臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)
Student: 蔡勇嶢
Student (English): Tsai, Yung Yao
Title: 基於語彙分析的Botnet惡意域名辨識 (Identification of Botnet malicious domain names based on lexical analysis)
Title (English): Identification of Botnet domain name base on lexical feature
Advisor: 曾俊元
Advisor (English): Tseng, Chinyang
Committee members: 方鄒昭聰, 賴錦慧, 曾俊元
Committee members (English): Fang Tsou, Chaotsung; Lai, Chinhui; Tseng, Chinyang
Oral defense date: 2012-06-15
Degree: Master's
Institution: 國立臺北大學 (National Taipei University)
Department: 資訊管理研究所 (Graduate Institute of Information Management)
Discipline: Computer science
Subfield: General computer science
Thesis type: Academic thesis
Publication year: 2012
Academic year of graduation: 100 (ROC calendar, i.e. 2011-2012)
Language: Chinese
Pages: 40
Keywords (Chinese): 僵屍網路, 機器學習, 語彙分析, 域名黑名單 (botnet, machine learning, lexical analysis, domain name blacklist)
Keywords (English): Botnet, Machine learning, Lexical analysis, Blacklist
Statistics:
  • Cited by: 1
  • Views: 306
  • Rating: (none)
  • Downloads: 51
  • Bookmarked: 0
Abstract (translated from Chinese):
The computing power and connectivity of personal computers have increased substantially in recent years. Attackers on the Internet no longer focus their main attacks on servers; instead they build Botnets, attacking personal computers by spreading worms and Trojan programs and then controlling the infected machines through a C&C channel to carry out malicious activity for profit. The harm this does to the Internet is now a global problem. In recent years Botnets have used encrypted traffic and Domain fluxing to hide their traffic. To block Botnets that use these techniques, a DNS domain name blacklist that blocks Botnet C&C connections is one of the most effective countermeasures, so distinguishing Botnet malicious domain names from other DNS domain names is an important issue in countering the Botnet threat.
This thesis analyses DNS domain names with lexical analysis methods and, using different combinations of features, trains and evaluates decision tree models to find the combination of lexical features best suited to identifying Botnet malicious domain names. We propose five main features: domain name length, syllable count, vowel count, vowel ratio and character repetition count. The experiments show that, when features are compared pairwise, vowel ratio and vowel count best separate the blacklist samples from the whitelist samples. When false positive and false negative rates are calculated, the combination of vowel ratio and vowel count also performs best, with a false positive rate of only 0.01% and a false negative rate of 4.3%, showing that the method in this thesis can adequately identify malicious domain names.
Abstract (English):
Personal computer computation power and connection capability have increased dramatically, such that personal computers have become the major targets of malicious attacks instead of traditional servers. By infecting victim personal computers with worms and Trojan horses, attackers establish their Botnets, which remotely control the victims to perform malicious activities in order to make money, and thus become a major Internet threat. Encryption and domain fluxing are currently the major evasion techniques used by Botnets. To defend against Botnets, a DNS blacklist is one of the most effective defensive strategies against hidden Botnet connections. Therefore, effectively identifying malicious domain names is a critical issue for Botnet detection. This paper presents a lexical analysis approach to find different patterns in domain names, and adopts decision tree models to train the best combination of malicious domain name lexical features.
We propose five major features: domain length, syllable count, vowel count, vowel ratio and character redundancy. Experimental results show that vowel ratio and vowel count can effectively differentiate blacklist and whitelist samples when cross-comparing them. When calculating false positive and false negative rates, the combination of vowel ratio and vowel count provides the best results, a 0.01% false positive rate and a 4.3% false negative rate, which shows that our approach can effectively identify malicious domain names.
Table of contents:
Acknowledgements I
Abstract (Chinese) II
ABSTRACT III
Contents IV
List of Figures V
List of Tables VI

Chapter 1 Introduction 1
Section 1 The Botnet threat 1
Section 2 Domain name blacklist blocking strategy 3
Section 3 Research motivation and objectives 4
Chapter 2 Literature review 7
Chapter 3 Research method 9
Section 1 Lexical features 9
Section 2 The C4.5 machine learning algorithm 13
Section 3 Evaluating the identification model 15
Section 4 Deploying the identification model 17
Chapter 4 Experimental results 19
Section 1 Data sources and preprocessing 19
Section 2 Lexical feature data set 19
Section 3 Feature evaluation results 22
Section 4 Model training results 25
Section 5 Model evaluation results 27
Chapter 5 Conclusion and discussion 29
References 30
Appendix 1 Feature extraction program 33
Appendix 2 ORANGE experiment settings 38
Curriculum vitae 39
Copyright statement 40