Title page for thesis etd-0712113-213905
Title: Automatically Generating Payload-based Models for Botnet Detection (自動生成酬載模型之殭屍網路偵測)
Department:
Year, semester:
Language:
Degree:
Number of pages: 60
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2013-07-12
Date of Submission: 2013-08-12
Keywords: Clustering, Command and Control, Payload, Network security, Botnet detection
Statistics: The thesis has been browsed 5745 times and downloaded 529 times.
Chinese abstract (translated)
With the development of information technology, network attack techniques have gradually evolved into many forms of attack. In recent years, botnets have become the most threatening cybercrime tool. In this thesis, we propose a method that automatically generates payload models directly from the content of packet payloads, rather than the traditional hand-tuned signature models. We first group previously collected botnet packets and benign packets by payload size, then extract features from the payloads within each group to generate payload models, and then use the information gain ratio and probability to select the features with the highest decision power from the models. Finally, these payload models are used to inspect each packet under test and decide whether it exhibits potential botnet behaviour. Because the proposed method analyses individual packets, it can identify botnet behaviour very efficiently. We collected real botnet traffic and normal traffic to evaluate the method. Experimental results show that the proposed method achieves an average accuracy of 96.4% in identifying botnet behaviour, with only a 0.9% average false-positive rate on normal network behaviour.
Abstract
In recent years, botnets have become a popular technique for carrying out cybercrime because they are hard to prevent and can easily cause devastating losses. Therefore, in this thesis we propose a novel approach that automatically generates effective payload-based models purely from the traffic of actual bot instances instead of signatures hand-tuned by human experts. In the learning phase, we group the packets of previously collected botnet traffic and benign traffic according to their payload size and extract the signatures in the payload in order to generate the payload-based models. We then identify the high-quality signatures, using the information gain ratio and the probability, to reduce the size of the models. During the matching phase, the proposed approach uses these payload-based models to check each incoming packet. Moreover, these models can efficiently discriminate malicious botnet traffic from benign traffic, since the approach does not perform any correlation between different packets. The proposed approach was evaluated with several real-world network traces. Experimental results demonstrate that the proposed approach detects botnet traffic successfully (about 96.4%) with high efficiency and an acceptably low false alarm rate (about 0.9%).
Table of Contents
1. INTRODUCTION 1
2. BACKGROUND AND RELATED WORK 9
2.1 N-gram Analysis 9
2.2 Related Work 10
2.2.1 Signature-based Botnet Detection 10
2.2.2 Network-based Botnet Detection 11
3. THE PROPOSED APPROACH 15
3.1 Learning Phase 16
3.1.1 Packet Grouping 16
3.1.2 Payload Model Generation 17
3.1.3 Model Reduction 19
3.2 Matching Phase 22
4. EXPERIMENTAL EVALUATION 24
4.1 Metrics 24
4.2 Datasets 25
4.3 Quantitative Evaluation 30
4.3.1 Parameter Selection with the Taguchi Method 30
4.3.2 Experiment on the Information Gain Ratio 34
4.3.3 Comparison of the Different Approaches 36
4.3.4 Experiment on Mixed Payload-based Models 38
5. CONCLUSIONS 47
REFERENCES 49
Fulltext
This electronic full text is licensed to users solely for personal, non-profit retrieval, reading and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it, so as not to infringe the law.
Thesis access permission: user-defined release time
Available:
Campus: available
Off-campus: available

Printed copies
Public-access information for printed theses is relatively complete from academic year 102 onward. To look up public-access information for printed theses from academic year 101 or earlier, please contact the printed-thesis service desk of the Office of Library and Information Services. We apologise for any inconvenience.
Available: available