  • Thesis

A mechanism for detecting botnets from network behaviour using PSO + K-means

A Network Behavior-Based Botnet Detection Mechanism Using PSO and K-means

Advisor: 李興漢

Abstract


Botnets have become the greatest threat to network security. Besides launching denial-of-service attacks that paralyse important websites, a botnet can steal confidential data from the victim machine itself, trick users out of their account credentials with phishing pages, send mass advertising mail, and commit click fraud and other cybercrimes. Although many new detection techniques and solutions have appeared, they still cannot effectively reduce the threat posed by botnets. Current detection methods mainly analyse packet contents and the features of network flows, but the problem they face is that a botnet can easily alter those packet contents and flow features to evade the detection system, and they also run into packet encryption and privacy problems. This study proposes a mechanism that can still detect botnets when packets are encrypted, when packet or flow features have been altered, and without infringing on privacy. First, through a literature review and an analysis of victim machines' network activity, three important network behaviour features are identified: long-term communication behaviour (ActBehavior), connection-failure behaviour (FailBehavior) and network-scanning behaviour (ScanBehavior). These features are then extracted from network-layer and transport-layer data on network equipment; because they describe behaviour rather than content, changes in how the botnet operates do not affect the detection performance of this method. Finally, PSO (Particle Swarm Optimization) combined with the K-means algorithm is used to find the botnet members inside the organisation's network. The study takes the network of an academic institution as a case study, and the results show that the method can effectively (1) find the botnet members inside the organisation's network; (2) still find the botnet members when the botnet encrypts packets or changes flow features to avoid detection; and (3) discover botnet members early, before other security systems have detected them. Because the method analyses network flows only, does not infringe on privacy and requires no software to be installed on user machines, it is well suited to dormitory networks, the networks that telecom operators provide to home users, and the 3G networks used by mobile phones.

Parallel Abstract (English)


Nowadays, botnets have become one of the greatest threats to network security. Attackers can use a botnet to launch distributed denial of service (DDoS) attacks that paralyse important websites, to steal confidential data from infected computers, to run phishing attacks that steal sensitive information such as account names and passwords, to send bulk email advertising, or to conduct click fraud. Even though detection technology has improved and solutions for Internet security have been proposed, the threat of botnets still exists. Most previous studies analysed packet contents or network-flow features to detect botnets. However, those approaches face packet encryption and privacy problems, and a botnet can easily change its packet contents and flow features to evade the detection system. This study proposes a solution to those problems and develops a botnet detection mechanism step by step. First, three important network behaviours, long communication behaviour (ActBehavior), connection-failure behaviour (FailBehavior) and network-scanning behaviour (ScanBehavior), are defined by reviewing the related literature and analysing the network activity of infected computers. Second, the features of these behaviours are extracted from the network-layer and transport-layer flow records kept by network equipment. Finally, Particle Swarm Optimization (PSO) and the K-means algorithm are used to detect the botnet members in the organization's network. A campus network is used as a case study. The experimental results show that this mechanism can find the botnet members on an organization's network even when packets are encrypted or flow features are changed, and can find them before other information security systems detect them.
Moreover, the mechanism is simple to implement and can be used in student dormitory networks, home networks and mobile 3G networks as well.
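The pipeline both abstracts describe (behaviour features from flow records, then PSO-seeded K-means to separate bot hosts from the rest) as an added, runnable example. This is not the thesis's code: the flow records are constructed, the concrete definitions of ActBehavior (share of the window in which a host kept talking to its most persistent peer), FailBehavior (share of TCP flows whose handshake never completed, here marked by a SYN-only flag string) and ScanBehavior (distinct destination addresses per flow) are this example's reading of the three behaviours, and the swarm constants are textbook defaults, all assumptions rather than values taken from the thesis.

```python
import random
from collections import defaultdict

HOURS = 24  # observation window in hours (assumption of this example)

def build_sample_flows(seed=1):
    """Constructed NetFlow-style records (src, dst, dport, proto, tcp_flags, hour):
    eight benign hosts browse a few web servers in office hours; 10.0.0.5 and .7 beacon
    hourly to one C&C address and sweep a neighbouring /24 on 445.  Flags 'S' alone
    are treated as a handshake that never completed (assumption)."""
    rng = random.Random(seed)
    flows = []
    for i in range(10, 18):
        for _ in range(rng.randint(40, 80)):
            flags = "S" if rng.random() < 0.05 else "SAF"
            flows.append((f"10.0.0.{i}", f"93.184.216.{rng.randint(1, 8)}",
                          rng.choice([80, 443]), "tcp", flags, rng.randint(8, 18)))
    for src in ("10.0.0.5", "10.0.0.7"):
        for hour in range(HOURS):
            flows.append((src, "198.51.100.23", 6667, "tcp", "SAF", hour))
        for _ in range(60):
            flags = "S" if rng.random() < 0.8 else "SAF"
            flows.append((src, f"10.0.1.{rng.randint(1, 254)}", 445, "tcp", flags,
                          rng.randint(0, HOURS - 1)))
    return flows

def extract_features(flows):
    """Per source host: [ActBehavior, FailBehavior, ScanBehavior], each in [0, 1]."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[0]].append(f)
    feats = {}
    for src, fl in by_src.items():
        hours_by_dst = defaultdict(set)
        for _, dst, _, _, _, hour in fl:
            hours_by_dst[dst].add(hour)
        # ActBehavior: share of the window spent talking to the most persistent peer.
        act = max(len(h) for h in hours_by_dst.values()) / HOURS
        # FailBehavior: share of TCP flows that never completed the handshake.
        tcp = [f for f in fl if f[3] == "tcp"]
        fail = sum(1 for f in tcp if f[4] == "S") / len(tcp) if tcp else 0.0
        # ScanBehavior: distinct destination addresses per flow.
        scan = len({f[1] for f in fl}) / len(fl)
        feats[src] = [act, fail, scan]
    return feats

def normalise(feats):
    """Min-max scale each column so no single behaviour dominates the distance."""
    cols = list(zip(*feats.values()))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return {h: [(v - l) / (u - l) if u > l else 0.0 for v, l, u in zip(vec, lo, hi)]
            for h, vec in feats.items()}

def sse(points, centroids):
    """K-means objective: squared distance of every point to its nearest centroid."""
    return sum(min(sum((p - c) ** 2 for p, c in zip(pt, ce)) for ce in centroids) for pt in points)

def pso_kmeans(points, k=2, particles=20, iters=60, seed=7):
    """PSO over candidate centroid sets (fitness = SSE), then K-means refinement from
    the swarm's global best.  Each particle encodes k centroids; w, c1, c2 are defaults."""
    rng = random.Random(seed)
    dim, w, c1, c2 = len(points[0]), 0.72, 1.49, 1.49
    unflat = lambda v: [v[i * dim:(i + 1) * dim] for i in range(k)]
    pos = [[x for c in rng.sample(points, k) for x in c] for _ in range(particles)]
    vel = [[0.0] * (k * dim) for _ in range(particles)]
    pbest, pbest_fit = [p[:] for p in pos], [sse(points, unflat(p)) for p in pos]
    g = min(range(particles), key=pbest_fit.__getitem__)
    gbest, gbest_fit = pbest[g][:], pbest_fit[g]
    for _ in range(iters):
        for i in range(particles):
            for d in range(k * dim):
                vel[i][d] = (w * vel[i][d] + c1 * rng.random() * (pbest[i][d] - pos[i][d])
                             + c2 * rng.random() * (gbest[d] - pos[i][d]))
                pos[i][d] = min(1.0, max(0.0, pos[i][d] + vel[i][d]))  # data lives in [0,1]
            fit = sse(points, unflat(pos[i]))
            if fit < pbest_fit[i]:
                pbest[i], pbest_fit[i] = pos[i][:], fit
                if fit < gbest_fit:
                    gbest, gbest_fit = pos[i][:], fit
    centroids = unflat(gbest)
    for _ in range(100):  # Lloyd iterations starting from the swarm's best centroids
        labels = [min(range(k), key=lambda j: sum((p - c) ** 2 for p, c in zip(pt, centroids[j])))
                  for pt in points]
        new = []
        for j in range(k):
            m = [pt for pt, l in zip(points, labels) if l == j]
            new.append([sum(col) / len(m) for col in zip(*m)] if m else centroids[j])
        if new == centroids:
            break
        centroids = new
    return centroids, labels

def detect_botnet_members(flows):
    """Run the pipeline; return the hosts in the cluster whose centroid scores highest
    on ActBehavior + FailBehavior + ScanBehavior combined."""
    feats = normalise(extract_features(flows))
    hosts = sorted(feats)
    centroids, labels = pso_kmeans([feats[h] for h in hosts])
    bot = max(range(len(centroids)), key=lambda j: sum(centroids[j]))
    return {h for h, l in zip(hosts, labels) if l == bot}
```

Calling `detect_botnet_members(build_sample_flows())` returns the two beaconing, scanning hosts. None of the three features looks at payload bytes, which is the property the abstracts rely on: encrypting the C&C channel changes nothing here, whereas changing the beacon period or slowing the scan would, so in practice the window length and feature definitions are what an operator tunes. Seeding the particles from real data points is deliberate; uniformly random centroids make PSO waste most of its iterations on empty regions of the feature space.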

Keywords

Network Traffic Analysis; Botnet; PSO; K-means

