Thesis

Combining Dynamic Passive Analysis and Active Fingerprinting for Effective Real-Time Bot Malware Detection in Virtualized Environments

Combining Dynamic Passive Analysis and Active Fingerprinting for Effective Bot Malware Detection in Virtualized Environments

Advisor: 孫雅麗

Abstract


To strengthen network security, botnets, the source of many network attacks, have become one of the focuses of information security defense. Botnets are often used for large-scale network attacks, such as launching distributed denial-of-service (DDoS) attacks, setting up phishing sites, and sending spam. There are currently two main approaches to detecting botnets: host-based detection systems installed on individual computers, and network-based detection systems that monitor network behavior; both combine signatures with anomaly detection to find infected bot machines. The former can detect bots more accurately, but because software must be installed on the host, its presence is easily noticed by the bot; the latter can monitor at large scale, but cannot detect effectively when the bot encrypts or disguises its network traffic. Both are passive detection methods that require the bot to show activity on the host or on the network before it can be detected. We wish to provide an approach different from passive detection, one that actively uncovers the presence of bots, in order to reduce the overall threat of botnets. Furthermore, as virtualization technology advances, enterprises have begun moving their services into virtualized environments; we therefore design and implement a bot detection system for virtualized environments, placing the detection components in the virtualization layer so that the operating system can be monitored without the bot detecting the monitor in turn. We also combine passive and active bot detection. Active bot detection observes and analyzes the host and network behavior of known bots, extracts behaviors that can be triggered and collected, and turns the whole triggering process into a behavioral fingerprint of the bot. Detection then consists of activating the trigger condition and observing whether the expected bot behavior appears. The experimental results of this thesis show that both passive and active detection can detect bot machines promptly and effectively.

Abstract (English)


Defeating botnets is the key to securing the Internet. Many cyber crimes are launched by botnets, such as DDoS, spamming and click fraud. Although numerous network-based detection mechanisms have been proposed and implemented, they still have limitations due to their passive nature. A host-based detection agent can perform bot detection more precisely; however, it is intrusive and can be noticed by the bot. In order to complement current solutions, we propose a mechanism called active bot fingerprinting. By applying a specific stimulus to a host, we observe whether the expected behavior is triggered in order to examine whether the host is a bot. Since virtualized environments are widely used by enterprises to host their services (e.g., private clouds), we propose and implement a bot detection system for virtualized environments that combines the passive and the active detection approach. The detection results of both passive detection and active detection show a good detection rate with low false positive and low false negative rates.
