National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)
Detailed record
Author: 曾煜鈞
Author (English): Yu-Chun Tseng
Title (Chinese): 植基於DoT查詢行為之物聯網殭屍網路偵測機制
Title (English): IoT Botnet Detection Based on the Behaviors of DNS over TLS Queries
Advisor: 范俊逸
Advisor (English): Fan, Chun-I
Degree: Master
Institution: National Sun Yat-sen University (國立中山大學)
Department: Master's Program in Information Security, Department of Computer Science and Engineering (資訊工程學系資訊安全碩士班)
Document type: Academic thesis
Year of publication: 2022
Academic year of graduation: 110
Language: English
Number of pages: 63
Keywords (Chinese, translated): Internet of Things; botnet; Domain Name System privacy; DoT domain query; machine learning; domain generation algorithm
Keywords (English): Internet of Things (IoT); Botnet; Domain Name System (DNS) Privacy; DNS over TLS Query; Machine Learning; Domain Generation Algorithm (DGA)
Abstract (Chinese, translated):
DNS queries have long suffered from problems such as domain name interception attacks. Therefore, in addition to defense mechanisms such as DNSSEC and DNSCrypt, which protect the integrity of domain name queries, the IETF standardized two transport security protocols, DNS over TLS (DoT) in 2016 and DNS over HTTPS (DoH) in 2018, to protect the confidentiality and availability of the domain name query exchange, prevent man-in-the-middle attacks, and guarantee user privacy. However, in recent years the threat of IoT botnets has grown, and related research indicates that botnets frequently use Domain Generation Algorithms (DGA) to communicate with their command-and-control (C&C) servers. Since DNS is an essential medium for botnet communication, infected devices may use these transport security protocols to hide the main features of the domain names they query, making identification difficult.
In this thesis we point out the problem of IoT devices evading detection through covert channels and propose a botnet detection scheme based on DoT queries. Encrypted DNS traffic is classified with random forest and SVM models; the results show that the proposed scheme can effectively distinguish website domain names, IoT domain names, and DGA domain names, enabling network administrators to detect botnet traffic and infected devices in encrypted traffic in real time and so prevent related attacks and the spread of infection.
Abstract (English):
DNS queries have suffered from problems such as domain name interception attacks. Therefore, in addition to the defense mechanisms DNSSEC and DNSCrypt, which protect the integrity of domain name queries, the IETF established two transport security protocols, DNS over TLS (DoT) and DNS over HTTPS (DoH), in 2016 and 2018, respectively. These protocols protect the confidentiality and availability of the domain name query exchange, prevent man-in-the-middle attacks, and ensure user privacy. However, in recent years the threat of IoT botnets has expanded, and studies have shown that botnets often use Domain Generation Algorithms (DGA) to communicate with their Command-and-Control servers. Since DNS is an essential medium for botnet communication, infected devices may use these transport security protocols to hide the main features of domain names, making identification difficult.
This thesis therefore points out that IoT devices can evade detection through covert channels and proposes a botnet detection scheme based on DoT queries. The results show that the proposed scheme can effectively distinguish among website domain names, IoT domain names, and DGA domain names. It enables network administrators to detect botnet traffic and devices in encrypted DNS traffic in real time, in order to prevent related attacks and the spread of infection.
Table of contents:
Thesis Approval Form i
Acknowledgment iv
Abstract (Chinese) v
Abstract vi
List of Figures ix
List of Tables x
List of Listings xi
Chapter 1 Introduction 1
1.1 Contributions 3
1.2 Organization 4
Chapter 2 Preliminaries 5
2.1 DNS Security Review 5
2.1.1 DNSSEC and DNSCrypt 7
2.1.2 DNS over TLS / HTTPS 8
2.1.3 DNS-Based Website Fingerprinting 10
2.2 DNS in IoT Architecture 11
2.2.1 IoT Overview 11
2.2.2 IoT Domain Naming 11
2.2.3 Using DoT in IoT 12
2.2.4 Extension Mechanisms for DNS 13
2.3 DNS Query Based IoT Botnet Behavior 13
2.3.1 Botnet Overview 14
2.3.2 Fast Flux DNS 16
2.3.3 Domain Generation Algorithm 17
2.4 Machine Learning Algorithms 20
2.4.1 Support Vector Machine 20
2.4.2 Random Forest 21
Chapter 3 Related Works 22
3.1 Siby et al.'s Research 22
3.2 Houser et al.'s Research 23
3.3 Patsakis et al.'s Research 23
3.4 Bushart et al.'s Research 23
Chapter 4 DoT Query Based Botnet Detection Scheme 25
4.1 Threat Model 25
4.2 Data Collection 26
4.3 Experimental Design 28
4.4 Feature Extraction 30
4.4.1 Feature Processing 31
4.5 Algorithm Selection 33
Chapter 5 Evaluation 34
5.1 Performance Metrics 34
5.2 Experiment Results 36
5.3 Comparison and Discussion 37
Chapter 6 Conclusion 41
Bibliography 43
Appendix A Another Performance of Detecting Each Domain Name Type 49
Electronic full text (Internet release date: 20250804)