCU\Software\AmericaOnline\AOLInstantMessenger(TM)\CurrentVersion\Users\aimuser\Login\Password
Response: SUCCESS
ResultValue: "BCOFHIHBBAHF"

TÍXYüa
aim.exe RSÂbÅ@
NFGHIÎi§iIõtu
?zjÅklE¢ÌgÂbTÅi§i
IõE“BCOFHIHBBAHF”)
FGHI#_`ÏÐDE
m6<
 Ain [2] '(,ðUZE["Ï
ÐRScj #FGH
I9o67FGHIpìûq6
HKLM\Software\Microsoft\Windows\CurrentVersion\Run TærÏÐRS0:A-HÍÖZ$
["ÏÐRS`aDE
¡86
FGHI@dDE)
SVM
¢jHqstuw]pw
[7][8][9]ZE?1vwxf 2ëyz{
\23.6A86òrs|}M)
úû Chen [3] ~ SVM -òrs,;
SVM kp.+,]p0Çâ
SVM ]p0p.+,)AWang [6]
iGH ôT¢plmnoH
(One-Class Support Vector Machines, OCSVM) 
86rsvwT­®Års0
STIDE k?86rs)
.Í^_'(ðñXYfhið
¡¢£FGHIk SVM M T0
:#,DE869:0<T)T
{;GHfhi#FGHIM9
.®TU SVMôpd#
M2-z{)

3. !"# SVM
3.1 

¢ÓX|d#,DE
-.
éMNT¢ÓX|S
¢ç0ðñ2<]
)AGoldring [4] iðe¢Ó
,DEX|T{B²
(1)pì?TÔpT?¡,
 )
(2)RSDETU^_`a)
(3)A"D M{0dz
`aX|)
(4)ÅX|R G¡¢Lk £¤ME
¥)
(5)#¦"X|0T§§4)
~çX|0â;ü¡
,DE9:¨ë0©ª,DE
`aë0§ «ARS`aü
-üD,DE)FGHI
¬~
çX|ôpÅç­.®û{²
(1) FGHI`ayG,D
RSRe^f®¯RSRe
^f@A\?$¡,DE)
(2)AFGHIÎ`ayG RSTUÅ
^_Re#FGHI@d9:T
ë°
RS`aÅ^_Re`ac
yG{-)
(3) LM E"± 
Å{FGHI0æ«yGR
S`aX|)
(4)²1FGHIce³´ £¤
OèÅ`aERSkÅ^_Re
£¤ëµ¢¶T £¤EX|
TÅyG £¤X|ë·¸§¹¦)
ó¢vøFGHIºë°
G¡¢L
(command line)¡¢\ÅR G
¡¢Lk £¤M)
»¼½/°E 1,DE9#®¯R
S\å?E¦"X|T§§¾)
3.2 

FGHI
T¿9ÀÁKOÌY
ÓFGHIBfE° (key)TÅ
@Å^#Q°õ)ÎRSA#FGHI
ÂbÅÂbXY{LPÂç­õ²
(1) Re^f²
#@deFGHIRe^f)?T
$T
E 6eMRS 
WRe^T¯86k)
(2) Âbôp²
lÃÄFGHIÂbôpû
QueryValuePCreateKeyPTU SetValue h)
/k 6ëÂb9:?
0E86DE)
(3) °õ²
«ÅÍ@de°õ,Æ)ü«RS
@d`a#Ç/8 6`a°
õ?0E86¨¥)
(4) kQ9:²
Âbcû SuccessPNotfoundPTU
Access denied h)/¡k 6kQë¨
¥?0E86¨¥)
(5) klc²
@de°õÈ«Å õ)
Aç­dvøfhiÉdü
IÂ-Etu#Ç]ERe^
fPÂbôpP°õPkQ9:hIÂ)
·EëdAPÓç­Êklc

AFGHIM[\å
Ëk
Binary X|OÌ(ÌÍ%1)ËX|
üXY¸ Binary X|7aÉ"Î
EyÏWþKXYÐâëü)Å\
åkl^fP,ÆhèÅÇÈëÉ
AÍÑõ[E\fhiëTd
$ç­)

1. 109375
!"#$%

3.3 SVM OCSVM

Ò¢plmnoHÓOCSVMÔ
¡Î
tu°¢ôpX|ÕÖ×ôp
km×ôpMX|ÅJî;ë
Å SVM p)Af'(tuA
,DEÀ[
ØO,DEb
5
6 Ù¦BCRSDE\A$¢ôp
X|ÓÐ&
56DEX|Ô9{tu
Úd OCSVM -E]pq)
AQ OCSVM "³´g0(kernel
function)zTÛ)OCSVM ðñ"³´g0
2Av];X|9Üë s
Tdz¥]p9)-é
Linear PPolynomial PRadial BasisPSigmoidPk
Precomputed Kernel hPÂtuSÝAÅÛ
¢Ó,ÄÞÎÌ T
¥5.2 D;#~¢B¢M.®)

3.4 SVM

tuRSA@dFGHI
Å`a9:ÅUV@AûT OpenKeyP
CreateKeyPCloseKey E¢`aMßà9:7á
#^FGHID^a~ßà9
:×ÌFGHI Data M!"â¨¥
@A)
 OCSVM A56DEM
ᦠE O(dL^3) [5]A]p`a
AsãX|2ÅeMᦠE
O(d(L+T)) Å d Eeä
  L üX|å  T üsãX|
å )æ/tu0<X|ksãX
| o d[<ç
A OCSVM tuA5.1
D;#$T«¬.®M)

4. $%&'#()
4.1 

f -é
TFGHIk SVM 
A JKvø-é
TÀ[ÓX|34
P56JKk86rsF[ÖèOÌ)
X|34-é
T Registry Monitor PData
ConvertPRedundant Data Deletion 3ÓOO
Ì)56ksãX|]pÇ#

j OCSVM k Timing Module -ÊÌ)T{
E JK%²

2. &$'(
% 2 ?$¡fhi-é?]EX|
À[k86rs[\]T{;9$F[\]
pìTL.®kGH)
(1) À[
A$À[ce{LO²
(A)Registry Monitor²_`FGHI
`a9:;MyG{-TE
X|é¥)
(B)Data Convert²; Registry Monitor yG
-éêX|ëìE OCSVM n
oX|;eç­íd¡-)
(C)Redundant Data Deletion²;ëì§2é
EáX|ÞT¾Tj 
@k)
(D)OCSVM²56DE{56
)
(2) rsÀ[
A$À[ce{LO²
(A)OCSVM²Ars;sãX|k56
DÇ#a)
(B)Timing Module²jë-#X|
DîïM2}sãX|rsÇ#)

4.2 

T{9e.®QO.®«U¨¥²
Registry Monitor²Af'(tu
j
SysInternals  ¡-Tñ Windows LM
  Regmon.exe [10] E-éRS)Å
R S j API Hooking (Application Program
Interface Hooking) ðñ-dzRS#FGH
I@d`a¨¥)
Data Convert²$OT Java  -ég0

;tuA Registry Monitor G{-FGHI
@dGX|ëìaT]0ñ OCSVM
-òcEno:X|)
Aëì§R
ó;tuéeç­
Tíd¡-}ëEnoX|:-é?]E
ÓMN²
(1) RSdFGHI@dGTç­
ôI~Èç­E 3.2 DõRe
^fPÂbôpP°õPkQ9:hI
Â)
(2) RSdFGHI@dGkÍ¢MN
ç­ôI;FGHI@dGë
ìEOCSVM?jMno:X|)
Redundant Data Deletion²Å-ég0A;
X|â¨¥T¾A~Otuj
JîFö¿vS;X|T÷eøá
\å¡áX|ùúX|û)
56ksãX|]pÇ#

j OCSVM -ÊÌ SVM ±
ü
[sýþ'( M libSVM [7]-E
«ÅÍ±)AX|4\åtuó
;Õ OCSVM M56X|bÑyE (+1)
ÓEÑyCàÔTj]pDÎs
ãX|kX|Ç#/
OCSVM ßEëôpX|cAX|3Ñ
yE (-1)ü86¨¥)
86rs\å
 OCSVM k Timing
Module O̲
OCSVM²A3ø.®$O56
w86rs\]
T OCSVM
-D]paóßsãX|k#Q
56}TsãX|86R )
Timing Module²$O-é
,A
ëÖ[McëDE9
:Z$jëÖ[-
T9ÜÖ[-sãX|Ç#)~x
w?;X|9ÜëÖ[-îïT
]]0X|oT OCSVM A
Ìf)

5. (*+,
5.1 !

A$.®X|â¾«¬cót
ujGFGHI@dyG;$X|.
 Redundant Data Deletion RS-T4-
é¾#ÇEIôç­b^X|;.§
4X|kR.§4X|D
Ç#
Tæã$¢4vSëc!eX|æ
kR-rs<0)
 2. )*+,-./012)*+,-./012)*+,-./012)*+,-./012

A A B B
 (KB) 2,304 513 4,551 85
 65,536 14,580 129,450

2,392

 (%) 99.99 99.97 100 100
 <1  <1 
 28 

<1  722 

<1 
 13 

<1  25 

<1 
 311 

<1  927 

<1 

ü 2 Géê  A kéê  B]
*+ A k*+ B yG{-FGHI`a
X|Å*+ A E[oQRS
*+ B E®¯RS`a 
Åo§2 ]Eo  A ko 
B)A.§o4M2  A M ìo[
wé- 2,304 KB E 513 KBX|Ç 
éó 65,536 åE 14,580 åEéó M
I]M¢A  B \]Å ìo[wé
- 4,551 KB E 85 KBX|å éó
129,450 åE 2,392 åEéó Mý]M
¢)
Ç#c  A \å
éó
 99.99% E 99.97%5æÈ
0.02%  B \å
äA 100% 9:
{7a)
tuE~x«¬cT{.®²A[
oQRS9{*+ A QRS
ôp"\FGHIßà9â
èA.§o42? I]M3X|
owoæÈÓ{ 0.02%Ô)
~xc
ZE SVM A4Íçcó¾
ØõX|A.§oM2Øõü
ë®
×Ì]pÍ)
AëQRS9{*+ B 4°
®¯RSAD9:)Z$®¯RSâ
9"\ÅX|0·éóý]M
¢Ç*+ A oÇúé"TAæÈÍ
 )
T~x«¬c$-ÅX|o2ì
o[ wûÍi.OCSVM A
56DEMFGHI@dX|á¦
 E O(dL^3) A]p`aÅeM
ᦠE O(d(L+T))Ò  A -.Å
Eéó (1/4)^3 Ò
ðEé-4
 64  AÍÅo
EéóI]M¢)A  B \åÅ
ðEé-4 216 o
Eéóý]M¢)èA«Å SVM
c#ų´g0d¿Àë³´g0
ᦠc!Å4 T«Å
okX|ᦠ_X|á
¦7
X|å "4")
²1AÍü«¬ ÀM8ë
[è«X|o"Å;T¡ Ì)
WÕ~xc#ð OCSVM 4!
 Í
0®
ð)

5.2 OCSVM"#$%

AÌ ßÍtu;9Ü56JK
k«Å¨©sãX|c-1".®)56
JK
E EM2TñÄA¯sãX|
56k-é
T# -$o5æ
kùæ [1]Afhi¡R%eÌ 
ß!&¡-?'R ü 3
Tx
X|(Qôëg0kÌ O-
56cÅ# au)SE²
# *
5æ]pMX|å + X|å

 3. 345678 345678 345678 345678
g0O Ì # 
Radial basis 0.53 99.73%
linear 0.01 98.99%
polynomial 0.35 65%

2tußA¢OÌ kg0O¡
É# E56ß)

5.3 &'()*!+,&'()*!+,&'()*!+,&'()*!+,

fhi¿À¢¶,«Å*+?0
¨¥Oa {L¨©T 1 rs
Ì<E)AX|G\]fhi
;
,Aùà©{ØOÅà©R@ÅBC
RS9:{TDùQRST,#
ùg0-TDTær0ü
,?0DEE-.MX|)T{Ò
]T,P*+9P9,
#Iôë¨©-D«¬²
(1)ë,wpMÇâ²
tu.,*+MFGHI@d
Gjf'(ð¡ /RTÇ#T
Å9
^tuT¢,
0[1ûX|ÎX|T¢
,2[ÎsãX|Tc-¬­tu
ð¡
0:3¡¢,
DES)
(2)¢,^*+45DEÇâ²
x,A45RS?0c

«úû5ù6mp3 7
$+,
!7hTìíÒ?¯¡DE8
A~8sãX|tuT,*+59
ûeFGHI Data ÎÌsãX|-¬­
tu03,ù67-8)
(3) ë,^*+TE^[²
éEw,A*+Z:;$
¢mw,j~Ó -$*
+Å^_`a;cyG{-)mw,
RS
kw,569{ë
^
Aw, M
p?TO-T3ã[86
¨)
(4) ,^*+<=RS@A²
A~¨©tuª*+>%?@Blaster
<=9T Blaster ÏÐRS#R.patch 
AB Windows  ÏÐÝÞÅ?@<
=2k56 DE
Btu
Ð?TjtuJ ÞC?@<=2
 869:)

A1û;-.X|2tuT
SVM(OCVM)OJî56DE12
,#Q¨©1ûMsãX|}D.SVM E
56ksãX|-TÇ#- 1Å
860E)ü 4
fhiAQ¨©ÍG
sãX|kX|Ç#286 A$
86 
¡ktu¡M86R
 86 õÉüB;56DE")
ü4 ]L¡Q¨©«¬«¬c)

4. 9:; <=> 9:; <=> 9:; <=> 9:; <=>
«¬¨© 86 

¨©¢²,DEÇâ 0.55%

¨©F²45DEÇâ 49.65%

¨©3²,:; 67.46%

¨©I² ?@Blaster 29.23%


TÍ«¬ À?jtu?T
¢,FDEkë,F
DEm6
«8¢,AÅ
DESR6786R E 0.55%GA
tuì!¯>@Mp²è
A ?@
Blaster +=M2 Blaster cq6\]FG
HIpìTH%Wa HRe.t
u Å86R IJ§,56
{×Ì86R Z$tu?T~

B;,DEU>86DE¨)
TÍ«¬ À?jtuð¡JK
0:<
456,DE
S{T0<ÂC,DE869
TA?@<=×Ì869:{tu
 Ð?TÅ×Ì86B;DE
rs¡-869:@A)

6. -
--
-

#òrs -.ûOa¢£<
³´STæ¡86DE

23[K_Lz{M¢
Uz Í%&z{¢
M
NÁ-_LOBM¢úûá
 Vista ]A%&z{Í"«P)
Z$fhið¡¢£FGHI
-¯,DE
86¨¥DE8
6rsvw)¦§,DE86rsÝB
FGHIk SVM-JK86D
E3 )
óAFGHIk SVMÍZQ
çtuð¡ ovS-6
 <0z{æ«ðtuð¡JKA
X|@k¯Í<0)T.«¬
¬­f'(ð¡JKæ«0:<Ö]
,DEST<3¡?Q86
DE9:Tf'(ð¡JK¯
Atu0E%>@Mp))
_f'(2?0'(vntu]E
T{BD>?²
(1) 5aRSûFGHI`aX|-D5a
R :
tu'(RÚX|5ts

kávSTAR.,X|
ÍR">?)/0;áX|5a
X|Å¡-56;
É¯0;¬,Î{DE
S)
(2) ûT5æÖ[Tü,DES :
ûtujT,DEUUc
67éûùæü,A¢Ö[
DE¡,DE7R9À;

tuR-;T_LV{M¢)

7. ./0./0./0./0
[1] R[q ashkQþW¡XY
2001)
[2] Frank Apap, Andrew Honig, Shlomo Hershkop,
Eleazar Eskin, Salvatore J. Stolfo. “Detecting
Malicious Software by Monitoring Anomalous
Windows Registry Accesses.”In Proceedings of
the Fifth International Symposium on Recent
Advances in Intrusion Detection, 2002.
[3] W.H. Chen, S.H. Hsu , H.P. Shen, Application of
SVM and ANN for intrusion detection,
Computers Operations Research, Volume 32,
Issue 10, pp. 2617-2634, 2005
[4] Tom Goldring,”User Profiling for Intrusion
Detection in Windows NT”, National Security
Agency, 2003.
[5] Salvatore J. Stolfo, Frank Apap, Eleazar Eskin,
Katherine Heller, Shlomo Hershkop, Andrew
Honig, and Krysta Svore, "A comparative
Evaluation of Two Algorithms for Windows
Registry Anomaly Detection". Journal of
Computer Security, 2005
[6] Yanxin Wang, Johnny Wong, Andrew Miner,
“Anomaly intrusion detection using one class
SVM”, In Proceedings from the Fifth Annual
IEEE SMC Information Assurance Workshop,
2004.
[7] Andrew W. Moore, “Support Vector Machine”,
http://www.autonlab.org/tutorials/svm15.pdf

[8] Chih-Chung Chang and Chih-Jen Lin, LIBSVM :
a library for support vector machines, 2001.
Software available at
http://www.csie.ntu.edu.tw/~cjlin/libsvm

[9]Piaip's Using (lib)SVM Tutorial.

http://ntu.csie.org/~piaip/svm/svm_tutorial.html

[10]SysInternals. Regmon for Windows NT/9x.
Online
publication, 2000.
http://www.sysinternals.com/ntw2k/source/regm
on.shtml

[11]Windows NT Registry

http://www.microsoft.com/resources/

[12]Global Market Share Statistics Website
http://marketshare.hitslink.com/report.aspx?qpri
d

=2