結合動態被動分析與主動探測之有效虛擬環境殭屍軟體及時偵測

Abstract

為了加強網路的資訊安全，許多網路攻擊的源頭─殭屍網路(botnet)已成為資安防治的重點之一。Botnet常被用於大規模網路攻擊，例如發動分散式阻斷服務攻擊(DDoS)、建置釣魚網站、寄送垃圾信件等。目前偵測botnet的主要應用方法有兩種：建置在個人電腦上的本機偵測系統(host-based)和監控網路行為的網路偵測系統(network-based)，兩者皆混合使用特徵碼和異常偵測來找出受感染的殭屍電腦(bot)。前者雖能較準確的偵測bot，但因須在本機上安裝軟體，容易被bot查覺到其存在；而後者雖能進行大規模的監控，卻會因bot對其網路傳輸內容進行加密或偽裝而無法達到有效的偵測。以上兩者皆屬於被動的偵測方法，需bot於本機或網路有所動靜才能偵測，而我們希望能提供一個不同於被動偵測的方法，主動發掘bot的存在，以降低botnet的整體威脅。又因為虛擬化技術的進步，企業組織開始將服務移往虛擬環境，我們設計並實作一個適用於虛擬環境的bot偵測系統，將偵測元件建置在虛擬軟體層，能達到監控作業系統的目的而不會被bot反向偵測。我們並結合被動與主動式bot偵測：主動式bot偵測藉由觀察和分析已知bot的本機行為和網路行為，從中萃取可以被觸發並採集到的行為，並將整個觸發過程製成bot的行為特徵(fingerprint)。偵測方法為啟動觸發條件，並觀察是否有預期的bot行為出現。本論文實驗結果顯示被動與主動偵測皆能及時且有效偵測殭屍電腦。

Defeating botnet is the key to secure the Internet. Many cyber crimes are launched by botnets, such as DDoS, spamming and click frauds. Although numerous network-based detection mechanisms are proposed and implemented, they still have some limitations due to their passive nature. Host-based detection agent can perform more precisely in bot detection; however, it’s intrusive and can be aware by the bot. In order to complement current solutions, we propose a mechanism called active bot fingerprinting. By setting certain specific stimulus to a host, we observe whether certain expected behavior is triggered to examine if the host is a bot. Since the virtualized environment is widely used for enterprises to host their service (e.g., private cloud), we propose and implement a bot detection system combining both passive and active detection approach for virtualized environment. The detection result of both passive detection and active detection shows a good detection rate with low false positive rate and low false negative rate.