NTU Theses and Dissertations Repository: College of Electrical Engineering and Computer Science, Department of Electrical Engineering
Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/22259

Full metadata record

Field: Value [language]
dc.contributor.advisor: 雷欽隆 (Chin-Laung Lei)
dc.contributor.author: Chun-Yi Cheng [en]
dc.contributor.author: 鄭君毅 [zh_TW]
dc.date.accessioned: 2021-06-08T04:14:31Z
dc.date.copyright: 2010-08-18
dc.date.issued: 2010
dc.date.submitted: 2010-08-10
dc.identifier.citation:
[1] B. Kang, E. Chan-Tin, C. Lee, J. Tyra, H. Kang, C. Nunnery, Z. Wadler, G. Sinclair, N. Hopper, D. Dagon, and Y. Kim. Towards complete node enumeration in a peer-to-peer botnet. In ACM Symposium on Information, Computer and Communications Security (ASIACCS 2009), 2009.
[2] C. Pierce. Owning Kraken Zombies, a Detailed Dissection. http://dvlabs.tippingpoint.com/blog/2008/04/28/owning-kraken-zombies, 2008.
[3] Cyber-TA. http://www.cyber-ta.org/releases/malware-analysis/public/2009-10-17-public/DNS_QueryList.summary
[4] D. McGrath and M. Gupta. Behind Phishing: An Examination of Phisher Modi Operandi. In Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008.
[5] DNSBL. http://www.dnsbl.info/dnsbl-database-check.php
[6] E. Cooke, F. Jahanian, and D. McPherson. The zombie roundup: Understanding, detecting, and disrupting botnets. In Proceedings of the USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet, pp. 39-44, July 2005.
[7] Eggdrop: Open source IRC bot. http://www.eggheads.org/, 1993.
[8] F. Giroire, J. Chandrashekar, N. Taft, E. Schooler, and K. Papagiannaki. Exploiting Temporal Persistence to Detect Covert Botnet Channels. In 12th International Symposium on Recent Advances in Intrusion Detection (RAID'09), 2009.
[9] G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting botnet command and control channels in network traffic. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), 2008.
[10] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee. BotHunter: Detecting malware infection through IDS-driven dialog correlation. In Proceedings of the 16th USENIX Security Symposium (Security'07), 2007.
[11] G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In Proceedings of the USENIX Security Symposium, August 2008.
[12] H. Choi, H. Lee, H. Lee, and H. Kim. Botnet detection by monitoring group activities in DNS traffic. In Proceedings of the 7th IEEE International Conference on Computer and Information Technology (CIT'07), Washington, DC, October 2007.
[13] J. B. Grizzard, V. Sharma, C. Nunnery, B. B. Kang, and D. Dagon. Peer-to-peer botnets: Overview and case study. In Proceedings of USENIX HotBots'07, 2007.
[14] J. Lee, H. Jeong, J. Park, M. Kim, and B. Noh. The Activity Analysis of Malicious HTTP-based Botnets using Degree of Periodic Repeatability. In International Conference on Security Technology (SECTECH'08), December 2008.
[15] J. Nazario. BlackEnergy DDoS Bot Analysis. Arbor Networks, 2007.
[16] J. Oikarinen and D. Reed. RFC 1459: Internet Relay Chat Protocol, 1993.
[17] J. Park. Connecting the Dots: Downadup/Conficker Variants. Symantec, http://www.symantec.com/connect/blogs/w32downadupc-pseudo-random-domain-name-generation#A258, 2009.
[18] N. Immorlica, K. Jain, M. Mahdian, and K. Talwar. Click Fraud Resistant Methods for Learning Click-Through Rates. Lecture Notes in Computer Science, Springer-Verlag, New York, pp. 34-45, 2005.
[19] Offensive Computing. http://www.offensivecomputing.net/
[20] P. Barford and S. Singh. An Inside Look at Botnets. In Special Workshop on Malware Detection, Advances in Information Security, Springer-Verlag, 2006.
[21] S. Weng. Inside Dark Clouds. In Workshop on Understanding Botnets of Taiwan 2010 (BoT 2010), 2010.
[22] ShadowServer. http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129
[23] Symantec. http://www.symantec.com/zh/tw/about/news/release/article.jsp?prid=20100428_01
[24] T. Holz, C. Gorecki, K. Rieck, and F. Freiling. Measuring and Detecting Fast-Flux Service Networks. In NDSS, 2008.
[25] T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm Worm. In Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08), 2008.
[26] tcpdump/libpcap. http://www.tcpdump.org/
[27] ThreatExpert. http://www.threatexpert.com/
[28] Trend Micro. http://blog.trendmicro.com/botnet-research-on-waledac-and-pushdo/
[29] Trusteer. http://www.securitywatch.co.uk/2010/04/22/trusteer-detects-new-zeus-zbot-password-stealing-trojan/
[30] Z. Zhu, V. Yegneswaran, and Y. Chen. Using Failure Information Analysis to Detect Enterprise Zombies. In SecureComm'09, Athens, Greece, 2009.
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/22259
dc.description.abstract [zh_TW, translated]:
In recent years, botnets have become a major threat on the Internet. Attackers use botnets to carry out illegal activities such as distributed denial-of-service (DDoS) attacks, and users often do not notice until the damage is serious, because the traffic by which attackers control a botnet is hard to spot.
This thesis proposes a method for detecting botnet behaviour hidden inside normal network traffic. We analyze how a bot locates its command and control (C&C) server and the characteristics of the communication between a bot and its C&C server, propose a detection approach based on failed Domain Name Service (DNS) queries, and describe a method for detecting botnet C&C traffic. We compute temporal persistence and packet difference to find IP pairs that connect frequently over long periods and exchange packets of similar size, and classify them with a support vector machine (SVM). Our method needs no prior knowledge of the botnet's communication protocol and does not inspect packet payloads, yet it detects several kinds of botnet.
Finally, we collected traffic from several botnets together with real-world traffic to evaluate the accuracy of our system, and compared its accuracy with that of the well-known botnet detection system BotHunter. The experimental results show that the proposed system can strengthen existing detection systems.
dc.description.abstract [en]:
In recent years, botnets have become a major threat to the Internet. Attackers use botnets to carry out a variety of illegal activities, and users do not discover the infection until the situation worsens, because botnet C&C traffic is difficult to find among ordinary Internet traffic.
This thesis proposes a method to detect botnets hiding in normal network traffic. We analyzed how bots find their C&C server, which motivates a detection approach based on failed DNS queries, and the features of the bots' communication with the C&C server. We calculate temporal persistence and packet difference to find IP pairs that connect frequently and exchange packets of similar size. The system uses an SVM-based classification engine to separate C&C traffic from normal traffic. Our method does not require a priori information about the botnet's communication, nor does it require payload inspection.
Finally, we collected traffic from a number of botnets and a real-world traffic trace to evaluate the system's accuracy, and compared its accuracy with BotHunter. The experimental results show that the proposed system can strengthen existing detection systems.
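The abstract names three signals but does not show how they are computed. The following is an added example (not code from the thesis) that re-implements the feature extraction over a small constructed trace: temporal persistence (fraction of time bins in which an IP pair talks), packet difference (normalized mean absolute deviation of packet size per pair), and a per-host count of failed DNS lookups. The bin size, window, thresholds, port whitelist and the final AND rule are assumptions made for the example; the thesis hands the features to an SVM instead of fixed cut-offs. The trace deliberately includes an NTP-style client that is both periodic and size-uniform, the kind of benign traffic that the thesis's "normal user behaviour" section has to exclude.

```python
"""
Added example, not code from the thesis: a small re-implementation of the
feature extraction the abstract describes (temporal persistence, packet
size difference, DNS query failures) over constructed flow records.
Thresholds, bin size, the port whitelist and the final rule are assumptions;
the thesis feeds these features to an SVM instead of fixed cut-offs.
"""
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, payload_bytes).
# Pair A: a "bot" beaconing to its C&C every 60 s with near-constant size.
# Pair B: a user browsing in two bursts with widely varying sizes.
# Pair C: an NTP client polling every 64 s with 48-byte packets (periodic and
#         uniform, exactly the kind of benign traffic that needs whitelisting).
FLOWS = (
    [(60 * i, "10.0.0.5", "203.0.113.7", 8080, size)
     for i, size in enumerate([118, 120, 122, 119, 121, 120, 118, 122, 120, 120])]
    + [(30, "10.0.0.8", "198.51.100.20", 443, 1400),
       (31, "10.0.0.8", "198.51.100.20", 443, 60),
       (35, "10.0.0.8", "198.51.100.20", 443, 1460),
       (300, "10.0.0.8", "198.51.100.20", 443, 200),
       (305, "10.0.0.8", "198.51.100.20", 443, 900)]
    + [(64 * i, "10.0.0.9", "192.0.2.50", 123, 48) for i in range(10)]
)

# Constructed DNS responses: (client_ip, qname, rcode). The bot tries several
# generated names that do not resolve before it finds a live C&C address.
DNS = (
    [("10.0.0.5", f"x{n}q.example", "NXDOMAIN") for n in range(6)]
    + [("10.0.0.5", "cc.example", "NOERROR"),
       ("10.0.0.8", "wwww.example", "NXDOMAIN"),   # a typo, not a DGA
       ("10.0.0.8", "www.example", "NOERROR"),
       ("10.0.0.9", "pool.ntp.example", "NOERROR")]
)

WINDOW_S = 600           # observation window (assumed)
BIN_S = 60               # bin size for persistence (assumed)
PERIODIC_PORTS = {123}   # assumed whitelist of benign periodic services


def temporal_persistence(flows, bin_s=BIN_S, window_s=WINDOW_S):
    """Fraction of time bins in the window in which each (src, dst) pair
    exchanged at least one packet. A C&C beacon approaches 1.0."""
    bins = defaultdict(set)
    for ts, src, dst, _port, _size in flows:
        bins[(src, dst)].add(ts // bin_s)
    total = window_s // bin_s
    return {pair: len(seen) / total for pair, seen in bins.items()}


def packet_difference(flows):
    """Mean absolute deviation of packet size divided by the mean size, per
    pair. Near 0 means the pair exchanges packets of almost constant size,
    as a polling bot does."""
    sizes = defaultdict(list)
    for _ts, src, dst, _port, size in flows:
        sizes[(src, dst)].append(size)
    result = {}
    for pair, s in sizes.items():
        mean = sum(s) / len(s)
        mad = sum(abs(x - mean) for x in s) / len(s)
        result[pair] = mad / mean if mean else 0.0
    return result


def dns_failure_counts(dns, failure_rcodes=("NXDOMAIN", "SERVFAIL")):
    """Number of failed lookups per client; bots probing generated or dead
    C&C names accumulate many, ordinary hosts very few."""
    counts = defaultdict(int)
    for client, _qname, rcode in dns:
        if rcode in failure_rcodes:
            counts[client] += 1
    return dict(counts)


def dst_ports(flows):
    """Set of destination ports seen per (src, dst) pair."""
    ports = defaultdict(set)
    for _ts, src, dst, port, _size in flows:
        ports[(src, dst)].add(port)
    return ports


def detect(flows, dns, persistence_min=0.8, difference_max=0.1, failures_min=3):
    """Flag pairs that are persistent, size-uniform and whose source also
    shows many DNS failures; pairs that only use whitelisted periodic-service
    ports are skipped. Returns sorted (src, dst, persistence, diff, failures)."""
    persistence = temporal_persistence(flows)
    difference = packet_difference(flows)
    failures = dns_failure_counts(dns)
    ports = dst_ports(flows)
    flagged = []
    for pair, p in persistence.items():
        if ports[pair] <= PERIODIC_PORTS:
            continue
        d = difference[pair]
        nxd = failures.get(pair[0], 0)
        if p >= persistence_min and d <= difference_max and nxd >= failures_min:
            flagged.append((pair[0], pair[1], p, d, nxd))
    return sorted(flagged)


if __name__ == "__main__":
    for src, dst, p, d, nxd in detect(FLOWS, DNS):
        print(f"{src} -> {dst}: persistence={p:.2f} size_diff={d:.3f} dns_failures={nxd}")
```

On this trace only the beaconing pair is flagged: the browsing pair fails both the persistence and the size test, and the NTP client, which scores exactly like a bot on both flow features, is dropped only because of the port whitelist. That is the practical caveat behind the thesis's separate treatment of normal user behaviour: persistence and uniform size on their own describe a great deal of legitimate keep-alive and polling traffic, so the DNS-failure signal (or a learned classifier) is what separates the two.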
dc.description.provenance: Made available in DSpace on 2021-06-08T04:14:31Z (GMT). No. of bitstreams: 1; ntu-99-R97921068-1.pdf: 3055873 bytes, checksum: b83c30edaca51693a4fb94502380d605 (MD5). Previous issue date: 2010 [en]
dc.description.tableofcontents:
Thesis committee approval #
Acknowledgements i
Chinese abstract ii
ABSTRACT iii
CONTENTS iv
LIST OF FIGURES vi
LIST OF TABLES viii
Chapter 1 Introduction 1
1.1 Background 1
1.2 Motivation 2
1.3 Objectives 3
1.4 Thesis organization 4
Chapter 2 Botnet overview and related work 5
2.1 Bots and botnets 5
2.1.1 Botnet terminology 5
2.1.2 Typical botnet behaviour 6
2.2 Types of botnet 9
2.2.1 Centralized 9
2.2.2 Peer-to-peer 11
2.3 Related work on botnet detection 12
Chapter 3 Detection system 14
3.1 Botnet characteristics 14
3.2 DNS monitoring 15
3.3 Temporal persistence 17
3.4 Packet difference 18
3.5 Normal user behaviour 21
3.6 Detection workflow 27
Chapter 4 Experiments and discussion 28
4.1 Traffic collection and environment 28
4.2 Experimental data 31
4.3 Evaluation of results 32
Chapter 5 Conclusion and future work 34
5.1 Conclusion 34
5.2 Future work 35
References 36
dc.language.iso: zh-TW
dc.subject: abnormal behaviour (異常行為) [zh_TW]
dc.subject: botnet (殭屍網路) [zh_TW]
dc.subject: command and control server (指揮與控制伺服器) [zh_TW]
dc.subject: Domain Name Service (域名服務) [zh_TW]
dc.subject: support vector machine (向量支援機) [zh_TW]
dc.subject: network traffic (網路流量) [zh_TW]
dc.subject: C&C server [en]
dc.subject: abnormal behavior [en]
dc.subject: network traffic [en]
dc.subject: DNS [en]
dc.subject: SVM [en]
dc.subject: botnet [en]
dc.title: 利用域名查詢失敗及封包特性之殭屍網路偵測法 [zh_TW]
dc.title: Botnet Detection Based on DNS Query Failures and Packet Characteristics [en]
dc.type: Thesis
dc.date.schoolyear: 98-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 郭斯彥 (Sy-Yen Kuo), 顏嗣鈞 (Hsu-chun Yen), 楊中皇 (Chung-Huang Yang), 黃俊穎 (Chun-Ying Huang)
dc.subject.keyword: botnet, command and control server, Domain Name Service, support vector machine, network traffic, abnormal behaviour (殭屍網路, 指揮與控制伺服器, 域名服務, 向量支援機, 網路流量, 異常行為) [zh_TW]
dc.subject.keyword: botnet, C&C server, SVM, DNS, network traffic, abnormal behavior [en]
dc.relation.page: 38
dc.rights.note: not authorized for release (未授權)
dc.date.accepted: 2010-08-11
dc.contributor.author-college: College of Electrical Engineering and Computer Science (電機資訊學院) [zh_TW]
dc.contributor.author-dept: Graduate Institute of Electrical Engineering (電機工程學研究所) [zh_TW]
Appears in collection: Department of Electrical Engineering

Files in this item:
ntu-99-1.pdf, 2.98 MB, Adobe PDF (not authorized for public access)