
Graduate student: 陳裕傑 (Yu-jie Chen)
Thesis title: 混合式隱藏式馬可夫模型應用於殭屍網路流量行為之早期偵測 (Early Detection for Botnet Traffic Behavior Based on Hybrid Hidden Markov Model)
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee members: 徐讚昇 (Tsan-sheng Hsu), 賴溪松 (Chi-Sung Laih), 陳振楠 (Jenn-Nan Chen), 李育杰 (Yuh-Jye Lee)
Degree: Master
Department: Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science
Publication year: 2008
Graduation academic year: 96
Language: English
Pages: 68
Chinese keywords: botnet, command and control, chat room, hidden Markov model
Foreign-language keywords: command and control, C&C, IRC
Statistics: views 234, downloads 5
  • Because attackers deliver the commands that control a botnet through the same message-passing mechanism ordinary users rely on for chat, the traffic a botnet generates is hard to tell apart from normal chat traffic, so identifying a botnet's command and control channel from network packets is a considerable challenge. Early detection of botnet command and control is harder still, because the diversity of communication behavior makes it difficult to separate from the normal traffic distribution. In this study we therefore propose an early botnet detection method that models botnet communication behavior from the distinct actions and bursty traffic produced in each phase of botnet communication. Since botnet communication is temporal, we consider not only the sequential nature of the communication but also the contextual relationships within each communication action. To meet these requirements we propose the Hybrid Hidden Markov Model (HHMM) algorithm, a sequential modeling method that profiles the communication behavior in traffic according to the ordering induced by causal relationships between network packets, and uses that profile to identify early botnet communication behavior in network traffic. By detecting early botnet communication actions and cleaning the controlled hosts within the domain, large-scale attacks can be prevented and the recovery cost of launching or suffering attacks can be reduced. Experiments confirm that controlled bot hosts can be detected during early botnet communication, and that the sequential modeling method proposed here profiles communication behavior in network traffic more effectively than traditional non-sequential methods.


    Identifying a botnet's command and control (C&C) channel from network traffic remains a major difficulty because botnet traffic is ambiguous and easily confused with normal communications. In the early stage of botnet C&C, moreover, the diverse behaviors are hard to detect and difficult to distinguish from usual fluctuations. In this study, we propose a novel approach to botnet early detection by modeling the bursty traffic that appears within the different phases of a bot's behavior. Since botnet communication has temporal interdependencies, we treat network traffic as sequential and approach it as a time-series task. Therefore, the Hybrid Hidden Markov Model (HHMM), a sequential profiling method, is applied to identify botnet C&C behaviors as early as possible without losing detection capability, so that the effect of a botnet can be reduced before it launches large-scale distributed attacks. Experimental results demonstrate that the proposed method not only outperforms other non-sequential methods but is also capable of detecting compromised hosts running bots in the early phase at an acceptable false positive rate.

    Table of contents:
    Abstract (p. II)
    Acknowledgements (p. IV)
    Content (p. V)
    List of Figures (p. VII)
    List of Tables (p. VIII)
    Chapter 1 Introduction (p. 1)
    1.1 Motivation (p. 1)
    1.2 Challenge (p. 2)
    1.3 Related Work (p. 3)
    1.4 Concepts (p. 7)
    1.5 Contribution (p. 9)
    1.6 Outline of the Thesis (p. 10)
    Chapter 2 Background (p. 11)
    2.1 Internet Relay Chat (IRC) (p. 11)
    2.2 Bots and Botnets (p. 13)
    2.3 IRC Botnet Structure and Attack Flow (p. 18)
    Chapter 3 Botnet Early Detection Using Hybrid Hidden Markov Model Algorithm (p. 20)
    3.1 Bursty Traffic in Botnet Communication (p. 20)
    3.2 C&C Early Detection Based on Hybrid Hidden Markov Model (HHMM) (p. 25)
    3.2.1 Bursty Feature Extractor (p. 25)
    3.2.2 HHMM Parameter Estimator (p. 26)
    3.2.3 Traffic Profile (p. 29)
    3.2.4 Idle State Estimator (p. 30)
    3.3 Summary (p. 31)
    Chapter 4 Experiments and Results (p. 32)
    4.1 Datasets (p. 32)
    4.2 Performance Measurements (p. 35)
    4.3 Feature Coding of Comparison Algorithms (p. 36)
    4.4 Identification of Traffic of Normal Chat and C&C Communication (p. 39)
    4.5 Evaluation on Early Detection (p. 44)
    4.6 Evaluation after Launching Attacks (p. 46)
    Chapter 5 Conclusion and Further Work (p. 50)
    5.1 Conclusions (p. 50)
    5.2 Limitation (p. 51)
    5.3 Further Work (p. 52)
    References (p. 54)
    Vita (p. 58)
