| Field | Value |
|---|---|
| Graduate student | 劉順德 Shun-Te Liu |
| Thesis title | 以回溯式偵測方法發掘潛在APT受駭主機之研究 (The Study on Retrospective Detection Approaches for Uncovering Potential APT Victims) |
| Advisor | 陳奕明 Yi-Ming Chen |
| Committee members | |
| Degree | Doctor |
| Department | College of Management, Department of Information Management |
| Year of publication | 2013 |
| Academic year of graduation (ROC calendar) | 101 |
| Language | English |
| Pages | 87 |
| Keywords (Chinese, translated) | advanced persistent threat, retrospective detection, malware detection, incident investigation, botnet detection |
| Keywords (English) | advanced persistent threat, retrospective detection, malware detection, incident investigation, botnet detection |
An APT (Advanced Persistent Threat) attack is a sophisticated, target-oriented cyber attack in which the attacker uses compromised hosts as stepping stones to intrude into the enterprise network and steal more valuable data; the earlier the compromised hosts are found, the smaller the loss to the enterprise. However, APTs often evade existing prevention and detection mechanisms, and the malware they use is custom-built, so even when one compromised host is discovered it is difficult to find the other compromised hosts by deriving a malware signature from it. Until better defensive mechanisms exist, incident investigation must be relied on to uncover potential victims as early as possible. But uncovering potential victims is often time-consuming, especially in large enterprises with many hosts, and the delay causes the enterprise further unnecessary losses.
To address this problem, this study investigates how host-based features (e.g., malicious file names) or network-based features (e.g., malicious command-and-control relay servers) taken from one APT-compromised host can be used to quickly find other compromised hosts with similar features in historical behavior data; this concept is called retrospective detection. The first approach, MalPEFinder, performs retrospective detection mainly from malicious file information and the relations between files; the second, N-Victims, performs retrospective detection mainly from similar network connections and the relations among malicious relay servers. To demonstrate the usability of the proposed approaches, we conduct experiments with known APT malware and APT victim cases, and compare them against the well-known commercial similar-file search tool Splunk and the N-Gram method for matching similar malicious relay servers. The experimental results show that MalPEFinder improves the detection rate by 17% over Splunk while lowering the false-positive rate by 22%. Under the assumption of finding the top 20 potential victims, N-Victims improves the detection rate by 90% over N-Gram (N=2).
Advanced persistent threats (APTs) are sophisticated and target-oriented cyber attacks which can evade most conventional prevention and detection mechanisms. The attackers leverage the victims as stepping stones to intrude into the enterprise network and steal valuable information. The faster the victims are found, the lower the damage the APT causes. However, the underlying malware of an APT is customized; even if the malware is found, it is too unique to be used for detecting other, similar malware. Therefore, incident investigations must play a role in uncovering the potential victims. Unfortunately, such investigations are often manual and take too much time to analyze the large volume of incident data.
In this dissertation, we propose both a host-based and a network-based retrospective detection approach, called MalPEFinder and N-Victims, respectively. Both approaches start from one known malware-infected computer in order to determine the potential victims. To prove their practicability, we test our approaches with real-world APT malware samples and a real APT case that occurred in a large enterprise network consisting of several thousand computers running a commercial anti-virus system. The experimental results of MalPEFinder indicate that the detection rate improves by 17% compared to Splunk, a well-known retrospective search tool, while achieving a lower false-positive rate (3% vs. 25%). The experimental results of N-Victims show that N-Victims finds more malware-infected computers than an N-Gram-based approach, a general bot detection method. Among the top 20 detected computers, N-Victims also had a higher detection rate than the N-Gram-based approach (100% vs. 5%, under N=2).