Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/88839
Full metadata record
DC Field | Value | Language
dc.contributor.advisor | 雷欽隆 | zh_TW
dc.contributor.advisor | Chin-Laung Lei | en
dc.contributor.author | 王棠葳 | zh_TW
dc.contributor.author | Tang-Wei Wang | en
dc.date.accessioned | 2023-08-15T17:59:58Z | -
dc.date.available | 2023-11-09 | -
dc.date.copyright | 2023-08-15 | -
dc.date.issued | 2023 | -
dc.date.submitted | 2023-08-08 | -
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/88839 | -
dc.description.abstract | With the rapid growth in the number of Internet of Things (IoT) devices, they have become targets of network attacks, such as the botnets "Mirai" and "Gafgyt". These attacks usually exploit vulnerabilities in IoT devices and spread via SSH or Telnet, protocols commonly used by many devices such as routers and IP cameras. To defend against such attacks, the honeypot has proven to be a useful tool. By simulating an attackable platform, machine, or service, it acts as a decoy to lure attackers. A honeypot not only misleads attackers and diverts their attention from real targets, but also enables defenders to analyze the strategies and techniques attackers use in greater depth. In this experiment, we simultaneously deployed four SSH/Telnet honeypots with different configurations, allowing us to gain a deeper understanding of attacker behavior. As a result, we identified at least 54 distinct types of attacks in the experiment and selected 14 of them, based on their frequency of appearance, for deeper analysis. We point out some useful features and compile a simple guideline to help people defend against current botnet threats. | zh_TW
dc.description.abstract | With the rapid increase in the number of IoT devices, they have become targets for cyber attacks, such as the botnets "Mirai" and "Gafgyt." These attacks often exploit vulnerabilities in IoT devices, particularly through SSH or telnet connections commonly used by devices like routers and IP cameras. To defend against such attacks, a honeypot proves to be a valuable tool. It operates by simulating a vulnerable platform, machine, or service, serving as a decoy to lure attackers. Not only does the honeypot mislead attackers by diverting their attention from the real target, but it also enables defenders to analyze the strategies and techniques employed by the attackers in greater depth. In our case, we deployed four SSH/telnet honeypots with different configurations simultaneously, allowing us to gain deeper insights into the behavior of attackers. As a result, we identified at least 54 distinct types of attacks that occurred during our experiment and picked 14 of them based on appearance frequency to perform deeper analysis. We pointed out some useful features and arranged a simple guideline to help people defend against the current botnet threats. | en
dc.description.provenance | Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2023-08-15T17:59:58Z. No. of bitstreams: 0 | en
dc.description.provenance | Made available in DSpace on 2023-08-15T17:59:58Z (GMT). No. of bitstreams: 0 | en
dc.description.tableofcontents | Abstract (Chinese); Abstract; Contents; List of Figures; List of Tables; Chapter 1 Introduction; Chapter 2 Related work; Chapter 3 Background; 3.1 SSH and Telnet protocol; 3.2 Cowrie; Chapter 4 Methodology; 4.1 Reconnaissance; 4.2 Configuration; 4.3 Networking; Chapter 5 Analysis; 5.1 Overview of captured data; 5.2 Classification based on command sequence; 5.3 SSH identification string; 5.4 Parallel intrusion; 5.5 Password length; 5.6 Cooperative intrusion; 5.7 Single source intrusion and download; 5.8 Summary; 5.9 Comparison with other works; 5.10 Guideline; Chapter 6 Conclusion and Future Work; References | -
dc.language.iso | en | -
dc.subject | Honeypot | zh_TW
dc.subject | Cowrie | zh_TW
dc.subject | Botnet | zh_TW
dc.subject | Internet of Things | zh_TW
dc.subject | Telnet | zh_TW
dc.subject | SSH | zh_TW
dc.subject | Anti-honeypot | zh_TW
dc.subject | Anti-honeypot | en
dc.subject | SSH | en
dc.subject | Botnet | en
dc.subject | Cowrie | en
dc.subject | Telnet | en
dc.subject | IoT | en
dc.subject | Honeypot | en
dc.title | 現代物聯網僵屍網路行為的深度分析:利用多個蜜罐進行研究 | zh_TW
dc.title | Deep Analysis of Modern IoT Botnet Behavior with Multiple Honeypots | en
dc.type | Thesis | -
dc.date.schoolyear | 111-2 | -
dc.description.degree | Master's | -
dc.contributor.oralexamcommittee | 郭斯彥;王銘宏 | zh_TW
dc.contributor.oralexamcommittee | Sy-Yen Kuo;Ming-Hung Wang | en
dc.subject.keyword | Honeypot, Anti-honeypot, SSH, Telnet, Internet of Things, Botnet, Cowrie | zh_TW
dc.subject.keyword | Honeypot, Anti-honeypot, SSH, Telnet, IoT, Botnet, Cowrie | en
dc.relation.page | 41 | -
dc.identifier.doi | 10.6342/NTU202303073 | -
dc.rights.note | Authorization granted (open to the public worldwide) | -
dc.date.accepted | 2023-08-09 | -
dc.contributor.author-college | College of Electrical Engineering and Computer Science | -
dc.contributor.author-dept | Department of Electrical Engineering | -
Appears in Collections: Department of Electrical Engineering

Files in This Item:
File | Size | Format
ntu-111-2.pdf | 638.5 kB | Adobe PDF


Items in the system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.
