Thesis record etd-0723113-211137 (title page and details)
Title: 基於 DNS 時間頻率分析之APT 攻擊偵測機制
Title (English): APT Attack Detection Based on DNS Time Frequency Analysis
Department:
Academic year, semester:
Language:
Degree:
Number of pages: 84
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2013-07-18
Date of Submission: 2013-08-26
Keywords: Malware, APT Attack, Traffic Analysis
Statistics: This thesis has been browsed 5733 times and downloaded 70 times.
Chinese Abstract (translated)
Malware infection is one of the most serious threats in information security, and the analysis and detection of malware is an issue that researchers, government agencies and enterprises all take seriously. In recent years the most serious of these threats has been the well-known APT (Advanced Persistent Threat) attack; many prominent enterprises have been targets of this attack technique. APT refers to a targeted attack: it locks onto a specific target within an enterprise or organization and uses a backdoor program designed for that target. The attack delivers a crafted exploit by e-mail; if the victim's particular application contains the corresponding weakness, the exploit is triggered and a specially designed backdoor is implanted. Because this backdoor is malware written for one particular victim, no anti-virus product has a signature with which to detect it. Once a host has been infected by the APT malware, the attacker can use the compromised hosts to carry out malicious actions, the most important of which is stealing the sensitive information stored on the user's computer. Before these infected machines can receive commands, however, they must first obtain the IP address of the command and control server, so DNS traffic carries a great deal of information about malware and its behavior patterns. We therefore use certain time-related features of malware activity to analyze whether a host is infected. The proposed method can not only detect APT attacks but also effectively detect other present-day malware.
Abstract
Recently, malware infection has become one of the most serious threats against information security. Analysis and detection of malware are regarded as an important issue by researchers, government units, and enterprises. In recent years, the APT (Advanced Persistent Threat) attack has become notorious, and many well-known enterprises and organizations have been its victims. APT adopts a targeted attack model that focuses on a specific target within an organization. Attackers design exclusive malware to invade the specific target through e-mails carrying embedded software exploits. Once the targeted application contains a weakness, the exploit is triggered and automatically installs carefully customized malware. Because the malware is programmed for a specific victim, no anti-virus software has a corresponding signature with which to detect it. Once a host is compromised by the malware, the attacker can use the infected host to conduct malicious activities, the primary intention being to steal the confidential information on some (key) user's computer. Before the compromised hosts receive any commands, they must obtain the IP address of the C&C (Command and Control) server, and therefore much of the behavior and information of APT malware is visible in DNS traffic. Considering this situation, we attempt to utilize time features of the malware's activity to analyze whether hosts have been infected by malware or backdoor programs. The method we design can not only detect the APT malware, but also recognize its variants efficiently.
Table of Contents
Thesis Approval Sheet i
Acknowledgements iii
Chinese Abstract iv
English Abstract v
1 Introduction 1
1.1 Procedures of APT Attacks 1
1.2 The Difficulty of Finding an APT Attack 4
1.3 Organization 6
2 Related Works 7
2.1 Botnet and Fast-Flux 7
2.2 Related Research 12
3 Time Frequency-Based APT Detection Scheme 17
3.1 System Architecture 18
3.2 DNS Query Time Record Aggregator 20
3.3 Domain Pre-Filtering 21
3.4 Frequency-Based Domain Analysis 22
3.4.1 Frequency Entropy Tester 28
3.4.2 ANOVA CRD Frequency Tester 33
4 Evaluation Result and Analysis 41
4.1 Data Set Collection 41
4.2 Evaluation Metric 43
4.3 Experiment Result 49
4.4 Parameter Setting 56
4.4.1 Entropy Threshold Parameter 57
4.4.2 ANOVA Parameter 58
4.5 Evasion Technique 61
5 Conclusions and Future Works 67
5.1 Conclusions 67
5.2 Future Works 68
Bibliography 70
Fulltext
This electronic fulltext is licensed to users only for personal, non-commercial retrieval, reading and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China (Taiwan) and do not reproduce, distribute, adapt, repost or broadcast it without authorization, to avoid infringement.
Thesis access permission: user-defined release date
Available:
Campus: available
Off-campus: available

Printed copies
Release information for printed copies is relatively complete for academic year 102 (ROC calendar) onward. To look up release information for printed copies from academic year 101 or earlier, please contact the printed-thesis service desk of the Library and Information Services Office. We apologize for any inconvenience.
Release status: available