Responsive image
博碩士論文 etd-0713113-145205 詳細資訊
Title page for etd-0713113-145205
論文名稱
Title
使用隱藏馬可夫模型偵測持續性滲透攻擊之研究
Persistent Threat Detection Using Hidden Markov Model
系所名稱
Department
畢業學年期
Year, semester
語文別
Language
學位類別
Degree
頁數
Number of pages
81
研究生
Author
指導教授
Advisor
召集委員
Convenor
口試委員
Advisory Committee
口試日期
Date of Exam
2013-07-24
繳交日期
Date of Submission
2013-08-13
關鍵字
Keywords
社交工程、BotHunter、進階持續性滲透攻擊、隱藏馬可夫模型、入侵偵測系統
Intrusion Detection System, Social Engineering, Hidden Markov Model, Advanced Persistent Threat, BotHunter
統計
Statistics
本論文已被瀏覽 5828 次,被下載 0
The thesis/dissertation has been browsed 5828 times, has been downloaded 0 times.
中文摘要
這幾年來,駭客攻擊的型態逐漸轉變成階段性的攻擊行為,因此,一種名為進階持續性滲透攻擊的攻擊策略開始出現。攻擊者大多為具有高度知識與資源的駭客組織,其攻擊目標通常具有針對性,大多是選擇政府和企業中重要的單位,攻擊的手法與媒介呈現多元化且會根據目標進行客製化。有時會伴隨著零時差漏洞攻擊,時間長達幾個月甚至幾年,主要目的在於竊取所需要的特定機密資訊,像是國家安全或是商業上的機密資訊等。
本研究為了進行進階持續性滲透攻擊的偵測,提出以隱藏馬可夫模型為基礎的偵測模型,透過狀態與觀察值的給定來進行狀態轉移,藉此找出是否有目標正遭受到攻擊。本研究根據學者與觀察真實世界中的案例綜合歸納出進階持續性滲透攻擊階段,分別為情報蒐集、滲透、命令與控制伺服器連結和資料竊取,接著根據這些攻擊階段進行隱藏馬可夫模型的偵測。
本研究透過真實企業組織中兩種不同入侵偵測系統的警訊紀錄收集相關資料,由於進階持續性滲透攻擊在進行滲透階段時,大多採用寄發社交工程信件的方式進行滲透,因此,本研究利用收集電子郵件的記錄讓偵測系統更符合進階持續性滲透攻擊的偵測。
透過本研究所提出的偵測方法,能夠補強傳統入侵偵測系統無法成功偵測到的進階持續性滲透攻擊,並且提供目前可能遭受到進階持續性滲透攻擊的可疑IP給資訊安全管理人員,讓他們能夠對這些可疑的IP進行數位安全鑑識,降低企業資料被竊取的機率。
最後本研究透過與BotHunter偵測系統進行比較,藉由這種比較方式來評估本研究系統在隱藏馬可夫模型狀態中命令與控制伺服器連結與攻擊重要伺服器這兩個狀態上的準確性。
Abstract
In recent years the types of attack has apparently moved from single attack behavior to more phased attack behavior, new attack type called Advanced Persistent Threat (APT) has increasingly been the object of study. Most hackers possess high knowledge and rich resource about attacked target such as important department of government or companies, and the major object is steal sensitive information. Such attack type usually accompanies Social Engineering or zero-day exploits attacks, and the intrude period may arrive several years.
In order to detect APT, this paper proposed a conceptual framework for observing the steps of APT and through these steps constructed a HMM-based (Hidden Markov Model) detection model. This paper collected e-mail records from Intrusion Detection System (IDS) to enhance the accuracy of detection. The experimental results show that the proposed model could recognize APT and provide the suspicious IP to administrator to enable them to carry out the digital security forensics and reduce the chances of data theft. This paper also compares with BotHunter to valuate accuracy of the proposed model.
目次 Table of Contents
論文審定書 ii
誌謝 iii
摘要 iv
Abstract v
第一章 緒論 1
第一節 研究背景 1
第二節 研究動機 7
第三節 研究目的 11
第二章 文獻探討 12
第一節 進階持續性滲透攻擊 12
第二節 殭屍網路偵測 17
第三節 入侵偵測系統(Intrusion Detection System) 20
第四節 隱藏馬可夫模型(Hidden Markov Model) 22
第三章 研究方法 26
第一節 進階持續性滲透攻擊階段 27
第二節 系統架構 31
第三節 隱藏馬可夫偵測模型 35
第四章 系統評估 39
第一節 模擬實驗 41
第二節 門檻值驗證 50
第三節 系統驗證 59
第四節 與BotHunter之比較 64
第五章 結論與未來展望 68
參考文獻 70
參考文獻 References
[1] D. Alperovitch, McAfee, “Revealed: Operation Shady RAT”, Available at: http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf, 2011.
[2] Symantec,” Symantec Intelligence Report: November 2011”, Available at: http://www.symanteccloud.com/mlireport/SYMCINT_2011_11_November_FINAL-en.pdf, 2011.
[3] Kaspersky,” The NeTTraveler”, Available at: http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf, 2011.
[4] K. Sood and R. J. Enbody, “Targeted Cyber Attacks: A Superset of Advanced Persistent Threats”, Published in Security & Privacy, IEEE, Volume: 11, 2012.
[5] “對抗APT進階持續性滲透攻擊”,Available at: http://www.trendmicro.tw/tw/enterprise/challenges/advance-targeted-attacks/#understand-the-apt-lifecycle.
[6] H. R. Zeidanloo and A. A. Manaf, "Botnet Command and Control Mechanisms”, Published in Computer and Electrical Engineering, ICCEE '09, Volume: 1, 2009.
[7] J. Goebel and T. Holz,”Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation”, Published in HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, 2007.
[8] W. Wang, B. Fang, Z. Zhang and C. Li, “A Novel Approach to Detect IRC-Based Botnets”, Published in Networks Security, Wireless Communications and Trusted Computing, NSWCTC '09, 2009.

[9] J.-S. Lee, H. Jeong, J.-H. Park, M. Kim and B.-N Noh, “The Activity Analysis of Malicious HTTP-based Botnets using Degree of Periodic Repeatability”, Published in Security Technology, SECTECH '08, 2008.
[10] R. F. Munir, N. A., A. Razzaq, A. Hur and F. Ahmad, “Detect HTTP Specification Attacks using Ontology”, Published in Frontiers of Information Technology (FIT), 2011.
[11] R. Ross, “Managing Information Security Risk: Organization, Mission, and Information System View”, Published in NIST Special Publication 800-39, 2011.
[12] MANDIANT, “Read M-Trends™ 2010: The Advanced Persistent Threat”, 2010.
[13] J. Andress,”Advanced Persistent Threat: Attacker Sophistication Continues to Grow? “, Published in Information Systems Security Association (ISSA) Journal, 2011.
[14] D. Zhaoa, I. Traore, B. Sayeda, W. Lub, S. Saada, A. Ghorbanic and D. Garantb,”Botnet detection based on traffic behavior analysis and flow intervals”, Published in Computers & Security, 2013.
[15] ISOT Research Lab, “ISOT Botnet Dataset”, Available at: http://www.uvic.ca/engineering/ece/isot/datasets/index.php, 2010.
[16] G. Gu, P. Porras, V. Yegneswaran, M. Fong and W. Lee,”BotHunter: Detecting Malware Infection through IDS-Driven Dialog Correlation”, In Proceedings of the 16th USENIX Security Symposium Security'07, 2007.
[17] H. R. Zeidanloo, M. J. Z. Shooshtari, P. V. Amoli, M. Safari and M. Zamani, ”A taxonomy of Botnet detection techniques”, Published in Computer Science and Information Technology (ICCSIT), Volume: 2, 2010.

[18] Y.-L. Ding, L. Li and H.-Q. Luo,”A novel signature searching for Intrusion Detection System using data mining”, Published in Machine Learning and Cybernetics, Volume: 1, 2009.
[19] A Websense White Paper, “Advanced Persistent Threats and Other Advanced Attacks: Threat Analysis and Defense Strategies for SMB, Mid-size, and Enterprise Organizations”, Available at: https://www.websense.com/assets/white-papers/whitepaper-websense-advanced-persistent-threats-and-other-advanced-attacks-en.pdf, 2011.
[20] Z. Anming and J. Chunfu,”Study on the Applications of Hidden Markov Models to Computer Intrusion Detection”, Published in World Congress Intelligent Control and Automation, WCICA 2004, 2004.
[21] L. R. Rabiner and B. H. Juang,”An introduction to Hidden Markov Models”, Published in ASSP Magazine, IEEE, 1986.
[22] P. Wang, L. Shi, B. Wang, Y. Liu and Y. Wu,” A method for HMM-based system calls intrusion detection based on hybrid training algorithm”, Published in Information and Automation (ICIA), 2011.
[23] A. H. Tai, W.-K. Ching and L.Y. Chan, “Detection of machine failure: Hidden Markov Model approach”, Published in Computers and Industrial Engineering, Volume: 57, 2009.
[24] S. Zhicai and X. Yongxiang, “A Novel Hidden Markov Model for Detecting Complicate Network Attacks”, Published in Wireless Communications, Networking and Information Security (WCNIS), 2010.
[25] X. D. Hoang, J. Hu and P. Bertok, “A program-based anomaly intrusion detection scheme using multiple detection engines and fuzzy inference”, Published in Journal of Network and Computer Applications, Volume: 32, 2009.

[26] RSA FraudAction Research labs, “Anatomy of an Attack”, Available at: http://blogs.rsa.com/rivner/anatomy-of-an-attack/, 2011.
[27] 臺灣學術網路危機處理中心團隊, “個案分析-C 大學的 C&C 分析報告”, Available at: http://cert.tanet.edu.tw/pdf/Case_Study-C&C.pdf, 2012.
[28] 臺灣學術網路危機處理中心團隊, “個案分析-C&C 分析報告”, Available at: http://cert.tanet.edu.tw/pdf/case-CC.pdf, 2013.
電子全文 Fulltext
本電子全文僅授權使用者為學術研究之目的,進行個人非營利性質之檢索、閱讀、列印。請遵守中華民國著作權法之相關規定,切勿任意重製、散佈、改作、轉貼、播送,以免觸法。
論文使用權限 Thesis access permission:自定論文開放時間 user define
開放時間 Available:
校內 Campus:永不公開 not available
校外 Off-campus:永不公開 not available

您的 IP(校外) 位址是 35.174.62.162
論文開放下載的時間是 校外不公開

Your IP address is 35.174.62.162
This thesis will be available to you on Indicate off-campus access is not available.

紙本論文 Printed copies
紙本論文的公開資訊在102學年度以後相對較為完整。如果需要查詢101學年度以前的紙本論文公開資訊,請聯繫圖資處紙本論文服務櫃台。如有不便之處敬請見諒。
開放時間 available 永不公開 not available

QR Code