NTU Theses and Dissertations Repository
Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/71251

Full metadata record (DC field: value [language])

dc.contributor.advisor: 郭斯彥 (Kuo Sy-Yen)
dc.contributor.author: Fyodor Yarochkin [en]
dc.contributor.author: 費爾德 [zh_TW]
dc.date.accessioned: 2021-06-17T05:01:01Z
dc.date.available: 2018-08-01
dc.date.copyright: 2018-08-01
dc.date.issued: 2018
dc.date.submitted: 2018-07-25
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/71251
dc.description.abstract [zh_TW, translated]: This dissertation studies in depth the fundamental principles of network defense and the concept of threat hunting, covering several case studies of proactive detection and distributed detection techniques that can be applied to network exposures within network infrastructure. Managing risk and measuring exposure are the main objectives of an information security program within a large organization. Managing security risk at the national level is the main objective of any national Computer Emergency Response Team (CERT) or Computer Security Incident Response Team (CSIRT). Through this work we aim to improve the process of detecting network exposures in a timely manner and discovering adversary activity earlier. Threat hunting and proactive detection aim to shorten the time between a network breach and the detection of that breach. This approach is particularly effective in cases where the adversary deliberately evades traditional security products. This work helps automate selected tasks in the fields of proactive monitoring, detection and threat hunting. We designed and implemented a distributed cloud platform to handle the large volume of data to be processed, stored and analyzed, and attempted to understand methods for risk assessment of large networks, conducting practical experiments with large network datasets.

The main contribution of this work is to show how threat hunting and several non-intrusive methods of reconnaissance of large network infrastructure can be used to measure risk and network vulnerability exposure in the analyzed network.
dc.description.abstract [en]: This dissertation dives into basic principles of network defense and the concept of threat hunting, and covers several case studies of proactive detection and techniques that can be used for scalable detection of network exposures within network infrastructure.

Managing risk and exposure levels is the primary objective of an information security program within a large organization. Managing security risks at a country-wide level is a primary objective of any national Computer Emergency Response Team (CERT) or Computer Security Incident Response Team (CSIRT).

With this work we aim at improving the process of timely detection of network exposures and adversary activities at earlier stages. Threat hunting and proactive detection aim at shortening the time between a network breach and the detection of that breach. This approach is particularly effective in cases where the adversary intentionally evades traditional security products. This work helps to automate selected tasks in the domains of proactive monitoring, detection and threat hunting. A scalable cloud-based platform was designed and implemented in order to cope with the massive amount of data to be processed, stored and analyzed. In this study we try to understand methods of large-network risk evaluation and conduct practical experiments using large network datasets. The main contribution of this work is to demonstrate how threat hunting and several non-intrusive methods of large network infrastructure reconnaissance can be used to measure risk and network vulnerability exposures within the analyzed network.
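The abstract and the outline's chapter 3 (passive monitoring of DNS, detection of DGA use in DNS, generic protocol anomaly detection) state the goal of spotting domain-generation-algorithm traffic in passive DNS data but, on this page, not the method. The following Python is an added example written for this record, not the dissertation's code or its algorithm: it screens constructed passive-DNS records in two complementary ways, lexical scoring of each queried name (length, character entropy, vowel ratio) and per-client NXDOMAIN bursts inside a time window. The log format, the thresholds, the 60-second window and the second-to-last-label heuristic are all assumptions of the illustration.

```python
"""Screen passive-DNS records for DGA-like activity: lexical scoring of the
queried names plus per-client NXDOMAIN bursts inside a time window.
Added example: the log format and all thresholds are assumptions of this
illustration, not the detection algorithm of the dissertation."""
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS sample (not real traffic):
# "<ISO timestamp> <client IP> <queried name> <rcode>"
SAMPLE_LOG = """\
2018-04-10T10:00:01 10.0.0.5 www.example.com NOERROR
2018-04-10T10:00:02 10.0.0.5 mail.example.com NOERROR
2018-04-10T10:00:03 10.0.0.9 xk3q9z7wbt2p.net NXDOMAIN
2018-04-10T10:00:04 10.0.0.9 q8z1mvl0rr4e.net NXDOMAIN
2018-04-10T10:00:05 10.0.0.9 jj7x2aq9cbp3.net NXDOMAIN
2018-04-10T10:00:06 10.0.0.9 t4n8zf6ykx01.net NXDOMAIN
2018-04-10T10:00:07 10.0.0.9 v0p3hxc9lmq2.net NXDOMAIN
2018-04-10T10:00:08 10.0.0.9 wf5e1rtz8n6k.net NOERROR
2018-04-10T10:00:09 10.0.0.5 cdn.example.org NOERROR
2018-04-10T10:00:10 10.0.0.7 typo.exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")


def parse_log(text):
    """Parse the constructed log format into (time, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, qname, rcode = m.groups()
        records.append((datetime.fromisoformat(ts), client,
                        qname.lower().rstrip("."), rcode))
    return records


def registrable_label(qname):
    """Second-to-last label of the name. Assumption: multi-label public suffixes
    such as co.uk are not handled; a real deployment uses the Public Suffix List."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lexical_features(label):
    """Length, Shannon entropy (bits/char), vowel ratio and digit ratio of a label."""
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    vowels = sum(label.count(v) for v in "aeiou")
    digits = sum(ch.isdigit() for ch in label)
    return {"length": n, "entropy": entropy,
            "vowel_ratio": vowels / n if n else 0.0,
            "digit_ratio": digits / n if n else 0.0}


def looks_algorithmic(label, min_len=10, min_entropy=3.0, max_vowel_ratio=0.2):
    """Thresholds are assumptions: long, high-entropy, vowel-poor labels."""
    f = lexical_features(label)
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def nxdomain_burst(times, window_s=60):
    """Largest number of NXDOMAIN answers one client received inside any window."""
    times = sorted(times)
    best = 0
    for i, t0 in enumerate(times):
        j = i
        while j < len(times) and (times[j] - t0).total_seconds() <= window_s:
            j += 1
        best = max(best, j - i)
    return best


def hunt(log_text, min_burst=3):
    """Report clients that show an NXDOMAIN burst or queried DGA-like names.
    Names are scored regardless of rcode: in a burst of failures, the one name
    that does resolve is the candidate rendezvous (C2) domain."""
    nx_times = defaultdict(list)
    dga_like = defaultdict(set)
    for t, client, qname, rcode in parse_log(log_text):
        if rcode == "NXDOMAIN":
            nx_times[client].append(t)
        if looks_algorithmic(registrable_label(qname)):
            dga_like[client].add(qname)
    report = {}
    for client in set(nx_times) | set(dga_like):
        burst = nxdomain_burst(nx_times[client])
        if burst >= min_burst or dga_like[client]:
            report[client] = {"nxdomain_burst": burst,
                              "dga_like": sorted(dga_like[client])}
    return report


if __name__ == "__main__":
    for client, info in sorted(hunt(SAMPLE_LOG).items()):
        print(client, info)
```

On the sample, only 10.0.0.9 is reported: five NXDOMAIN answers in a few seconds plus six high-entropy names, one of which resolved. The single typo lookup from 10.0.0.7 stays below the burst threshold and its label is too short to score. Lexical scoring alone misfires on content-hash labels used by CDNs and on tracking domains, so in practice the two signals are combined and compared against each client's normal NXDOMAIN rate rather than a fixed threshold.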
dc.description.provenance [en]: Made available in DSpace on 2021-06-17T05:01:01Z (GMT). No. of bitstreams: 1. ntu-107-D95921037-1.pdf: 6406798 bytes, checksum: 8f80b1ca551aa7c13b67d30c9e366765 (MD5). Previous issue date: 2018.
dc.description.tableofcontents:
Acknowledgements .......................................... 1
Chinese Abstract .......................................... i
Abstract .................................................. ii
1 Introduction ............................................ 1
1.1 Problem Statement ..................................... 4
1.2 Related Work .......................................... 7
1.3 Proactive Detection ................................... 10
1.4 Proactive Threat Hunting .............................. 11
2 Case Study of a Malicious Campaign ...................... 13
2.1 Activities over time .................................. 15
2.1.1 2011 and early 2012 ................................. 17
2.1.2 Mid 2012 until Mid 2014 ............................. 23
2.2 Attacks on Advertisement Networks ..................... 23
2.3 Evolution of the Criminal Campaign .................... 34
2.3.1 Content-serving techniques .......................... 34
2.3.2 Intermediate victims ................................ 37
2.3.3 Exploit distribution patterns ....................... 43
2.3.4 Change of URL patterns and Tactics .................. 46
2.3.5 Introducing Flash payload ........................... 50
2.4 Takedown and Group Arrests ............................ 58
3 Traffic Analysis ........................................ 60
3.1 Case Study of Traffic Injection ....................... 63
3.1.1 History of events ................................... 65
3.1.2 Tracing down the attack points ...................... 78
3.1.3 Mitigation of TCP spoofing attacks .................. 89
3.2 Passive Monitoring of DNS ............................. 92
3.3 Malicious use of DNS .................................. 92
3.4 Detection of DGA use in DNS ........................... 94
3.4.1 Generic protocol anomaly detection .................. 94
3.5 Evaluation of DGA detection algorithm ................. 101
3.5.1 Experimental data ................................... 102
3.6 Conclusions on DGA Detection .......................... 104
4 Proactive Scanning ...................................... 108
4.1 Developing Network Scanning and Fingerprinting Tool ... 110
4.2 Scanning and Active OS fingerprinting ................. 111
4.3 Architecture of the Active Network Scanning and Discovery Tool ... 114
4.4 Port Scanning Techniques .............................. 116
4.5 Scanning Tool Evaluation .............................. 121
5 Automatic Risk Evaluation Platform ...................... 124
5.1 Programming Model and Data Flow ....................... 127
5.2 Exploits and Vulnerabilities .......................... 129
5.3 Cross-Mapping Results ................................. 129
5.4 Potential for Sandbox Technologies .................... 134
5.5 Experimental Results .................................. 135
6 Conclusion .............................................. 138
References ................................................ 140
Appendices ................................................ 151
A.1 Observed Indicators of Compromise in Lurk ............. 151
A.2 Exploit Kit Statistics ................................ 167
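Chapters 4 and 5 of the outline (scanning and active OS fingerprinting, exploits and vulnerabilities, cross-mapping results) and the abstract's closing sentence describe fingerprinted scan results being cross-mapped against known vulnerabilities and exploits to measure exposure, without giving the mapping on this page. The following Python is an added example of such a cross-mapping, not the platform described in the dissertation: the scan records, product names, catalogue entries (VULN-0001 and so on), banner pattern and weighting rule are all constructed for the illustration and describe no real host, product or advisory.

```python
"""Cross-map fingerprinted services against a vulnerability catalogue and
aggregate an exposure score per host and for the whole scanned network.
Added example: the scan records, product names and catalogue entries are
constructed placeholders, not the dissertation's data or real advisories."""
import re
from collections import defaultdict

# Constructed scan output (host, port, banner) in the shape a banner-grabbing
# scanner would emit. No real host or product is described here.
SCAN_RESULTS = [
    ("192.0.2.10", 22, "SSH-2.0-AcmeSSH_4.1"),
    ("192.0.2.10", 80, "Server: AcmeHTTPd/2.0.3"),
    ("192.0.2.11", 80, "Server: AcmeHTTPd/2.2.0"),
    ("192.0.2.12", 3389, "AcmeRDP 1.0"),
    ("192.0.2.13", 25, "220 mail ESMTP"),
]

# Constructed catalogue; the affected version range is inclusive on both ends.
CATALOGUE = [
    {"id": "VULN-0001", "product": "acmehttpd", "lo": (2, 0, 0), "hi": (2, 1, 9),
     "severity": 9.8, "exploit_public": True},
    {"id": "VULN-0002", "product": "acmessh", "lo": (4, 0, 0), "hi": (4, 1, 0),
     "severity": 7.5, "exploit_public": False},
    {"id": "VULN-0003", "product": "acmerdp", "lo": (1, 0, 0), "hi": (1, 0, 0),
     "severity": 8.8, "exploit_public": True},
]

# Assumed banner shape: "<Product><_ or / or space>[v]<dotted version>".
BANNER_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*)[_/ ]v?(\d+(?:\.\d+)*)")


def parse_version(text, width=3):
    """'2.0.3' -> (2, 0, 3); shorter strings are zero-padded so tuples compare."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0,) * width)[:width]


def parse_banner(banner):
    """Return (product, version tuple) or None when the banner names no product."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1).lower(), parse_version(m.group(2))


def match_vulns(product, version, catalogue=CATALOGUE):
    """Catalogue entries whose product and inclusive version range cover the service."""
    return [v for v in catalogue
            if v["product"] == product and v["lo"] <= version <= v["hi"]]


def exposure_weight(vuln):
    """Weighting is an assumption: a public exploit doubles the severity's weight,
    reflecting that the scan measures exposure, not just the presence of a flaw."""
    return vuln["severity"] * (2.0 if vuln["exploit_public"] else 1.0)


def assess(scan_results, catalogue=CATALOGUE):
    """Per-host findings: matched vulnerability ids, an exposure score, and the
    ports whose service could not be identified (unknown, which is not 'safe')."""
    hosts = defaultdict(lambda: {"findings": [], "score": 0.0, "unidentified": []})
    for host, port, banner in scan_results:
        entry = hosts[host]  # create the host even when nothing matches
        parsed = parse_banner(banner)
        if parsed is None:
            entry["unidentified"].append(port)
            continue
        product, version = parsed
        for v in match_vulns(product, version, catalogue):
            entry["findings"].append((port, v["id"]))
            entry["score"] += exposure_weight(v)
    return dict(hosts)


def network_summary(assessment):
    """Rank hosts by score and total the network's exposure."""
    ranked = sorted(assessment.items(), key=lambda kv: kv[1]["score"], reverse=True)
    return {"total_score": sum(h["score"] for h in assessment.values()),
            "ranked_hosts": [host for host, _ in ranked],
            "hosts_with_unidentified_services": sorted(
                host for host, h in assessment.items() if h["unidentified"])}


if __name__ == "__main__":
    result = assess(SCAN_RESULTS)
    for host in network_summary(result)["ranked_hosts"]:
        print(host, result[host])
    print(network_summary(result))
```

Two design points matter more than the arithmetic. Unidentified services are reported separately rather than scored zero, because a banner the fingerprinter cannot parse is a gap in coverage, not evidence of safety. And the version comparison is done on padded integer tuples so that "4.1" and "4.1.0" fall on the same side of a range boundary; string comparison would misorder "4.10" against "4.2".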
dc.language.iso: en
dc.title: 通過風險評估和流量分析來檢測網絡暴露 [zh_TW]
dc.title: Detecting Network Exposures through Risk Evaluation and Traffic Analysis [en]
dc.type: Thesis
dc.date.schoolyear: 106-2
dc.description.degree: 博士 (Doctoral)
dc.contributor.oralexamcommittee: 顏嗣鈞 (Hsu-chun Yen), 雷欽隆 (Chin-Laung Lei), 黃彥男 (Yen-Nun Huang), 陳俊良 (Jiann-Liang Chen), 鍾偉和 (Wei-Ho Chung)
dc.subject.keyword: 網域名稱生成演算法, 風險評估, 網路暴露, 入侵檢測, 惡意軟件, 流量分析 [zh_TW] (domain generation algorithm, risk assessment, network exposure, intrusion detection, malware, traffic analysis)
dc.subject.keyword: DGA, Risk Assessment, Network Exposures, Intrusion Detection, Malware, Traffic Analysis [en]
dc.relation.page: 170
dc.identifier.doi: 10.6342/NTU201801758
dc.rights.note: 有償授權 (licensed for a fee)
dc.date.accepted: 2018-07-25
dc.contributor.author-college: 電機資訊學院 (College of Electrical Engineering and Computer Science) [zh_TW]
dc.contributor.author-dept: 電機工程學研究所 (Graduate Institute of Electrical Engineering) [zh_TW]
Appears in collections: 電機工程學系 (Department of Electrical Engineering)

Files in this item:
ntu-107-1.pdf, 6.26 MB, Adobe PDF (currently not authorized for public access)