Real Time Fast-Flux Service Network Detection in Passive Mode
Authors: Shu-Ping Yu
Contributors: NTOU, Department of Computer Science and Engineering
Keywords: Botnet; Classification; DNS record; Fast-Flux; Measurement of Delays; Passive
Issue Date: 2013-10-07T02:58:49Z
Abstract: The Internet keeps growing rapidly, and malicious activity grows along with it. Beyond phishing sites, spam and botnets, botnet operators have in recent years adopted a stealth technique (Fast-Flux) to evade detection by researchers and thereby extend the lifetime and availability of malicious websites. A domain name used by a fast-flux botnet can map to many IP addresses; most of these victim machines are home computers distributed around the world, so even if some of the IPs stop working, the botnet cannot be completely eliminated as long as other zombie hosts remain alive. Most current detection methods rely on DNS records and need a considerable amount of time to collect data, so they cannot detect in real time and protect other users from harm. To remedy this, some researchers have proposed a real-time detection method from the client's point of view: it exploits the fact that a fast-flux botnet must relay and process data through a third party, and uses measured time delays as the basis for classification. However, that method requires the client to actively send probe packets to the network hosts, so it is not suitable for network-based detection. The method proposed in this thesis can not only perform detection for a single client but can also be deployed at the network ingress/egress to monitor an entire network. By combining DNS information with delay information, it detects fast-flux botnets in a completely passive manner and can likewise distinguish legitimate domains from fast-flux botnets within a few seconds. Experimental results show that our method correctly distinguishes the two, with accuracy above 0.95 and an error rate below 0.05.
The rapid development and deployment of the Internet creates a paradise for malicious attackers. In addition to traditional attacks like phishing, spam, and botnets, modern attackers now leverage the fast-flux technique to prevent their attacks from being shut down by network administrators. The use of fast-flux techniques improves the lifetime and availability of malicious services. A fast-flux domain name is often mapped to a large number of IP addresses of vulnerable personal computers. These computers are spread worldwide, so the fast-flux domain cannot be easily shut down if only some of them are disconnected from the Internet. Most existing detection techniques are based on analyzing DNS records. However, these techniques require a longer period of time to collect a sufficient number of DNS records and therefore cannot detect fast-flux domains in real time. Although Hsu et al. proposed a real-time detection solution based on the measurement of network delays, that solution has to send network probe packets actively, so it is not suitable for deployment in a large-scale network. The goal of this paper is to detect fast-flux domains in a passive and efficient manner. It is therefore applicable not only to a single host but can also be used to detect fast-flux domains in a large-scale network. By combining features collected from both DNS records and network delays, the proposed solution is able to differentiate benign and malicious domains within several seconds. Our experiments show that the proposed solution has high precision and recall rates (both higher than 0.95) and an error rate lower than 0.05.
Appears in Collections: [Department of Computer Science and Engineering] Master's and Doctoral Theses