National Digital Library of Theses and Dissertations in Taiwan

Detailed Record

Student: 朱宇豐
Student (English): Yu-Feng Chu
Title: 動態產生惡意域名偵測之研究 (A Study of the Detection of Malicious Domain Names Generated by a Dynamic Domain Name Generation Algorithm)
Title (English): A Study of the Detection of Malicious Domain Name Generated by Dynamic Domain Name Generation Algorithm
Advisor: 詹前隆
Advisor (English): Chien-Lung Chan
Committee members: 潘人豪, 毛敬豪
Committee members (English): Ren-Hao Pan, Ching-Hao Mao
Oral defense date: 2015-06-26
Degree: Master
Institution: 元智大學 (Yuan Ze University)
Department: 資訊管理學系 (Department of Information Management)
Discipline: Computer science
Sub-discipline: General computer science
Thesis type: Academic thesis
Academic year of graduation: 103
Language: Chinese
Pages: 87
Keywords (Chinese): botnet, bot malware, malware detection, dynamic domain names
Keywords (English): Domain name generation algorithm, Malicious, Botnet, Malware Detection
Statistics:
  • Cited: 0
  • Views: 241
  • Downloads: 0
  • Bookmarked: 0
Devices that run an operating system, whether computers or mobile phones, are now increasingly common. Software can be installed on all of them, and connecting to the Internet is one of their essential functions. Much malware therefore abuses this ordinary capability to intrude and cause damage, and the technique by which the malware contacts its controller is critically important to it. This study targets one concealment technique used for the link between malware and its control side: a dynamic domain name generation algorithm that confuses security personnel, so that the source of the control side cannot be identified and traced in real time, or only at great cost in time.
This study goes beyond earlier approaches that predict from string randomness (entropy) or from the character combinations of normal domain names; those methods are likely to fail when a string has low randomness or its character combinations resemble a normal domain name. The proposed method instead extracts feature values from the domain names generated by malware and clusters them, which yields the domain-name characteristics of each malware family. A probability model is trained from each cluster, and a probability model of normal domain names is added to perform the classification, so that each probability model captures its own characteristics and classifying by those characteristics gives a more effective basis for judgement. Experiments confirm effective detection for 8 malware families that dynamically generate domain names; for the 2 malware families whose character combinations resemble normal domain names (MATSNU, ROVNIX), clustering on the feature values reaches a precision above 0.9 at 13 clusters, meaning that more than 90% of the dynamically generated domain names can be detected.
In recent years, computers and mobile devices have rapidly become popular, and all of these devices can connect to a network. Attackers use this characteristic to inject malware that steals private data. To achieve this goal, the connection to the control side becomes very important. In our study, we focus on a hiding technique for the control-side connection that dynamically generates domain names to confuse defenders; this technique makes the source of the control-side connection very difficult to detect.
Our research outperforms previous approaches based on the entropy of the string and on the character combinations of regular domain names; those approaches are unable to detect strings with low randomness or strings similar to normal domain names. We therefore propose a novel method that extracts features from the domain names generated by malicious applications: the domain names of each malware family yield their own properties, a probability model (Markov model) is trained per cluster, and a model of normal domain names is combined with them for judgement, so that each Markov model captures one characteristic and gives a better effect. The experiments proved that the CONFICKER, CRYPTOLOCKER, MATSNU, OTHERS, PUSHDO, RAMDO, RAMNITPCAP, ROVNIX, TINBA and ZEUS malicious applications achieve good detection results even without clustering. Domains produced by two malware families (MATSNU, ROVNIX), whose character combinations resemble normal domain names, are difficult to detect; clustering by feature value gives a good effect, and at 13 clusters the value rises above 0.9, meaning that more than 90% of the dynamically generated domain names can be detected.
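The classification step the abstract describes (one character-level Markov model per cluster of DGA domains, plus one for normal domain names, with a domain assigned to the model that explains it best), as an added example that is not the thesis' own code. It assumes a first-order character-transition model with add-one smoothing and uses constructed sample domains in place of the thesis' feature clusters and datasets.

```python
import math
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
START, END = "^", "$"  # virtual boundary symbols around the label

def label_of(domain):
    """Second-level label, lower-cased: 'www.Example.com' -> 'example'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def train_markov(domains, alpha=1.0):
    """First-order Markov chain: {(prev, next): log P(next | prev)}, add-alpha smoothed."""
    counts = defaultdict(lambda: defaultdict(int))
    for d in domains:
        seq = START + label_of(d) + END
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    symbols = ALPHABET + END
    model = {}
    for a in START + ALPHABET:
        total = sum(counts[a].values()) + alpha * len(symbols)
        for b in symbols:
            model[(a, b)] = math.log((counts[a][b] + alpha) / total)
    return model

def score(model, domain):
    """Mean log-likelihood per character transition (length-normalised)."""
    seq = START + label_of(domain) + END
    pairs = list(zip(seq, seq[1:]))
    floor = math.log(1e-9)  # transitions involving characters outside ALPHABET
    return sum(model.get(p, floor) for p in pairs) / len(pairs)

def classify(domain, models):
    """Name of the model (benign or a DGA cluster) that best explains the domain."""
    return max(models, key=lambda name: score(models[name], domain))

# Constructed sample data (not from the thesis): benign names plus two DGA-like
# groups standing in for the feature clusters on which the thesis trains a model.
BENIGN = ["google.com", "facebook.com", "youtube.com", "wikipedia.org", "amazon.com",
          "twitter.com", "linkedin.com", "microsoft.com", "apple.com", "netflix.com"]
CLUSTER_1 = ["xkqzwvpt.com", "qzwvkxpt.net", "wvkxqzpt.com", "kxqzwvtp.org"]  # consonants
CLUSTER_2 = ["a8k3x9q2.com", "k3x9q2a8.com", "x9q2a8k3.net", "q2a8k3x9.com"]  # digits mixed
MODELS = {name: train_markov(data) for name, data in
          [("benign", BENIGN), ("cluster_1", CLUSTER_1), ("cluster_2", CLUSTER_2)]}

if __name__ == "__main__":
    for d in ["facebook.com", "qzwvkxtp.com", "k3x9a8q2.net"]:
        print(d, "->", classify(d, MODELS))
```

With real data the per-cluster models would be fitted on the clusters produced by the feature-extraction step, and the length-normalised score can also serve as an anomaly threshold on its own.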
A Study of the Detection of Malicious Domain Name Generated by Dynamic Domain Name Generation Algorithm i
Oral examination committee approval sheet ii
Authorization form iii
Chinese abstract vi
English abstract vii
Acknowledgements ix
Table of contents ix
List of tables xii
List of figures xiii
Chapter 1. Introduction 1
1.1 Research background and motivation 1
1.2 Botnets and dynamic domain generation algorithms 3
1.4 Research process 5
Chapter 2. Literature review 6
2.1 Botnets 6
2.2 Detection of botnets and DGAs 7
2.3 Network names 8
2.4 Sequence analysis method: Markov chain model 8
2.4.1 Stochastic process 9
2.4.2 Transition probabilities 9
2.4.3 Transition matrix 10
2.4.4 Transition period 10
2.4.5 Markov process 10
2.4.6 Markov chain 11
Chapter 3. Detection and tracking method for malware hidden behind dynamic domain names 12
3.1 Domain feature clustering module 12
3.2 Domain sequence association modelling module 21
3.3 Anomalous domain detection module 22
Chapter 4. Research results and experiments 24
4.1 Data description 24
4.1.1 Whitelist 25
4.1.2 Malware 27
4.1.3 Malicious packets 29
4.1.4 Automatically generated domain name dataset 32
4.2 Experimental method 35
4.2.1 Purpose of the experiments 35
4.2.2 Experimental design 35
4.3 Evaluation method 40
4.4 Experimental results 41
4.5 Comparison with existing methods 56
Chapter 5. Conclusions 60
5.1 Contributions 60
5.2 Conclusions 60
5.3 Future research directions 63
References 64
Appendix 1: Malware descriptions 70
Appendix 2: Descriptions of malware that generates dynamic domain names 85
Appendix 2: Pseudocode of GameOver Zeus [18] 88
[1] McAfee Labs. McAfee Threats Report: First Quarter 2013, 2013. URL http://www.mcafee.com/au/resources/reports/rp-quarterly-threat-q4-2013.pdf
[2] ENISA. ENISA Threat Landscape, Mid-year 2013, 2013. URL https://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-mid-year-2013
[3] Louis Marinos and Andreas Sfakianakis. "ENISA Threat Landscape - Responding to the Evolving Threat Environment." ENISA (The European Network and Information Security Agency), Sep. 2012.
[4] Chris Grier, Lucas Ballard, Juan Caballero, Neha Chachra, Christian J. Dietrich, Kirill Levchenko, Panayiotis Mavrommatis, Damon McCoy, Antonio Nappa, Andreas Pitsillidis, et al. Manufacturing compromise: the emergence of exploit-as-a-service. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, pages 821-832. ACM, 2012.
[5] Michele Spagnuolo. BitIodine: Extracting intelligence from the Bitcoin network. Master's thesis, Politecnico di Milano, Piazza Leonardo da Vinci 32, Milan, December 2013.
[6] Smith, Bryan. (2013). Cryptoviral Extortion. Written project for COSC 374, Applied Cryptography, Fall 2013.
[7] Maryam Feily, Alireza Shahrestani, and Sureswaran Ramadass. A survey of botnet and botnet detection. In Emerging Security Information, Systems and Technologies, 2009. SECURWARE '09. Proceedings of the International Conference on, pages 268-273, June 2009. doi: 10.1109/SECURWARE.2009.48
[8] Elisan, Christopher. (2012). Malware, Rootkits & Botnets: A Beginner's Guide. McGraw Hill Professional.
[9] Stinson, Elizabeth, and John C. Mitchell. (2008). Towards Systematic Evaluation of the Evadability of Bot/Botnet Detection Methods. WOOT, 8, 1-9.
[10] Junjie Zhang, Roberto Perdisci, Wenke Lee, Unum Sarfraz, and Xiapu Luo. (2011, June). Detecting stealthy P2P botnets using statistical traffic fingerprints. In Dependable Systems & Networks (DSN), 2011 IEEE/IFIP 41st International Conference on (pp. 121-132). IEEE.
[11] Yen, Ting-Fang, et al. Beehive: Large-scale log analysis for detecting suspicious activity in enterprise networks. In: Proceedings of the 29th Annual Computer Security Applications Conference. ACM, 2013. pp. 199-208.
[12] Manos Antonakakis, Roberto Perdisci, Yacin Nadji, Nikolaos Vasiloglou, Saeed Abu-Nimeh, Wenke Lee, and David Dagon. (2012, August). From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware. In USENIX Security Symposium (pp. 491-506).
[13] Reza Sharifnya and Mahdi Abadi. (2013, October). A novel reputation system to detect DGA-based botnets. In Computer and Knowledge Engineering (ICCKE), 2013 3rd International eConference on (pp. 417-423). IEEE.
[14] Malware, Rootkits and Botnets (Chinese edition), Christopher C. Elisan, 2013-10.
[15] Steinley, Douglas. "Classification, clustering, and data mining applications." (2007): 144-152.
[16] Alexa the Web Information Company. Available URL http://s3.amazonaws.com/alexa-static/top-1m.csv.zip. [July 28, 2015].
[17] GameOver Zeus. contagioexchange Blog. Available URL http://contagioexchange.blogspot.tw/2012/03/010-crime-gameover-zeus-with-p2p-and.html. [July 28, 2015].
[18] Andriesse, Dennis, et al. "Highly resilient peer-to-peer botnets are here: An analysis of Gameover Zeus." Malicious and Unwanted Software: "The Americas" (MALWARE), 2013 8th International Conference on. IEEE, 2013.
[19] Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna. (2009, November). Your botnet is my botnet: analysis of a botnet takeover. In Proceedings of the 16th ACM Conference on Computer and Communications Security (pp. 635-647). ACM.
[20] Kazumasa Itabashi. How Trojan.Zbot.B!inf Uses the Crypto API, 2010. Technical Report, Symantec.
[21] Collection of pcap files from malware. contagioexchange Blog. Available URL http://contagiodump.blogspot.tw/2013/04/collection-of-pcap-files-frommalware.html. [July 28, 2015].
[22] Lua, Ruiping, and Kin Choong Yow. Mitigating DDoS attacks with transparent and intelligent fast-flux swarm network. Network, IEEE, 2011, 25.4: 28-33.
[23] Marsan, Robert. (2013). Android behind the scenes: revealing hidden malware with AndroMEDA.
[24] Marsan, Robert. Android behind the scenes: revealing hidden malware with AndroMEDA. 2013.
[25] Hung, Chien-Wei, et al. A QTE-based Solution to Keylogger Attacks. In: SECURWARE 2012, The Sixth International Conference on Emerging Security Information, Systems and Technologies. 2012. pp. 62-67.
[26] Grier, Chris, et al. Manufacturing compromise: the emergence of exploit-as-a-service. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security. ACM, 2012. pp. 821-832.
[27] Alazab, Mamoun. (2015). Profiling and classifying the behavior of malicious codes. Journal of Systems and Software, 100, 91-102.
[28] Sanatinia, Amirali, and Guevara Noubir. (2015). Profiling and classifying the behavior of malicious codes. Journal of Systems and Software, 100, 91-102.
[29] Shirazi, Reza. (2015). Botnet Takedown Initiatives: A Taxonomy and Performance Model. Technology Innovation Management Review, 5(1).
[30] Liu, Lei, Songqing Chen, Guanhua Yan, and Zhao Zhang. (2008). BotTracer: Execution-based bot-like malware detection. In Information Security (pp. 97-113). Springer Berlin Heidelberg.
[31] VirusTotal. Free Online Virus and Malware Scan. URL http://www.virustotal.com/. [July 28, 2015].
[32] Andrewaeva. GitHub repository. Available URL https://github.com/Andrewaeva/DGA. [July 28, 2015].
[33] Nickwallen. GitHub repository. Available URL https://github.com/nickwallen/botnet-dga-classifier.git. [July 28, 2015].
[34] abuse.ch. ZeuS Gets More Sophisticated Using P2P Techniques. http://www.abuse.ch/?p=3499, 2011.
[35] Yadav, Sandeep, Ashwath Kumar Krishna Reddy, and Supranamaya Ranjan. (2012). Detecting algorithmically generated domain-flux attacks with DNS traffic analysis. Networking, IEEE/ACM Transactions on, 20(5), 1663-1677.
[36] Ligh, Michael Hale, et al. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons.
[37] Rodionov, Eugene, Aleksandr Matrosov, and David Harley. (2014). Bootkits: Past, Present & Future. In VB Conference.
[38] R. Kohavi and F. Provost. "Glossary of terms." Machine Learning, Editorial for the Special Issue on Applications of Machine Learning and the Knowledge Discovery Process, Vol. 30, 1998, pp. 271-274.
[39] 葉進儀, 吳泰熙, and 李凱平. (2009). "Combining fuzzy theory and Markov chains to evaluate customer value." Journal of Information Management 16.1: 109-134.
[40] Watson, Jon. "VirtualBox: bits and bytes masquerading as machines." Linux Journal 2008.166 (2008): 1.
[41] Mark Hall, Eibe Frank, Geoffrey Holmes, Bernhard Pfahringer, Peter Reutemann, and Ian H. Witten. (2009). The WEKA Data Mining Software: An Update. SIGKDD Explorations, Volume 11, Issue 1.
[42] Farnstrom, Fredrik, James Lewis, and Charles Elkan. (2000). Scalability for clustering algorithms revisited. ACM SIGKDD Explorations Newsletter, 2(1), 51-57.
[43] Cover, Thomas M., and Joy A. Thomas. (2006). Elements of Information Theory (second edition).
[44] Fygrave. GitHub repository. Available URL https://github.com/fygrave/dnslyzer. [July 28, 2015].
[45] Yarochkin, F., Kropotov, V., Huang, Y., Ni, G. K., Kuo, S. Y., & Chen, Y. (2013, June). Investigating DNS traffic anomalies for malicious activities. In Dependable Systems and Networks Workshop (DSN-W), 2013 43rd Annual IEEE/IFIP Conference on (pp. 1-7). IEEE.
[46] Angela, O., Gibert, R., Jay, B., & Joshua, W. Wireshark & Ethereal Network Protocol Analyzer Toolkit (Jay Beale's Open Source Security).
[47] Alkhatib, H. S. (2000). U.S. Patent No. 6,119,171. Washington, DC: U.S. Patent and Trademark Office.
[48] Daigle, L. (2004). WHOIS protocol specification.
[49] Porras, Phillip, Hassen Saïdi, and Vinod Yegneswaran. (2009, April). A foray into Conficker's logic and rendezvous points. In USENIX Workshop on Large-Scale Exploits and Emergent Threats.
[50] A. Lelli. Zeusbot/Spyeye P2P Updated, Fortifying the Botnet, 2012. Technical Report, Symantec. http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet
[51] Zeus Gets More Sophisticated Using P2P Techniques, 2011. Technical Report. http://www.abuse.ch/?p=3499
[52] Mayzner, Mark S., and Margaret Elizabeth Tresselt. (1965). Tables of single-letter and digram frequency counts for various word-length and letter-position combinations. Psychonomic Monograph Supplements.
[53] Mockapetris, Paul, and Kevin J. Dunlap. (1988). Development of the domain name system (Vol. 18, No. 4, pp. 123-133). ACM.
[54] Piscitello, D. (2010). Conficker summary and review. Tech. Rep., ICANN, May, 7.
[55] Miller, Jan. (2014). Hybrid Analysis - NextGen Technology for Advanced Malware.