Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/15791
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.advisor | 孫雅麗(Yea-Li Sun) | |
dc.contributor.author | Yi-Ning Chen | en |
dc.contributor.author | 陳怡寧 | zh_TW |
dc.date.accessioned | 2021-06-07T17:52:12Z | - |
dc.date.copyright | 2012-08-22 | |
dc.date.issued | 2012 | |
dc.date.submitted | 2012-08-20 | |
dc.identifier.citation | [1] Douglas E. Comer and John C. Lin, “Probing TCP Implementations,” Proceedings of the USENIX Summer Conference, 1994.
[2] Jon Mark Allen, “OS and Application Fingerprinting Techniques,” 2007.
[3] Testing for Web Application Fingerprint (OWASP-IG-004), https://www.owasp.org/index.php/Testing_for_Web_Application_Fingerprint_%28OWASP-IG-004%29
[4] Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, and Wenke Lee, “BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation,” Proceedings of the 16th USENIX Security Symposium, 2007.
[5] Guofei Gu, Junjie Zhang, and Wenke Lee, “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic,” 15th Annual Network and Distributed System Security Symposium (NDSS), 2008.
[6] Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee, “BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection,” Proceedings of the 17th USENIX Security Symposium, 2008.
[7] Lei Liu, Songqing Chen, Guanhua Yan, and Zhao Zhang, “BotTracer: Execution-Based Bot-Like Malware Detection,” ISC, 2008.
[8] Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda, “Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis,” ACM CCS, 2007.
[9] Konrad Rieck, Thorsten Holz, Carsten Willems, Patrick Düssel, and Pavel Laskov, “Learning and Classification of Malware Behavior,” DIMVA, 2008.
[10] Moheeb Abu Rajab et al., “A Multifaceted Approach to Understanding the Botnet Phenomenon,” ACM IMC, 2006.
[11] Carsten Willems, Thorsten Holz, and Felix Freiling, “Toward Automated Dynamic Malware Analysis Using CWSandbox,” IEEE Security & Privacy, 2007.
[12] Dawn Song, David Brumley, Heng Yin, Juan Caballero, Ivan Jager, Min Gyung Kang, Zhenkai Liang, James Newsome, Pongsin Poosankam, and Prateek Saxena, “BitBlaze: A New Approach to Computer Security via Binary Analysis,” Information Systems Security, Lecture Notes in Computer Science, 2008.
[13] QEMU, http://wiki.qemu.org
[14] David Brumley, Cody Hartwig, Zhenkai Liang, James Newsome, Dawn Song, and Heng Yin, “Automatically Identifying Trigger-based Behavior in Malware,” Botnet Detection, Advances in Information Security, 2008. | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/15791 | - |
dc.description.abstract | To strengthen network security, botnets, the source of many network attacks, have become a focus of defensive work. Botnets are commonly used for large-scale attacks such as launching distributed denial-of-service (DDoS) attacks, hosting phishing sites and sending spam. Two main approaches to botnet detection are in use today: host-based detection systems installed on individual machines, and network-based detection systems that monitor network behavior; both combine signature matching and anomaly detection to find infected machines (bots). The former detects bots more accurately, but because software must be installed on the host, its presence is easily noticed by the bot; the latter can monitor at scale, but becomes ineffective once the bot encrypts or disguises its network traffic. Both are passive methods: they can only detect a bot after it does something on the host or on the network. We want a method that differs from passive detection by actively uncovering the presence of bots, so as to reduce the overall threat of botnets. Because virtualization has matured and organizations are moving their services into virtual environments, we design and implement a bot detection system for virtualized environments in which the detection components sit in the virtualization layer, so the guest operating system can be monitored without the bot detecting the monitor. We combine passive and active bot detection: for active detection, we observe and analyze the host and network behavior of known bots, extract behaviors that can be triggered and then collected, and turn the whole trigger process into a behavioral fingerprint of the bot. Detection then consists of applying the trigger condition and observing whether the expected bot behavior appears. Our experimental results show that both passive and active detection can detect bots promptly and effectively. | zh_TW |
dc.description.abstract | Defeating botnets is key to securing the Internet. Many cyber crimes are launched by botnets, such as DDoS, spamming and click fraud. Although numerous network-based detection mechanisms have been proposed and implemented, they still have limitations due to their passive nature. A host-based detection agent can detect bots more precisely; however, it is intrusive and can be noticed by the bot. To complement current solutions, we propose a mechanism called active bot fingerprinting. By applying a specific stimulus to a host, we observe whether the expected behavior is triggered, and so determine whether the host is a bot. Since virtualized environments are widely used by enterprises to host their services (e.g., private clouds), we propose and implement a bot detection system for virtualized environments that combines the passive and the active detection approaches. The results of both passive and active detection show a good detection rate with low false positive and false negative rates. | en |
dc.description.provenance | Made available in DSpace on 2021-06-07T17:52:12Z (GMT). No. of bitstreams: 1 ntu-101-R99725028-1.pdf: 1352667 bytes, checksum: efe0e6e865eccd80165a5c14a54dc924 (MD5) Previous issue date: 2012 | en |
dc.description.tableofcontents | Abstract (Chinese)
Thesis Abstract
Table of Contents
Figure List
Table List
1 Introduction
1.1 Background
1.2 Motivation and Goal
2 Related Work
2.1 Network-based Botnet Detection
2.2 Host-based Botnet Detection
2.3 Fingerprinting
3 Approach
3.1 Monitor Guest OS in Virtualized Environment
3.2 Learning-based Bot Behavior Profiling
3.3 Passive Bot Detection
3.4 Active Bot Fingerprinting
4 System Design
4.1 Passive Detection Agent
4.1.1 Process Tracing Module
4.1.2 API Hooking Module
4.2 Active Detection Agent
5 Implementation
6 Experiment
6.1 Data Source
6.2 Learning-based Bot Behavior Profiling
6.3 Passive Bot Detection
6.3.1 Passive Detection with Behavior Profile Generated by Multiple Bot Variants
6.3.2 Passive Bot Detection with Behavior Profile Generated by Single Bot Variant
6.4 Active Bot Detection
7 Conclusion
References | |
dc.language.iso | en | |
dc.title | Combining Dynamic Passive Analysis and Active Probing for Effective Real-Time Bot Malware Detection in Virtualized Environments | zh_TW |
dc.title | Combining Dynamic Passive Analysis and Active Fingerprinting for Effective Bot Malware Detection in Virtualized Environments | en |
dc.type | Thesis | |
dc.date.schoolyear | 100-2 | |
dc.description.degree | Master's | |
dc.contributor.oralexamcommittee | 陳孟彰(Meng-Chang Chen),吳啟文(Chi-Wen Wu),潘育群(Yu-Chiun Pan) | |
dc.subject.keyword | botnet, active detection, passive detection, virtualized environment | zh_TW |
dc.subject.keyword | bot, active bot fingerprinting, passive detection, virtualized environment | en |
dc.relation.page | 33 | |
dc.rights.note | Not authorized | |
dc.date.accepted | 2012-08-20 | |
dc.contributor.author-college | College of Management | zh_TW |
dc.contributor.author-dept | Graduate Institute of Information Management | zh_TW |
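The passive-plus-active combination described in the abstract can be sketched in a few lines. The following is an added illustration written for this record, not code from the thesis: it learns a behavior profile from constructed API-call traces of known bots versus benign programs, scores a monitored trace against that profile (passive detection), and applies a stimulus to a simulated guest to see whether the expected call sequence follows (active fingerprinting). The bigram profile, the bot-minus-benign learning rule, the 0.3 threshold, the stimulus names and the guest reaction tables are all assumptions of this example; the thesis's actual profiling method, triggers and thresholds are not given on this page.

```python
# Added example (not the thesis's code): a toy passive + active bot detector
# over constructed API-call traces. The profile format (API-call bigrams), the
# bot-minus-benign learning rule, the 0.3 threshold and the stimulus model are
# assumptions of this example, not details taken from the thesis.
from collections import Counter
from typing import Callable, Dict, List, Sequence, Set, Tuple

Trace = List[str]
Gram = Tuple[str, ...]

# Constructed training traces, in the form an API-hooking monitor in the
# virtualization layer might report them: one API name per observed call.
BOT_TRAINING_TRACES: List[Trace] = [
    ["CreateProcess", "RegSetValue", "connect", "send", "recv", "CreateFile", "WriteFile"],
    ["RegSetValue", "connect", "send", "recv", "CreateProcess", "connect", "send"],
    ["connect", "send", "recv", "RegSetValue", "CreateProcess", "WriteFile"],
]
BENIGN_TRAINING_TRACES: List[Trace] = [
    ["CreateFile", "ReadFile", "CloseHandle", "CreateFile", "ReadFile"],
    ["connect", "send", "recv", "CloseHandle"],  # an ordinary client session
    ["CreateFile", "WriteFile", "CloseHandle"],
]


def ngrams(trace: Sequence[str], n: int = 2) -> List[Gram]:
    """Sliding n-grams of API names; the order is what carries the behavior."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(bot_traces: Sequence[Trace], benign_traces: Sequence[Trace],
                  n: int = 2) -> Set[Gram]:
    """Learning step (assumed rule): keep call n-grams seen in known-bot traces
    but never in benign traces, so that common activity such as a plain
    connect/send/recv session does not count as evidence on its own."""
    bot_grams = Counter(g for t in bot_traces for g in ngrams(t, n))
    benign_grams = {g for t in benign_traces for g in ngrams(t, n)}
    return {g for g in bot_grams if g not in benign_grams}


def passive_score(profile: Set[Gram], trace: Sequence[str], n: int = 2) -> float:
    """Passive detection: fraction of a monitored trace's n-grams in the profile."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g in profile) / len(grams)


# Active fingerprint: (stimulus the agent applies, behavior expected afterwards,
# in order). Stimulus names are invented for the example.
Fingerprint = Tuple[str, Sequence[str]]
ACTIVE_FINGERPRINTS: List[Fingerprint] = [
    ("cnc:download_and_exec", ["recv", "CreateFile", "WriteFile", "CreateProcess"]),
    ("cnc:flood_start", ["recv", "socket", "sendto", "sendto"]),
]


def is_ordered_subsequence(expected: Sequence[str], observed: Sequence[str]) -> bool:
    """True if every expected call appears in `observed` in the same order;
    unrelated calls may be interleaved between them."""
    it = iter(observed)
    return all(any(call == want for call in it) for want in expected)


def active_check(react: Callable[[str], Sequence[str]],
                 fingerprints: Sequence[Fingerprint] = ACTIVE_FINGERPRINTS) -> List[str]:
    """Active fingerprinting: apply each stimulus and keep those whose expected
    behavior was actually observed afterwards."""
    return [stim for stim, expected in fingerprints
            if is_ordered_subsequence(expected, react(stim))]


def classify(profile: Set[Gram], trace: Sequence[str],
             react: Callable[[str], Sequence[str]], threshold: float = 0.3) -> Dict[str, object]:
    """Combine both verdicts: either a profile hit or a triggered fingerprint flags the guest."""
    score = passive_score(profile, trace)
    hits = active_check(react)
    return {"passive_score": score, "passive_flag": score >= threshold,
            "active_hits": hits, "is_bot": score >= threshold or bool(hits)}


# Constructed guests standing in for real VMs: each maps a stimulus to the
# API calls the monitor would observe afterwards.
def bot_guest(stimulus: str) -> Sequence[str]:
    reactions = {
        "cnc:download_and_exec": ["recv", "CreateFile", "WriteFile", "CloseHandle", "CreateProcess"],
        "cnc:flood_start": ["recv", "socket", "sendto", "sendto", "sendto"],
    }
    return reactions.get(stimulus, ["recv"])


def clean_guest(stimulus: str) -> Sequence[str]:
    return ["recv", "CloseHandle"]  # a benign service just drops unknown input


PROFILE = build_profile(BOT_TRAINING_TRACES, BENIGN_TRAINING_TRACES)
SUSPICIOUS_TRACE: Trace = ["connect", "send", "recv", "CreateProcess",
                           "connect", "send", "recv", "RegSetValue"]
BENIGN_TRACE: Trace = ["CreateFile", "ReadFile", "CloseHandle", "connect", "send", "recv", "CloseHandle"]

if __name__ == "__main__":
    print(classify(PROFILE, SUSPICIOUS_TRACE, bot_guest))
    print(classify(PROFILE, BENIGN_TRACE, clean_guest))
```

Two points the toy makes explicit. First, the profile only keeps call bigrams that benign programs never produce, so the suspicious trace scores on `recv` followed by `CreateProcess` and on `RegSetValue` after a network exchange, not on the connect/send/recv session itself, which a clean client also performs. Second, an active fingerprint is an ordered expectation: the stimulus counts as a hit only if the expected calls appear in sequence after it, which is what distinguishes a triggered bot from a service that merely reads and discards the input. In a real deployment the stimulus is applied from outside the guest and must be one the operator is entitled to send and that cannot itself cause harm if the guest is clean.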
Appears in Collections: | Department of Information Management |
Files in This Item:
File | Size | Format | |
---|---|---|---|
ntu-101-1.pdf (currently not authorized for public access) | 1.32 MB | Adobe PDF |
Items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.