• Thesis

利用域名查詢失敗及封包特性之殭屍網路偵測法

Botnet Detection Based on DNS Query Failures and Packet Characteristics

Advisor: 雷欽隆

Abstract


In recent years, botnets have become a major threat on the Internet. Attackers use botnets to carry out illegal activities such as distributed denial-of-service (DDoS) attacks, and users often do not notice until the situation has become serious, because the traffic an attacker uses to control a botnet is hard to detect. This thesis proposes a method for detecting botnet behaviour hidden within normal network traffic. We analyse how bots locate their command and control (C&C) server and the characteristics of communication between bots and the C&C server, propose a detection approach based on Domain Name System (DNS) query failures, and describe a method for detecting botnet C&C traffic. We compute temporal persistence and packet difference to find IP pairs that connect frequently over a long period and exchange packets of similar size, and classify them with a support vector machine (SVM). Our method requires no prior knowledge of the botnet's communication protocol and no inspection of packet payloads, yet it can detect several kinds of botnets. Finally, we collected traffic from several botnets together with real-world traffic to evaluate the accuracy of our system, and compared its accuracy with the well-known botnet detection system BotHunter. Experimental results show that the proposed system can strengthen existing detection systems.

Abstract (English)


In recent years, botnets have become a major threat to the Internet. Hackers use botnets to carry out a variety of illegal activities on the Internet, and users often do not notice until the situation worsens, because it is difficult to find a botnet's C&C traffic on the Internet. This thesis proposes a method to detect botnets hiding in normal network traffic. We analyzed how bots find their C&C server and the features of those bots' communication with the C&C server. We calculated temporal persistence and packet difference to find IP pairs that connect frequently and exchange packets of similar size. The system uses an SVM-based classification engine to separate C&C traffic from normal traffic. Our method requires neither a priori information about botnet communications nor payload inspection. Finally, we collected network traffic from a number of botnets and a real-world traffic trace to evaluate our system's accuracy, and compared its accuracy with BotHunter. The experimental results show that our proposed system can strengthen existing detection systems.
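The detection features the abstracts above describe (temporal persistence and packet-size difference per IP pair, with DNS query failures as a further signal) worked through in Python as an added example; this is not the thesis's own code. The flow records and DNS answers are constructed, the 600-second window and the thresholds are assumed, and a fixed-threshold rule stands in for the thesis's SVM classifier; the names `pair_features`, `dns_failure_rate` and `flag_candidates` are chosen here.

```python
"""Features from the abstract above: temporal persistence and packet-size
difference per IP pair, plus a DNS query-failure rate per client.

Added illustration, not the thesis's own code. The flow records, DNS answers,
window length and thresholds below are constructed assumptions, and a
fixed-threshold rule stands in for the thesis's SVM."""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW_SECONDS = 600  # assumed width of each time bin (constructed)

# Constructed flow records: (timestamp_s, src_ip, dst_ip, payload_bytes).
# 10.0.0.5 beacons to 203.0.113.7 every 300 s with near-constant size;
# 10.0.0.8 talks to 198.51.100.20 twice with widely varying sizes.
SAMPLE_FLOWS = [(t, "10.0.0.5", "203.0.113.7", 64 + 2 * ((t // 300) % 2))
                for t in range(0, 3600, 300)]
SAMPLE_FLOWS += [(100, "10.0.0.8", "198.51.100.20", 1200),
                 (130, "10.0.0.8", "198.51.100.20", 300),
                 (2500, "10.0.0.8", "198.51.100.20", 40),
                 (2560, "10.0.0.8", "198.51.100.20", 900)]

# Constructed DNS answers: (client_ip, rcode). 10.0.0.5 fails most lookups,
# as a bot cycling through candidate C&C names would; 10.0.0.8 does not.
SAMPLE_DNS = [("10.0.0.5", "NXDOMAIN")] * 8 + [("10.0.0.5", "NOERROR")] * 2 \
           + [("10.0.0.8", "NOERROR")] * 9 + [("10.0.0.8", "NXDOMAIN")]


def pair_features(flows, window=WINDOW_SECONDS):
    """Return {(src, dst): (persistence, size_cv)}.

    persistence: fraction of time windows in the observation period in which
    the pair exchanged at least one packet (1.0 = seen in every window).
    size_cv: coefficient of variation (std/mean) of the packet sizes; values
    near 0 mean the pair always exchanges packets of about the same size."""
    if not flows:
        return {}
    t0 = min(f[0] for f in flows)
    t1 = max(f[0] for f in flows)
    n_windows = (t1 - t0) // window + 1
    seen = defaultdict(set)
    sizes = defaultdict(list)
    for ts, src, dst, size in flows:
        seen[(src, dst)].add((ts - t0) // window)
        sizes[(src, dst)].append(size)
    feats = {}
    for key, wins in seen.items():
        persistence = len(wins) / n_windows
        avg = mean(sizes[key])
        size_cv = pstdev(sizes[key]) / avg if avg else 0.0
        feats[key] = (persistence, size_cv)
    return feats


def dns_failure_rate(answers):
    """Return {client_ip: fraction of answers whose rcode is not NOERROR}."""
    total = defaultdict(int)
    failed = defaultdict(int)
    for client, rcode in answers:
        total[client] += 1
        if rcode != "NOERROR":
            failed[client] += 1
    return {client: failed[client] / total[client] for client in total}


def flag_candidates(flows, answers, min_persistence=0.8, max_size_cv=0.1,
                    min_failure_rate=0.5):
    """Threshold rule (assumed values) standing in for the thesis's SVM:
    a pair is a C&C candidate when it is persistent, exchanges packets of
    similar size, and the client also shows a high DNS failure rate."""
    feats = pair_features(flows)
    failures = dns_failure_rate(answers)
    return sorted(
        pair for pair, (persistence, size_cv) in feats.items()
        if persistence >= min_persistence and size_cv <= max_size_cv
        and failures.get(pair[0], 0.0) >= min_failure_rate)


if __name__ == "__main__":
    for pair, (p, cv) in sorted(pair_features(SAMPLE_FLOWS).items()):
        print(f"{pair[0]} -> {pair[1]}: persistence={p:.2f} size_cv={cv:.3f}")
    print("DNS failure rates:", dns_failure_rate(SAMPLE_DNS))
    print("C&C candidates:", flag_candidates(SAMPLE_FLOWS, SAMPLE_DNS))
```

On the constructed data the beaconing pair scores persistence 1.0 with a size coefficient of variation near 0.015, while the browsing pair is seen in only two of six windows with highly variable sizes, so only the beaconing pair is flagged. In a real deployment the persistence window would span hours or days rather than one hour, and the per-pair feature vectors would be fed to a classifier trained on labelled traffic, as the thesis does with an SVM, instead of the fixed thresholds used here.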

Keywords (English)

botnet; C&C server; SVM; DNS; network traffic; abnormal behavior

