
Detecting HTTP-Based Botnets by Investigating DNS and HTTP Traffic

Advisor: 雷欽隆

Abstract (translated from the Chinese)


Because of their ability to aggregate a large amount of computing resources, botnets have come to be regarded as one of the greatest threats to network security today. With the rise of all kinds of web application services, newly emerging botnets increasingly use HTTP as the channel for delivering command and control, because botnet traffic can then be blended into the large volume of ordinary web traffic to avoid detection. What distinguishes botnet traffic from ordinary traffic is that the traffic of the group formed by the members of a botnet shows a certain regularity. Therefore, to detect HTTP-based botnets effectively, this study proposes a method based on inspecting the group characteristics of DNS and HTTP traffic in the network. It first identifies possible botnet groups from DNS traffic, then examines the HTTP traffic of those groups and checks whether it matches the features we define, in order to decide whether the group is a botnet or a set of ordinary users. Experiments with real-world botnet traffic show that this method can effectively detect HTTP-based botnets.

English abstract


Because of their ability to assemble a tremendous amount of aggregate computing power, botnets have been recognized as one of the largest threats to Internet security today. With the prevalence of various network services, HTTP-based botnets make up a considerable portion of newly appearing botnets, because their traffic can be hidden in the vast majority of web traffic to evade detection. The difference between botnet traffic and normal traffic is that the traffic of a group composed of bots shows regularity. As a result, in order to detect HTTP-based botnets effectively, this study proposes an approach based on monitoring the group features of DNS and HTTP traffic on the Internet. It first finds possible botnet groups from DNS traffic and then checks the HTTP traffic of these groups, observing the group features of that HTTP traffic to judge whether the group is a botnet or not. After evaluating with real-world botnet traces, we show that this approach can detect HTTP-based botnets effectively.
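The two-stage pipeline the abstract describes (group clients by the domain they resolve in DNS, then check whether each group's HTTP traffic behaves like a coordinated group) can be sketched over sample logs. The following is an added example written for this page, not code from the thesis: the thesis does not list its group features here, so the two used below (how uniform the request paths are across the group, and how regular each member's inter-request interval is, measured as coefficient of variation) and their thresholds are assumptions, and the DNS and HTTP log entries are constructed, not captured traffic.

```python
"""Two-stage HTTP-botnet group detection sketch: DNS grouping, then HTTP group features.

Illustrative example only. The logs below are constructed, and the features and
thresholds are assumptions made for this example, not the thesis's definitions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS log: (timestamp_seconds, client_ip, queried_domain).
DNS_LOG = [
    (0, "10.0.0.11", "update.example-cc.net"),
    (1, "10.0.0.12", "update.example-cc.net"),
    (2, "10.0.0.13", "update.example-cc.net"),
    (3, "10.0.0.14", "update.example-cc.net"),
    (5, "10.0.0.21", "news.example.org"),
    (6, "10.0.0.22", "news.example.org"),
    (7, "10.0.0.23", "news.example.org"),
    (8, "10.0.0.24", "news.example.org"),
]

# Constructed HTTP log: (timestamp_seconds, client_ip, host, path).
HTTP_LOG = []
# Simulated bots: identical path, near-fixed 60 s polling interval.
for i, ip in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]):
    for k in range(5):
        HTTP_LOG.append((10 + i + 60 * k, ip, "update.example-cc.net", "/gate.php?id=1"))
# Simulated human readers: varied paths, irregular gaps between requests.
_human_paths = ["/", "/sports", "/world/123", "/tech/abc", "/about"]
_human_gaps = [[3, 40, 7, 120], [15, 2, 300, 9], [50, 1, 1, 200], [8, 90, 30, 4]]
for i, ip in enumerate(["10.0.0.21", "10.0.0.22", "10.0.0.23", "10.0.0.24"]):
    t = 10 + i
    for k in range(5):
        HTTP_LOG.append((t, ip, "news.example.org", _human_paths[(i + k) % 5]))
        if k < 4:
            t += _human_gaps[i][k]


def dns_groups(dns_log, min_members=3):
    """Stage 1: candidate groups = sets of clients that resolved the same domain."""
    by_domain = defaultdict(set)
    for _, ip, domain in dns_log:
        by_domain[domain].add(ip)
    return {d: ips for d, ips in by_domain.items() if len(ips) >= min_members}


def http_group_features(group_ips, domain, http_log):
    """Stage 2: assumed group features of the HTTP traffic sent by one candidate group.

    uniformity  - share of requests that use the single most common path (1.0 = all identical)
    interval_cv - mean over members of stdev/mean of inter-request gaps (0.0 = perfectly periodic)
    """
    per_client = defaultdict(list)
    for ts, ip, host, path in sorted(http_log):
        if ip in group_ips and host == domain:
            per_client[ip].append((ts, path))
    paths = [p for reqs in per_client.values() for _, p in reqs]
    if not paths:
        return None
    uniformity = max(paths.count(p) for p in set(paths)) / len(paths)
    cvs = []
    for reqs in per_client.values():
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        if len(gaps) >= 2 and mean(gaps) > 0:
            cvs.append(pstdev(gaps) / mean(gaps))
    interval_cv = mean(cvs) if cvs else float("inf")
    return {"members": len(per_client), "uniformity": uniformity, "interval_cv": interval_cv}


def classify_groups(dns_log, http_log, min_uniformity=0.8, max_cv=0.2):
    """Run both stages; a group is flagged when its HTTP traffic is uniform and periodic."""
    verdicts = {}
    for domain, ips in dns_groups(dns_log).items():
        feats = http_group_features(ips, domain, http_log)
        if feats is None:
            continue
        feats["botnet"] = feats["uniformity"] >= min_uniformity and feats["interval_cv"] <= max_cv
        verdicts[domain] = feats
    return verdicts


if __name__ == "__main__":
    for domain, feats in classify_groups(DNS_LOG, HTTP_LOG).items():
        print(domain, feats)
```

The DNS stage is deliberately cheap (a set per domain) because it only has to shortlist candidates; the HTTP stage is where the decision is made, and on the constructed input the polling group scores uniformity 1.0 with a zero interval CV while the news readers score 0.2 with a large CV. In practice the thresholds and the feature set would be tuned on the labelled traces the thesis evaluates against.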
