Thesis/dissertation etd-0719115-145411: record details
Title page for etd-0719115-145411
Title: Botnet Detection Based on HTTP Header Anomaly (Chinese title: 異常HTTP標頭為基礎之殭屍網路偵測)
Department:
Year, semester:
Language:
Degree:
Number of pages: 58
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2015-08-04
Date of Submission: 2015-08-25
Keywords (Chinese): DBScan, ant colony algorithm, HTTP botnet, connection behavior analysis, HTTP header
Keywords (English): Ant Colony Optimization, Behavior of botnets, HTTP Header, HTTP Botnet, DBScan
Statistics: the thesis has been browsed 5909 times and downloaded 73 times.
Abstract (Chinese)
Botnets use virus-infected zombie computers as puppets. Once enough puppets have been gathered, the attacker can direct this zombie army at will through a command-and-control (C&C) server. Modern botnets prefer P2P services or HTTP traffic on port 80 for data transfer, and both the number of HTTP-based botnet connections and the techniques behind them keep evolving.
To identify connections between HTTP bots and their command-and-control servers, this study analyzes the behavioral pattern of botnet connections together with the characteristics of the data they transmit, and uses both to detect the connections between bots and their C&C servers. The system analyzes the behavior of traffic passing through port 80 and performs signature matching on its HTTP headers and transmitted content.
The study first uses the DBScan algorithm to classify botnet connection behavior into four patterns, which determine whether a connection is regular; an ant colony algorithm then decides whether the connection is anomalous; finally, the connection's HTTP header is checked for anomalies. Because only the connection timing, packet sizes and HTTP header data need to be extracted from the traffic, and existing signatures and regular expressions are used for fast detection, the amount of content to analyze is reduced and analysis speed is increased. By combining traffic behavior analysis with signature analysis, the study achieves a higher detection rate and a lower false-positive rate than either behavior-based or signature-based detection alone.
Abstract
Nowadays, botnets use viruses to infect computers all around the world and turn them into bots. By controlling a large number of bots, attackers can do whatever they want. Most botnets receive and send messages through HTTP or P2P channels. Whichever kind of botnet they are, the technology and number of botnets have kept rising in recent years.
In this paper, our target is to find connections between bots and C&C servers in HTTP. We analyze the behavior and signatures of the traffic that one computer sends to one server through HTTP, and detect the malicious connections.
In the study, we analyze the traffic in the following steps. First, we use DBSCAN to analyze the behavior of the traffic and distribute connections into four classes. Next, we use Ant Colony Optimization to decide whether a connection is suspicious or not. Last, we analyze the HTTP header signatures in the traffic. In this way, we can detect botnets with less information and at a faster speed, and obtain a higher detection rate by analyzing behavior and signatures at the same time.
Table of Contents
Thesis approval form i
Chinese abstract ii
English abstract iii
Chapter 1 Introduction 1
Section 1 Research background 1
Section 2 Problem statement 2
Chapter 2 Background and related work 4
Section 1 Botnets 4
Section 2 HTTP traffic 6
Section 3 Botnet detection 11
Chapter 3 System design 20
Chapter 4 System evaluation 35
Section 1 Experiment 1: default parameters 36
Section 2 Experiment 2: analyzing samples with default parameters 39
Section 3 Experiment 3: analyzing samples with modified parameters 41
Section 4 Experiment 4: real-time traffic analysis 42
Section 5 Experiment 5: traffic exploration time window 43
Chapter 5 Conclusion 46
References 47
Fulltext
This electronic full text is licensed to users only for personal, non-profit searching, reading and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it, so as to avoid infringement.
Thesis access permission: user-defined release time
Available:
Campus: available
Off-campus: available


Printed copies
Public-access information for printed copies is relatively complete from academic year 102 (ROC calendar) onward. To look up the public-access status of printed theses from academic year 101 or earlier, please contact the printed thesis service desk of the Library and Information Services Office. We apologize for any inconvenience.
Available: available