惡意域名受害族群估計－使用聯合超幾何最大似然估計法

FFSN是目前網路世界所面臨的極大威脅，其技術可以讓攻擊者隱藏在一群代理伺服器（agent）後面，這樣的方式可以讓攻擊者來躲避偵測使資訊安全人員偵測失敗，FFSN這項技術對犯罪份子的好處是惡意網站可以受到保護，進而延長惡意網站的壽命。所以FFSN的危害日益嚴重，要規模估計FFSN-Agent也相當不容易，且Flux-Agent本身可能是Bot節點，估計FFSN的規模也可以知道其威脅程度。本研究的核心為規模估計動態惡意域名服務網路（Fast-Flux Service Network，FFSN）的族群規模大小，藉由重複捕取法（Capture-Recapture Method，CRM）中的聯合超幾何最大似然估計法（Joint hypergeometric maximum likelihood estimator，JHE）來估計Flux-Agent的群體大小，其結果發現比普查的方式可以更快速找出整個族群大小。

關鍵字

重複捕取法；動態惡意域名服務網路；規模估計

並列摘要

FFSN is one of the enormous threats of internet. It can hide the attackers behind a group of agents and by this way the attackers can avoid being detected. The benefit of FFSN to attackers is the malicious websites can be protected and the survival time can be prolonged. The danger of FFSN is getting more serious and Flux-Agent could be a Bot note. To estimate the size of FFSN can find the danger degree but to estimate the size is not easy. The purpose of this study is to estimate the group size of Fast-Flux Service Network (FFSN.). Uses Joint hypergeometric maximum likelihood estimator (JHE) of Capture-Recapture Method (CRM) to estimate the group size of Flux-Agent. By computing the joint hypergeometric maximum likelihood estimator (JHE) of Program NOREMARK, the group size can be found. The experiment result can find the group size more quickly than census.