臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)
Detailed record
Author: 洪顥恆 (Hung, Hao-Heng)
Title: 利用高斯混合模型執行異常偵測來偵測殭屍網路
Title (English): An Anomaly Detection Model to Detect Botnet Network Flows Using Gaussian Mixture Model
Advisor: 曾文貴 (Tzeng, Wen-Guey)
Committee: 曾文貴 (Tzeng, Wen-Guey); 蔡錫鈞 (Tsai, Shi-Chun); 謝續平 (Shieh, Shiuh-pyng); 孫宏民 (Sun, Hung-Min)
Defense date: 2018-08-27
Degree: Master's
Institution: 國立交通大學 (National Chiao Tung University)
Department: 網路工程研究所 (Institute of Network Engineering)
Discipline: Engineering
Field: Electrical engineering and computer science
Document type: Academic thesis
Year published: 2018
Academic year of graduation: 107 (ROC calendar)
Language: Chinese
Pages: 39
Keywords (Chinese): 殭屍網路; 機器學習; 異常偵測; 高斯混合模型; 網路流量側寫
Keywords (English): botnet; machine learning; anomaly detection; Gaussian mixture model; network flow profiling
Abstract (translated from the Chinese):
The Internet is one of the main reasons modern society has developed so rapidly. It lets people share information almost instantly even when they are far apart, but security problems come with it. Botnets are among the most serious of these, and since around 2010 a large number of researchers have worked on them and published many results.
However, although botnets are not rare, obtaining botnet samples and their traffic is very difficult for researchers. Given this, this thesis proposes a machine learning model that needs only ordinary normal network traffic as training data. We first classify network flows into different types, then use common features, such as the total packet size of a flow, the number of packets, and the size of the first packet, to build one Gaussian mixture model for each type; these GMMs serve as the profile of normal traffic. To decide whether an unknown flow is a botnet flow, we pass it through the previously built GMMs and compare it with the features of the normal flows seen before; if it does not reach a given similarity, the unknown flow is judged to be a botnet flow.
Abstract (English, as published):
The Internet is one of the most important reasons that modern society has evolved so fast. Even when people are far apart, they can still communicate with each other via the Internet. However, that is also where Internet security issues come in, and botnets are among the most serious of them. As a result, researchers have devoted themselves to botnet detection research since 2010.
Nevertheless, traditional botnet research needs botnet traffic as its training data, which is hard to collect. We therefore propose a botnet detection model that needs only normal network traffic as training data. We first separate network traffic into groups by type and use features commonly used in botnet detection, such as the total packet size, the number of packets, or the size of the first packet in a flow, to build a Gaussian mixture model (GMM) as the profile of each group. To classify an unknown network flow, we compare it with the normal flows we have seen before. If it is similar according to our profile, we classify the unknown flow as normal; otherwise, as a bot flow.
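The pipeline the abstract describes (assemble packets into flows, group flows by type, profile each group with a GMM trained on benign flows only, flag flows that fall below a similarity cut-off), as an added worked example that is not the thesis's own code. The table of contents shows the thesis used sklearn; this version fits its own small diagonal-covariance GMM with EM so that it depends only on numpy. The grouping rule (protocol plus well-known port), the log1p feature scaling, two mixture components, the 1st-percentile threshold, and every packet in it are assumptions or constructed data, not taken from the thesis or its datasets.

```python
"""Added example, not code from the thesis: one-class botnet flow detection with
one EM-fitted Gaussian mixture per traffic group, trained on benign flows only.
Grouping rule, feature scaling, component count, threshold percentile and all
traffic below are assumptions / constructed data for illustration."""
import math
import random
from collections import defaultdict

import numpy as np


# --- step 1: packets -> flows -> feature vectors --------------------------
def packets_to_flows(packets):
    """packets: (ts, src, dst, sport, dport, proto, size) tuples.
    One flow per unidirectional 5-tuple; packet sizes kept in arrival order."""
    flows = defaultdict(list)
    for _ts, src, dst, sport, dport, proto, size in sorted(packets):
        flows[(src, dst, sport, dport, proto)].append(size)
    return dict(flows)


def flow_features(sizes):
    """The three features the abstract names: total bytes, packet count, first
    packet size. log1p (an assumption) keeps the scales comparable."""
    return np.log1p(np.array([sum(sizes), len(sizes), sizes[0]], dtype=float))


def flow_group(key):
    """Assumed grouping rule: protocol plus well-known service port, else 'other'."""
    proto, dport = key[4], key[3]
    return (proto, dport if dport in (53, 80, 443) else "other")


# --- step 2: diagonal-covariance GMM fitted by EM -------------------------
def logsumexp(a, keepdims=False):
    m = a.max(axis=1, keepdims=True)
    out = m + np.log(np.exp(a - m).sum(axis=1, keepdims=True))
    return out if keepdims else out[:, 0]


class DiagGMM:
    def __init__(self, k=2, iters=100, seed=0):
        self.k, self.iters, self.rng = k, iters, np.random.default_rng(seed)

    def _log_joint(self, X):
        """log w_j + log N(x | mu_j, diag(var_j)) for every (sample, component)."""
        maha = ((X[:, None, :] - self.mu[None]) ** 2 / self.var[None]).sum(-1)
        norm = np.log(self.var).sum(-1) + X.shape[1] * math.log(2 * math.pi)
        return np.log(self.w) - 0.5 * (maha + norm)

    def fit(self, X):
        n = len(X)
        self.mu = X[self.rng.choice(n, self.k, replace=False)]   # init on data points
        self.var = np.tile(X.var(axis=0) + 1e-3, (self.k, 1))
        self.w = np.full(self.k, 1.0 / self.k)
        for _ in range(self.iters):
            lj = self._log_joint(X)
            r = np.exp(lj - logsumexp(lj, keepdims=True))         # E-step: responsibilities
            nk = r.sum(axis=0) + 1e-9
            self.w = nk / n                                        # M-step
            self.mu = (r.T @ X) / nk[:, None]
            self.var = np.maximum((r.T @ X ** 2) / nk[:, None] - self.mu ** 2, 1e-3)
        return self

    def score(self, X):
        """Per-flow log-likelihood under the mixture: higher means more typical."""
        return logsumexp(self._log_joint(X))


# --- step 3: one benign profile per group, cut-off from benign scores only --
class BenignProfileDetector:
    def __init__(self, components=2, percentile=1.0):
        self.components, self.percentile, self.models = components, percentile, {}

    def fit(self, benign_flows):
        by_group = defaultdict(list)
        for key, sizes in benign_flows.items():
            by_group[flow_group(key)].append(flow_features(sizes))
        for group, feats in by_group.items():
            X = np.vstack(feats)
            gmm = DiagGMM(k=min(self.components, len(X))).fit(X)
            # the lowest-scoring `percentile` of benign flows sets the threshold
            self.models[group] = (gmm, np.percentile(gmm.score(X), self.percentile))
        return self

    def is_bot(self, key, sizes):
        group = flow_group(key)
        if group not in self.models:
            return True                  # no benign profile for this kind of traffic
        gmm, threshold = self.models[group]
        return bool(gmm.score(flow_features(sizes)[None, :])[0] < threshold)


# --- constructed benign traffic (not a capture) -----------------------------
def synth_benign(n_flows, seed=1):
    rnd, pkts = random.Random(seed), []
    for i in range(n_flows):
        kind = rnd.choice(("api", "web", "dns", "ssh"))
        if kind == "api":     # short HTTPS API call: small request, a few packets
            dst, dport, sizes = "203.0.113.10", 443, [rnd.randint(200, 400)] + [rnd.randint(300, 800) for _ in range(rnd.randint(3, 6))]
        elif kind == "web":   # long HTTPS page load: tens of large packets
            dst, dport, sizes = "203.0.113.10", 443, [rnd.randint(300, 600)] + [rnd.randint(800, 1400) for _ in range(rnd.randint(20, 40))]
        elif kind == "dns":   # one or two small UDP packets
            dst, dport, sizes = "10.0.0.1", 53, [rnd.randint(60, 90) for _ in range(rnd.randint(1, 2))]
        else:                 # interactive SSH: hundreds of small packets
            dst, dport, sizes = "10.0.0.5", 22, [rnd.randint(80, 160) for _ in range(rnd.randint(200, 400))]
        src, proto = "10.0.0.%d" % rnd.randint(2, 250), "udp" if kind == "dns" else "tcp"
        pkts += [(i * 1000 + t, src, dst, 20000 + i, dport, proto, s) for t, s in enumerate(sizes)]
    return pkts


DETECTOR = BenignProfileDetector().fit(packets_to_flows(synth_benign(300)))

# Constructed test flows: a tiny C2 beacon hiding on 443, a short IRC-style
# check-in on a port whose group only ever saw SSH, and a normal page load.
TEST_FLOWS = {
    "beacon": (("10.0.0.9", "198.51.100.7", 40001, 443, "tcp"), [52, 48, 60]),
    "irc_checkin": (("10.0.0.9", "198.51.100.8", 40002, 6667, "tcp"), [44, 51, 47]),
    "normal_web": (("10.0.0.9", "203.0.113.10", 40003, 443, "tcp"), [450] + [1100] * 30),
}


def verdicts():
    return {name: DETECTOR.is_bot(key, sizes) for name, (key, sizes) in TEST_FLOWS.items()}


if __name__ == "__main__":
    for name, bot in verdicts().items():
        print(f"{name:12s} -> {'BOT' if bot else 'normal'}")
```

Run as a script to print one verdict per constructed flow. The cut-off comes from the benign training scores themselves, which is what makes the model one-class: no botnet sample is needed to choose it. The flip side is that the chosen percentile directly sets the false-positive rate on benign traffic, and a flow whose group never appeared in training is rejected outright rather than scored, so the grouping rule and the coverage of the benign capture matter as much as the mixture itself.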
Table of contents
Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of contents
List of tables
List of figures
1. Introduction
1.1 Background
1.2 Motivation
1.3 Contributions
1.4 Thesis organization
2. Related work
2.1 Anomaly detection
2.2 Signature-based detection
2.3 Machine-learning-based detection
3. Methodology
3.1 Anomaly detection
3.2 Gaussian mixture model (GMM)
4. System design
4.1 Overview
4.2 Preprocessing
4.3 Training mode
4.4 Detection mode
5. System implementation
5.1 Tools used
5.1.1 sklearn
5.1.2 pandas
5.1.3 numpy
5.2 Program flow
5.2.1 Converting pcap files to txt files
5.2.2 Assembling packets into network flows
5.2.3 Computing network flow features
5.2.4 Grouping network flows
5.2.5 Training the Gaussian mixture models
5.2.6 Detecting unknown network flows
5.3 GUI tool
6. Datasets and experiments
6.1 Datasets
6.2 Evaluation metrics
6.3 Experiments
6.3.1 Feature observations: botnet versus normal traffic
6.3.2 Feature observations across traffic types
6.3.3 Detection of different botnets with and without traffic grouping
6.3.4 Adding noise
6.3.5 Comparison of results on the School and Lab datasets
7. Conclusion
References