| 摘要: | 惡意域名一直以來都是網路犯罪活動,例如散發垃圾郵件、財務詐欺、釣魚網站等的踏腳石。一個企業每天對外會有無數連線,但由於近年來駭客猖獗地利用各種方式讓惡意程式蔓延,例如Advanced Persistent Threat(APT)與BotNet等,導致眾多企業雖已受駭但仍不自覺。因此如何在眾多的對外連線中,及早發現可疑域名已成為一件極重要的企業資安問題。
為了及早發現可疑域名,有不少學者使用Passive DNS機制來識別惡意域名並且皆有卓越的偵測率。但是Passive DNS最大的限制在於域名資源記錄(Resource Recode, RR)日誌通常僅限ISP業者才能獲得,導致一般研究單位或是民間企業在實作上具有困難。此外現有方法大多都僅應用於偵測於一般的殭屍網路域名,反之對於近年來猖狂的APT並未多加著墨。因此,本研究提出一個(Suspicious Domain Name Detector, SDND)可疑域名偵測系統, SDND不僅能偵測殭屍網路域名與APT域名,同時也能克服Passive DNS機制的使用門檻,讓域名資源記錄不再需要依賴 ISP業者提供。SDND採用了本研究所提出之Semi-Passive DNS架構並使用機器學習的方法來評估域名是否近似於已知的殭屍網路域名與APT域名。本研究於實驗中使用了Alexa top、DNS-BH等相關機構所提供的域名清單進行內部測試與外部測試,證實SDND在惡意網域的偵測上擁有98.9的正確率以及僅有0.09的誤判率,代表了SDND在偵測可疑的域名上確實用有實用價值。
關鍵字:進階持續性滲透攻擊, 殭屍網路, 半被動式域名資源紀錄蒐集機制
;Malicious domain name always useful for criminal activity, such as spamming, financial fraud and phishing sites. Attackers always use sophisticated methods to find a way in, and lead most victims are compromised for months before they discover it. Therefore, early to detect the malicious domain name become more and more important issue for most enterprises.
In order to address the malicious domain name issues, there are many academic literatures start to use the technology of passive DNS replication to identified malicious domain name, such as NOTOS, Kopis, EXPOSURE, Segugio and IDnS. Those are famous systems for malicious domain name detection and with high accuracy. Although those systems improve the issue of malicious domain name, it also brings another issues for detection, such as high barriers to apply the passive DNS and never academic try to use passive DNS to detect the Advanced Persistent Threat (APT) attack.
In this paper we propose Semi-Passive DNS replication and Suspicious Domain Name Detector (SDND) which can reduce the high barriers of apply the passive DNS, and also can efficiently to detect malicious domain name. Our results show that SDNS can identify malicious domain names with high accuracy (true positive rate of 98.9%) and low false positive rate (0.09%).
Keyword: Advanced Persistent Threat, BotNet, Semi-Passive DNS |
