Thesis/Dissertation etd-0906112-214543 Details
Title page for etd-0906112-214543
Title
Detecting Botnet-based Joint Attacks by Hidden Markov Model (以隱藏馬可夫模型偵測殭屍網路聯合攻擊之研究)
Department
Year, semester
Language
Degree
Number of pages
61
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2012-07-26
Date of Submission
2012-09-06
Keywords
Hidden Markov Model, Botnet, Intrusion Detection System
Statistics
The thesis has been viewed 5798 times and downloaded 650 times.
Abstract (Chinese, translated)
The contest between malicious attacks and detection and defense in network security has gone on for many years. In recent years, with advances in information technology, many malicious network attacks have evolved from a single attack source into automated, intelligent, multi-point joint attack patterns, most of them launched by botnets. This study identifies an attack method that differs from the earlier pattern of attacks originating from a single host: the attack is carried out jointly with other machines inside the botnet in order to evade existing detection models. For this scout-and-intruder joint attack, we define the hidden state sequence from the attack steps together with the probabilities of the corresponding features, build and tune the model with a hidden Markov chain, and use it to detect botnet attacks, strengthening the ability to defend against them.
Abstract (English)
We present a new detection model that monitors the network perimeter and host logs to counter a new attack method in which different source hosts take part in a single attack sequence. We call this attack sequence "Scout and Intruder"; it involves two separate hosts. The scout scans and evaluates the target area to find possible victims and their vulnerabilities, and the intruder then launches a precision strike whose login activity looks the same as that of authorized users. By splitting the attack between a scout and an intruder, the attacker can access the system without being detected by network or host intrusion detection systems. To detect the Scout and Intruder attack, we correlate NetFlow connection records, system logs and network packet captures; by identifying the states of the attack and their corresponding features, we build the detection model with a hidden Markov chain. With this model we can identify a potential Scout and Intruder attack in its initial state, which gives the network or system administrator more time to respond and stop the attack.
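The abstract describes the pipeline only in outline: correlate NetFlow, system logs and packet data into per-window features, treat the attack phases as hidden states, and decode with a hidden Markov model. The following is an added example of that shape, not code from the thesis. The three states (Normal, Scout, Intruder), the three observation symbols, the fan-out threshold, the sample hosts and every probability in the tables are assumptions chosen for illustration; the thesis's own states, features and estimated parameters are not reproduced here. The example goes slightly beyond the abstract by also decoding a sequence in which the new-host login occurs without a preceding scan, to show why correlating the two hosts matters.

```python
"""Toy hidden Markov model for the two-host "Scout and Intruder" pattern.

Added example: the three hidden states, the three observation symbols and
every probability below are illustrative assumptions, not the states,
features or estimated parameters of the thesis.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field

STATES = ["Normal", "Scout", "Intruder"]

# Observation symbol per time window, derived from correlated evidence:
#   "quiet"     ordinary traffic, logins only from already-known hosts
#   "scan"      one source touches many (destination, port) pairs (NetFlow fan-out)
#   "login_new" successful login from a host never seen before (auth log)
START = {"Normal": 0.90, "Scout": 0.08, "Intruder": 0.02}
TRANS = {  # row: current state, column: next state (assumed values)
    "Normal":   {"Normal": 0.90, "Scout": 0.08, "Intruder": 0.02},
    "Scout":    {"Normal": 0.30, "Scout": 0.40, "Intruder": 0.30},
    "Intruder": {"Normal": 0.50, "Scout": 0.10, "Intruder": 0.40},
}
EMIT = {  # P(observation | state) (assumed values)
    "Normal":   {"quiet": 0.90, "scan": 0.05, "login_new": 0.05},
    "Scout":    {"quiet": 0.20, "scan": 0.75, "login_new": 0.05},
    "Intruder": {"quiet": 0.30, "scan": 0.10, "login_new": 0.60},
}


@dataclass
class Window:
    """Evidence collected for one time window (constructed records)."""
    flows: list[tuple[str, str, int]] = field(default_factory=list)  # (src, dst, dst_port)
    logins: list[tuple[str, str]] = field(default_factory=list)      # (src, user), successful only


def featurize(window: Window, known_hosts: set[str], scan_threshold: int = 10) -> str:
    """Reduce one window of NetFlow + auth-log evidence to an observation symbol."""
    fanout: dict[str, set[tuple[str, int]]] = {}
    for src, dst, port in window.flows:
        fanout.setdefault(src, set()).add((dst, port))
    if any(len(targets) >= scan_threshold for targets in fanout.values()):
        return "scan"
    if any(src not in known_hosts for src, _user in window.logins):
        return "login_new"
    return "quiet"


def _log(p: float) -> float:
    return math.log(p) if p > 0 else float("-inf")


def viterbi(observations: list[str]) -> list[str]:
    """Most likely hidden-state path for an observation sequence (log-space Viterbi)."""
    if not observations:
        return []
    # scores[t][s]: log-probability of the best path that ends in state s at time t
    scores = [{s: _log(START[s]) + _log(EMIT[s][observations[0]]) for s in STATES}]
    back: list[dict[str, str]] = [{}]  # back[t][s]: best predecessor of s at time t
    for t in range(1, len(observations)):
        col, bp = {}, {}
        for s in STATES:
            prev, best = max(
                ((p, scores[t - 1][p] + _log(TRANS[p][s])) for p in STATES),
                key=lambda item: item[1],
            )
            col[s] = best + _log(EMIT[s][observations[t]])
            bp[s] = prev
        scores.append(col)
        back.append(bp)
    path = [max(STATES, key=lambda s: scores[-1][s])]
    for t in range(len(observations) - 1, 0, -1):
        path.append(back[t][path[-1]])
    return path[::-1]


def detect(windows: list[Window], known_hosts: set[str]) -> tuple[list[str], list[str]]:
    """Return (observation symbols, decoded state path) for a run of windows."""
    obs = [featurize(w, known_hosts) for w in windows]
    return obs, viterbi(obs)


# Constructed sample: the scout and the intruder are different hosts (TEST-NET addresses).
KNOWN_HOSTS = {"10.0.0.5", "10.0.0.7"}
SCOUT_HOST = "203.0.113.5"
INTRUDER_HOST = "198.51.100.7"
SAMPLE_WINDOWS = [
    Window(flows=[("10.0.0.5", "10.0.0.20", 443)], logins=[("10.0.0.5", "alice")]),
    Window(flows=[(SCOUT_HOST, "10.0.0.20", p) for p in range(20, 32)]),  # 12-port sweep
    Window(flows=[(INTRUDER_HOST, "10.0.0.20", 22)], logins=[(INTRUDER_HOST, "admin")]),
    Window(flows=[("10.0.0.7", "10.0.0.20", 443)]),
]

if __name__ == "__main__":
    obs, path = detect(SAMPLE_WINDOWS, KNOWN_HOSTS)
    for t, (o, s) in enumerate(zip(obs, path)):
        print(f"window {t}: observed={o:<9} state={s}")
```

With these assumed tables, the sample decodes as Normal, Scout, Intruder, Normal: the scan from one host raises the Scout state, and the transition table then makes a new-host login from a different host far more plausible as Intruder than as Normal. The same login without a preceding scan (observations quiet, quiet, login_new, quiet) decodes as all Normal, which is the cross-host correlation the abstract argues a single-host view misses. In a real deployment the transition and emission tables would be estimated from labelled windows rather than set by hand, and the fan-out threshold and window length need tuning against the site's baseline traffic.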
Table of Contents
Chapter 1 Introduction ........ 1
1.1 Research Background ........ 1
1.2 Research Motivation ........ 4
1.3 Problem Description ........ 5
1.4 Research Objectives ........ 5
Chapter 2 Literature Review ........ 7
2.1 Introduction to Botnets ........ 7
2.2 Related Work on Traditional Botnet Defense ........ 10
2.3 Joint Intrusion Patterns of Botnets ........ 15
2.4 Importance of Detection and Defense Techniques for Botnet Joint Intrusion Attacks ........ 18
2.5 Hidden Markov Models ........ 19
Chapter 3 System Design ........ 22
3.1 System Architecture ........ 22
3.2 Aggregation of Detection Variables ........ 23
3.3 Joint-Attack States and the Detection Model ........ 31
Chapter 4 Empirical Evaluation ........ 38
4.1 Interpretation of the Detection System Performance Evaluation ........ 38
4.2 System Validation ........ 40
4.3 Comparative Validation ........ 42
4.4 Field Validation ........ 45
Chapter 5 Conclusions and Future Work ........ 48
References ........ 51
Full text
This electronic full text is licensed to users only for personal, non-profit retrieval, reading and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it, to avoid infringement.
Thesis access permission: user-defined release date
Available:
Campus: available
Off-campus: available


Printed copies
Availability information for printed theses is relatively complete for academic year 102 and later. To check the availability of a printed thesis from academic year 101 or earlier, please contact the printed thesis service desk of the Library and Information Services Office. We apologize for any inconvenience.
Available: available
