Responsive image
博碩士論文 etd-0914112-080212 詳細資訊
Title page for etd-0914112-080212
論文名稱
Title
以螞蟻演算法偵測殭屍網路之命令與控制伺服器
Botnet Detection Based on Ant Colony
系所名稱
Department
畢業學年期
Year, semester
語文別
Language
學位類別
Degree
頁數
Number of pages
52
研究生
Author
指導教授
Advisor
召集委員
Convenor
口試委員
Advisory Committee
口試日期
Date of Exam
2012-07-26
繳交日期
Date of Submission
2012-09-14
關鍵字
Keywords
IP偵測、螞蟻演算法、殭屍網路
Ant algorithm, IP detection, Botnet
統計
Statistics
本論文已被瀏覽 5840 次,被下載 330
The thesis/dissertation has been browsed 5840 times, has been downloaded 330 times.
中文摘要
Botnet(殭屍網路)攻擊是現今網路不容小覷的威脅,Botmaster(殭屍電腦的主人、攻擊者)將自己撰寫的殭屍電腦病毒植入受害電腦中,讓該電腦成為受自己控制的Bot(殭屍電腦)後再利用公開的網路協定架設伺服器,在殭屍網路中此伺服器稱為命令與控制伺服器(Command and Control server,C&C),C&C扮演核心的協調控制角色,傳遞Botmaster輸入的指令、監控Bot狀態與回報Bot指令執行結果,將指令送到殭屍電腦上。Botmaster藉著C&C的協調運作進一步利用這些電腦執行複合性攻擊,像是DDoS、發佈垃圾郵件與釣魚郵件、竊取私人資訊等造成社會重大損失,若能偵測出C&C則能解除殭屍網路對社會所造成的災害。
螞蟻演算法模擬螞蟻群尋找食物的生物本能找出問題最佳解,演算法的搜尋模式為螞蟻從自己的巢穴出發並參考先前螞蟻遺留的Pheromone(費洛蒙,也稱信息素)當作自己選擇路徑的依據。若有較多數量的螞蟻行經某路徑,其所累積的費洛蒙濃度會較其他路徑多,也代表該路徑是最佳路徑的機率較高,故累積越多費洛蒙的路徑將會是最接近食物之路徑最佳解。這種演算法常常被使用在動態路由抑或是排程的研究上。本研究進一步將螞蟻演算法應用在區域網路向外偵測可疑IP的研究中,在每一台電腦佈建一個螞蟻巢穴,探索該電腦每一筆向外連線之流量資訊,再依據流量的資訊找尋可疑的IP來源,藉以提早防護資訊傳遞的安全性。
本研究殭屍網路Bot與C&C的連線具備以下三種重要之特徵:(1) 規律性連線至命令與控制伺服器;(2) 相似的回應內容;(3) 可疑抑或惡意的指令內容。螞蟻利用這三種特徵作為費洛蒙之依據,讓每台主機都可以有追尋的軌跡以鑑識傳遞訊息之安全性。本研究利用螞蟻群不斷探索在每一段時間內每一筆IP連線之內容可疑度並總結所有螞蟻群的結果來偵測出殭屍網路的命令與控制伺服器。
透過本研究的方法可以達到下列目標:(1) 偵測出命令與控制伺服器;(2) 確認區域網路中之殭屍電腦;(3) 找出被殭屍電腦攻擊的受害者以減低殭屍網路造成的損失。
Abstract
Botnet is the biggest threaten now. Botmasters inject bot code into normal computers so that computers become bots under control by the botmasters. Every bot connect to the botnet coordinator called Command and control server (C&C), the C&C delivers commands to bots, supervises the states of bots and keep bots alive. When C&C delivers commands from the botmasters to bots, bots have to do whatever botmasters want, such as DDoS attack, sending spam and steal private information from victims. If we can detect where the C&C is, we can prevent people from network attacking.
Ant Colony Optimization (ACO) studies artificial systems that take inspiration from the behavior of real ant colonies and which are used to solve discrete optimization problems. When ants walk on the path, it will leave the pheromone on the path; more pheromone will attract more ants to walk. Quick convergence and heuristic are two main characteristics of ant algorithm, are adopted in the proposed approach on finding the C&C node.
According to the features of connection between C&C and bots, ants select nodes by these features in order to detect the location of C&C and take down the botnet.
目次 Table of Contents
第一章 緒論 1
1.1研究背景 1
1.2研究動機 3
1.3研究目的 3
第二章 背景知識與相關研究 4
2.1殭屍網路 4
2.2殭屍網路相關研究 8
2.3螞蟻演算法 10
2.4螞蟻演算法相關研究 14
第三章 螞蟻演算法偵測C&C之應用 17
3.1系統架構及流程簡介 17
3.2系統流程 19
3.2.1流量介紹 19
3.2.2特徵資訊 21
3.2.3螞蟻演算法模組 23
3.2.4產生可疑名單報表 26
第四章 系統評估 28
4.1實驗設計 28
4.2實驗 30
4.2.1實驗一 單台C&C 30
4.2.2實驗二 多台C&C 36
4.2.3實驗三 從少量Bot偵測C&C 38
第五章 結論與未來展望 42
參考文獻 43
參考文獻 References
[1] Microsoft Security Essentials, http://windows.microsoft.com/en-US/windows/products/security-essentials.
[2] Damballa Labs, Damballa Labs reports findings and trends for advanced cyber threats for the first half of 2011, http://www.damballa.com/downloads/r_pubs/Damballa_Threat_Report-First_Half_2011.pdf.
[3] G. Gu, R. Perdisci, J. Zhang, and W. Lee, “BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection,” In Proceedings of 17th USENIX Security Symposium, 2008.
[4] R.Y. Zeng, “IRC Botnet Detection Based on Activity Correlation,” Master thesis, Univ. of National Cheng Kung, 2009.
[5] RFC Sourcebook -IRC, Internet Relay Chat Protocol. http://www.networksorcery.com/enp/protocol/irc.htm.
[6] F. Bégin, “BYOB: Build Your Own Botnet and learn how to mitigate the threat posed by botnets,” SANS InfoSec Reading Room, 2011.
[7] K. Chiang and L. Lloyd, “A case study of the rustock rootkit and spam bot,” In Proceedings of USENIX First Workshop on Hot Topics in Understanding Bonets, 2007.
[8] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna, “Your botnet is my botnet: analysis of a botnet takeover,” In Proceedings of the 16th ACM conference on Computer and communications security, pp. 635-647, 2009.
[9] RFC Sourcebook-HTTP, HyperText Transfer Protocol, http://www.networksorcery.com/enp/protocol/http.htm
[10] G. Gu, J. Zhang, and W. Lee, “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic,” In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), 2008.
[11] K. Takemori, M. Fujinaga, and T. Sayama, “Host-based traceback; tracking bot and C&C server,” In Proceedings of the 3rd International Conference on Ubiquitous Information Management and Communication, 2009.
[12] W. Strayer, D. Lapsely, R. Walsh, and C. Livadas, “Botnet Detection Based on Network Behavior,” The Journal of Botnet Detection, Vol.36, pp. 1-24, 2008.
[13] Ant Colony Optimization. http://iridia.ulb.ac.be/~mdorigo/ACO/ACO.html.
[14] M. Dorigo, V. Maniezzo, and A. Colorni, “The Ant System:Optimization by a colony of cooperating agents,” The Journal of IEEE Transactions on Systems, Vol.26, pp. 1-13, 1996.
[15] M. Dorigo and L.M. Gambardella,”Ant colony system: a cooperative learning approach to the traveling salesman problem,” The Journal of IEEE Transactions on Evolutionary Computation, pp. 53-66, 1997.
[16] U. Chirico, “ A Java Framework For Ant Colony Systems,” In Proceedings of Ants2004: Forth International Workshop on Ant Colony Optimization and Swarm Intelligence, 2004.
[17] D. Subramanian, P. Druschel, and J. Chen, “Ants and reinforcement learning: A case study in routing in dynamic networks,” In Proceedings of International Joint Conference on Artificial Intelligence,” pp. 832-839, 1997.
[18] M. Gunes, U. Sorges, and I. Bouazizi, ARA – The Ant-Colony Based Routing Algorithm for MANETs, In Proceedings of Parallel Processing Workshops, pp. 79- 85, 2002.
[19] C.R. Yang, “Denial of Service Traceback: an Ant-Based Approach,” 2004.
[20] A. Taweesiriwate and B. Manaskasemsak,“Web Spam Detection Using Link-Based Ant Colony Optimization,” In Proceedings of 2012 IEEE 26th International Conference on Advanced Information Networking and Applications (AINA), pp. 868-873, 2012.
[21] GUIAnt-Miner, http://sourceforge.net/projects/guiantminer/.
[22] X. Wang, “Ant algorithm inspired immune intrusion detector generation algorithm,” In Proceedings of 2011 International Conference Network Computing and Information Security (NCIS), pp. 426- 437, 2011.
[23] KDD99 cup dataset, http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
[24] Network Emulation Testbed Home Testbed@TWISC, http://testbed.ncku.edu.tw/.
[25] mIRC, http://www.mirc.com/.
[26] Unreal IRCd, http://www.unrealircd.com/.
[27] Wireshark • Go deep, http://www.wireshark.org/.
電子全文 Fulltext
本電子全文僅授權使用者為學術研究之目的,進行個人非營利性質之檢索、閱讀、列印。請遵守中華民國著作權法之相關規定,切勿任意重製、散佈、改作、轉貼、播送,以免觸法。
論文使用權限 Thesis access permission:自定論文開放時間 user define
開放時間 Available:
校內 Campus: 已公開 available
校外 Off-campus: 已公開 available


紙本論文 Printed copies
紙本論文的公開資訊在102學年度以後相對較為完整。如果需要查詢101學年度以前的紙本論文公開資訊,請聯繫圖資處紙本論文服務櫃台。如有不便之處敬請見諒。
開放時間 available 已公開 available

QR Code