臺灣博碩士論文加值系統

隨著網際網路被運用在商業的頻率越來越高，網路攻擊所造成的利益損害已經逐漸擴大。駭客運用著網際網路從事非法的活動，像是木馬、病毒散播、分散式阻斷服務攻擊、垃圾郵件與釣魚網站的威脅等，為了獲取龐大的利益，犯罪者對於非法活動的需求日漸成長，而為了讓這些詐欺行為具有高度的隱蔽性，犯罪者開始使用一種稱為Fast-Flux Service Networks的攻擊手法，FFSN是由一群被用來當作代理轉向服務的傀儡網路(botnet)所組成，利用這些受感染的傀儡主機便可以將使用者重新導向至犯罪者所架設的惡意內容。
本研究實作建置一系統，以本研究所探討之偵測特徵搭配既有特徵為偵測基準，針對Malware Domain List及ATLAS資料來源偵測FFSN惡意網域，探討當前網路犯罪中FFSN被犯罪者應用的實際情形、並分析偵測效益並挑選出最佳方案作為日後之偵測基準。

With the Internet being used more frequently in the business, network attack have caused damage to the interests gradually expanded. Hackers use the Internet for illegal activities, such as Trojan, viruses, DDoS attacks, spam and phishing, etc. In order to obtain huge benefits, the offender’s demand for illegal activities growth, and to make such fraud a high degree of concealment, the offender began to use the attack tactics called Fast-Flux Service Network (FFSN). FFSN is composed by who is used by a group of agents to service as a proxy of the botnet. Use these infected host can redirect the user to the malicious content that offender set.
In this thesis we implemented a system, we use the detection feature discuss in this thesis and the features that is already discussed in other study to detect whether the data which are from Malware Domain List and ATLAS are belong to FFSN or not. Also, we investigate the utilization of FFSN by miscreants on the Internet, and analyze the detection performance and select the best case as the baseline of detection in the future.

中文摘要 i
英文摘要 ii
誌 謝 iii
目錄 iv
表目錄 vii
圖目錄 viii
一、緒論 1
1.1 研究背景 1
1.2 研究動機 2
1.4 研究流程 2
二、文獻探討 4
2.1 DNS 4
2.1.1 DNS Query 5
2.1.2 DNS Query回應資訊 7
2.1.3 Round Robin DNS(RR-DNS) 8
2.1.4 Autonomous Systems 9
2.2 Botnet 9
2.2.1 Botnet定義 10
2.2.2 IRC-based Botnet 10
2.2.3 Peer to Peer botnet (P2P botnet) 11
2.2.4 Http botnet 12
2.3 FFSN 13
2.3.1 FFSN運作過程 15
2.4 FFSN偵測特徵值探討： 19
三、研究方法 21
3.1 研究架構 21
3.1.1資料來源 21
3.1.2先行實驗數據 22
3.1.3系統架構 28
3.2 系統設計 29
3.3 系統偵測方法 30
3.4 系統實作與預期成果 32
3.4.1實作流程 32
3.4.2 預期成果 33
3.5可行性評估 33
四、實驗結果與討論 34
4.1 實驗資料分析 35
4.2偵測特徵分析 36
4.2.1 Nip(多次DNS Query中不重複的A Record數) 36
4.2.2 TTL(DNS Record的TTL) 38
4.2.3 Nasn(A Record所對應到的相異ASN數量) 39
4.3偵測準確度分析與討論 40
4.3.1系統偵測準確率分析 40
4.3.2 實驗討論 42
五、結論與未來發展 43
5.1 結論 43
5.2 未來研究方向 44
參考文獻 45

[1]曾仲強, DNS舊技術新玩法-Fast-Flux. 資安人雜誌, 2009. 66: p. 74-78.
[2]蕭淵隆, 陳彥錚, and 黃景煌, 採用RR-DNS 機制的網路服務可用性之研究, in 2003年台灣網際網路研討會. 2003.
[3]Netman網中人. DNS協定. 2001; Available from: http://www.pcnet.idv.tw/pcnet/network/network_ip_dns.htm.
[4]Consortium, I.S. Dimain information groper(DIG). Available from: https://www.isc.org/software/bind.
[5]Zilong, W., et al., The Detection of IRC Botnet Based on Abnormal Behavior, in 2010 Second International Conference on MultiMedia and Information Technology. 2010.
[6]Duan, J., et al., Descriptive Model of Peer-to-Peer Botnet Structures, in 2010 1nternational Conference on Educational and Information Technology (lCEIT 2010). 2010.
[7]Lee, J.-S., et al., The Activity Analysis of Malicious HTTP-based Botnets using Degree of Periodic Repeatability, in 2008 International Conference on Security Technology. 2008.
[8]Project, T.H. Know Your Enemy: Fast-Flux Service Networks. 2007; Available from: http://www.honeynet.org/papers/ff.
[9]ATLAS. Global Fast Flux. 2010; Available from: http://atlas.arbor.net/summary/fastflux.
[10]Holz, T., et al., Measuring and Detecting Fast-Flux Service Networks, in NDSS. 2008.
[11]Scharrenberg, P., Analyzing Fast-Flux Service Networks. 2008, RWTH Aachen University.
[12]Passerini, E., et al., FluXOR: detecting and monitoring fast-flux service networks. Lecture Notes in Computer Science, 2008. 5137: p. 186-206.
[13]Alexa-Internet. The top 500 sites. 2010; Available from: www.alexa.com/topsites.
[14] Nazario, J., & Holz, T. 2008, As the net churns: Fast-flux botnet observations,
MALWARE 2008, 3rd International Conference on.
[15] Zhou, C., et al., 2009, Collaborative Detection of Fast Flux Phishing Domains, Journal of Networks, pp.75.