Existing research on IP (Internet Protocol) traceback assumes that Internet Service Providers (ISPs) will cooperate fully and provide complete router logs for tracing attackers. In practice, assuming ISP cooperation involves the intelligence exchange of joint defence, so the traceback problem must be studied under the assumption that sufficient router logs are lacking. This study applies a modified Ant Colony Optimization (ACO) algorithm to trace back to the botnet Command and Control (C&C) centre and builds a mathematical analysis model of botnet attack paths. Its distinctive feature is that it integrates the event logs of honeypot systems or routers to reconstruct the possible attack paths of the botnet, estimates the support and confidence of each attack path, and thereby prevents deception by spoofed IP addresses. The system is validated with the NS2 (Network Simulator, version 2) simulation tool, carrying out botnet attacks with spoofed IP addresses to verify the system's effectiveness. Experiments show that the proposed method can, in a dynamic network environment, reverse-derive the most likely attack path and the botnet command and control centre.
Existing botnet traceback schemes all assume that ISPs will cooperate by recording or generating the routing information needed for path reconstruction. In practice, cooperation between ISPs is a matter of mutual benefit in intelligence exchange, so the constraint that ISPs must cooperate ought to be relaxed. A new IP traceback scheme based on the ant colony optimization (ACO) algorithm is proposed for the incomplete attack information formed by routing honeypots or routers' logs. The aim of our work is to develop an analysis model that reconstructs attack paths and traces back to the botnet Command and Control (C&C) via ant-inspired collective intelligence, finding possible routes together with their support and confidence degrees. The model is validated with NS2 (Network Simulator, version 2), compiled with a dark IP map, to simulate the scenario of spoofed IP attacks and test the model's effectiveness. Furthermore, a sensitivity analysis is conducted to investigate the effect of significant parameters on the output attack paths. Experimental results show that the proposed approach effectively suggests the best attack path and the Command and Control of the botnet in a dynamic network environment.
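As an added illustration (not code from the paper), a simplified ant colony traceback over a constructed toy topology with deliberately incomplete hop logs. The support and confidence definitions, the heuristic weights and the pheromone update are assumptions, since the abstract does not give the paper's own formulas; the walk is driven by per-hop log evidence rather than by source addresses, which is why spoofed IPs cannot steer it.

```python
import random
from collections import defaultdict

# Constructed toy topology: each node lists the upstream neighbours an attack
# flow could have arrived from (victim V at the bottom, candidate C&C hosts S1/S2).
UPSTREAM = {"V": ["R1"], "R1": ["R2", "R3"], "R2": ["S1", "R4"],
            "R3": ["S2"], "R4": ["S1"], "S1": [], "S2": []}
# Constructed, deliberately incomplete evidence: attack flows logged per hop by a
# router or honeypot. Hops R2->R4 and R4->S1 have no logs (non-cooperating ISP).
LOG_HITS = {("V", "R1"): 10, ("R1", "R2"): 7, ("R2", "S1"): 6,
            ("R1", "R3"): 2, ("R3", "S2"): 2}
TOTAL_FLOWS = 10  # attack flows observed at the victim

def support(path):
    """Assumed definition: share of all attack flows the path explains (min over logged hops)."""
    hits = [LOG_HITS[h] for h in zip(path, path[1:]) if h in LOG_HITS]
    return min(hits) / TOTAL_FLOWS if hits else 0.0

def confidence(path):
    """Assumed definition: product of per-hop continuation ratios; an unlogged hop counts 0.5."""
    c = 1.0
    for a, b in zip(path, path[1:]):
        if (a, b) in LOG_HITS:
            arrived = sum(v for (_, y), v in LOG_HITS.items() if y == a) or TOTAL_FLOWS
            c *= min(1.0, LOG_HITS[(a, b)] / arrived)
        else:
            c *= 0.5  # no log for this hop: continuation unknown
    return c

def aco_traceback(victim="V", ants=20, iterations=30, alpha=1.0, beta=2.0, rho=0.3, seed=1):
    # Ants walk upstream from the victim; pheromone rewards high support*confidence paths.
    rng = random.Random(seed)
    pher = defaultdict(lambda: 1.0)
    best, best_score = None, -1.0
    for _ in range(iterations):
        walks = []
        for _ in range(ants):
            node, path = victim, [victim]
            while UPSTREAM[node]:  # stop at a candidate C&C (no upstream neighbours)
                w = [pher[(node, n)] ** alpha * LOG_HITS.get((node, n), 0.5) ** beta
                     for n in UPSTREAM[node]]
                node = rng.choices(UPSTREAM[node], weights=w)[0]
                path.append(node)
            score = support(path) * confidence(path)
            walks.append((path, score))
            if score > best_score:
                best, best_score = path, score
        for hop in list(pher):          # evaporation
            pher[hop] *= 1.0 - rho
        for path, score in walks:       # deposit proportional to path quality
            for hop in zip(path, path[1:]):
                pher[hop] += score
    return best, best_score
```

Running `aco_traceback()` on this data returns the path V, R1, R2, S1 with a score of 0.36, ranking S1 as the most likely C&C even though two hops toward it are unlogged.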