Graduate student: 吳伊苓
Graduate student (romanized): Wu, Yi-Ling
Thesis title (Chinese): 在台灣學術網路環境中偵測網頁木馬之研究 (A study on detecting webshells in the Taiwan Academic Network environment)
Thesis title (English): Detection Webshell in TANet
Advisor: 陳彥宏
Oral defense date: 2019-07-25
Degree: Master
Institution: 臺北市立大學 (University of Taipei)
Department: Master's In-Service Program, Department of Computer Science
Discipline: Engineering
Field: Electrical and Computer Engineering
Document type: Academic thesis
Year of publication: 2019
Graduation academic year: 107
Language: Chinese
Pages: 54
Chinese keywords: 學術網路 (academic network); 網頁木馬 (webshell); 入侵偵測規則 (intrusion detection rules)
English keywords: Taiwan Academic Network (TANet); Webshell; Snort
Usage statistics:
  • Cited: 0
  • Views: 84
  • Downloads: 0
  • Bookmarked: 0
Abstract (translated from Chinese): On-site investigation of several recent information security incidents revealed a wave of attacks against externally facing service websites. The attacker first scans for web page or system vulnerabilities, exploits them to plant a webshell on the target host, uses the planted webshell to create an account with administrator privileges, logs in to the system through a remote desktop connection with that account, then installs malicious backdoor programs and hacking tools, scans and spreads through the internal network, and finally uses the compromised host as a relay to keep attacking other government agencies and private organizations. Based on recent security incidents at colleges and universities, this study analyzes the attack flow of those incidents, examines in detail the attack patterns and characteristics of the webshell intrusions currently facing the Taiwan Academic Network, and on that basis proposes corresponding Snort IDS detection rules that can be deployed on the external gateway to raise an immediate alert when a similar attack recurs, helping administrators grasp the intrusion situation and keep the damage from spreading. This study improves on the detection results of the security vendor FireEye's report "Detecting and Defeating the China Chopper Web Shell": by modifying the Snort IDS detection rules, it increases the number of attack patterns from FireEye's webshell analysis report that are detected.
Abstract (English): On-site investigation of a number of recent computer security incidents revealed a new attack technique used against externally facing service websites. First, the attacker scans for web page or system weaknesses and exploits them to implant a webshell on the target host, then uses the webshell to establish an account with administrator privileges. The attacker then logs in to the target system over Remote Desktop Protocol (RDP) and implants malicious backdoor programs and hacking tools to scan the internal network and move laterally through it. Finally, the attacker uses the compromised computer as a relay station to continue attacking government agencies or civil organizations. Based on recent security incidents at colleges and universities, this study analyzes the attack process of the related incidents, together with the attack patterns and characteristics of the webshells currently found in the Taiwan Academic Network. Corresponding Snort IDS detection rules are designed for deployment on the external gateway, so that when a similar attack occurs again an alert is raised immediately, helping administrators grasp the intrusion situation and prevent the spread of victimization. This study improves on the detection results of the "Detecting and Defeating the China Chopper Web Shell" report published by the security vendor FireEye, and, by modifying the Snort IDS rules, increases the number of detection patterns from that webshell analysis report that are covered.
Table of contents:
Chapter 1 Introduction - 1
Section 1 Research background - 1
Section 2 Research motivation - 1
Section 3 Research objectives - 2
Section 4 Thesis structure - 3
Chapter 2 Literature review - 5
Section 1 Advanced persistent threats (APT) - 5
Section 2 Webshells - 7
Section 3 Webshell connection tools - 11
1. China Chopper (中國菜刀) - 11
2. AntSword (中國蟻劍) - 14
Section 4 Snort intrusion detection system - 15
Section 5 OWASP literature review - 20
Chapter 3 Research method - 25
Section 1 Webshell analysis - 25
Section 2 Snort rule analysis - 28
1. Packet analysis - 28
2. Rule design - 36
Chapter 4 Results and discussion - 39
Section 1 System deployment - 39
Section 2 Functional verification - 41
Section 3 Protection recommendations - 47
1. Website management - 47
2. Web page comparison - 47
3. System upgrades and updates - 48
Chapter 5 Conclusions and recommendations - 49
References - 50
Electronic full text: available (internet public release date: 20241231)