
Please use this identifier to cite or link to this item: http://ntour.ntou.edu.tw:8080/ir/handle/987654321/35760

Title: Real Time Fast-Flux Service Network Detection in Passive Mode (Chinese title: 被動式即時偵測匿蹤殭屍網路之技術研究)
Authors: Shu-Ping Yu (余淑萍)
Contributors: National Taiwan Ocean University (NTOU), Department of Computer Science and Engineering
Keywords: Botnet; Classification; DNS record; Fast-Flux; Measurement of Delays; Passive
Date: 2012
Issue Date: 2013-10-07T02:58:49Z
Abstract (translated from the Chinese): The Internet keeps growing rapidly, and the malicious activity that accompanies it grows with it. Beyond phishing sites, spam and botnets, botnet operators have in recent years adopted fast-flux techniques to evade detection by researchers, which extends the lifetime and availability of malicious websites. A domain name used by a fast-flux botnet can resolve to many IP addresses; most of these compromised machines are home computers spread around the world, so even if some of the IPs go offline, the botnet cannot be eliminated as long as other bots remain alive.

Most current detection methods rely on DNS records and need considerable time to collect data, so they cannot detect in real time and therefore cannot prevent further users from being harmed. To address this shortcoming, some researchers have proposed a real-time detection method from the client's perspective: it exploits the fact that a fast-flux botnet must relay requests to a back-end host for processing, and uses the measured delay as the basis for classification. That method, however, requires the client to actively send probe packets to the network host, so it is not suitable for network-based detection.

The method proposed in this thesis can not only detect fast-flux domains for a single client but can also be deployed at the network's ingress/egress point to monitor an entire network. By combining DNS information with delay information, it detects fast-flux botnets in a completely passive manner and can likewise tell legitimate domains from fast-flux botnet domains within seconds. Experimental results show that our method correctly separates the two, with an accuracy above 0.95 and an error rate below 0.05.

Abstract (English): The rapid development and deployment of the Internet creates a paradise for malicious attackers. In addition to traditional attacks such as phishing, spam and botnets, modern attackers now leverage the fast-flux technique to prevent their attacks from being shut down by network administrators. Fast-flux techniques improve the lifetime and availability of malicious services. A fast-flux domain name is often mapped to a large number of IP addresses belonging to vulnerable personal computers. Because these computers are spread worldwide, the fast-flux domain cannot easily be shut down when only some of them are disconnected from the Internet. Most existing detection techniques are based on analyzing DNS records. These techniques, however, require a long period of time to collect a sufficient number of DNS records and are therefore unable to detect fast-flux domains in real time. Although Hsu et al. proposed a real-time detection solution based on the measurement of network delays, that solution has to send network probe packets actively, so it is not suitable for deployment in a large-scale network. The goal of this paper is to detect fast-flux domains in a passive and efficient manner. The solution is therefore applicable not only to a single host but also to detecting fast-flux domains in a large-scale network. By combining features collected from both DNS records and network delays, the proposed solution is able to differentiate benign and malicious domains within several seconds. Our experiments show that the proposed solution has high precision and recall rates (both higher than 0.95) and an error rate lower than 0.05.
URI: http://ethesys.lib.ntou.edu.tw/cdrfb3/record/#G0019957044
http://ntour.ntou.edu.tw/handle/987654321/35760
Appears in Collections: [Department of Computer Science and Engineering] Master's and Doctoral Theses

Files in This Item: index.html (HTML, 0 KB)


All items in NTOUR are protected by copyright, with all rights reserved.
