Graduate Thesis 103423022: Detailed Record




Author: 趙健智 (Jian-Zhi Zhao)    Department: Information Management
Title: 基於HTTP協定之可疑流量偵測研究
(On the Study of HTTP Based Suspicious Traffic Detection Mechanism)
  1. Access to this electronic thesis: open immediately.
  2. The open-access full text is licensed only for personal, non-commercial retrieval, reading and printing for academic research.
  3. Please comply with the Copyright Act of the Republic of China: do not reproduce, distribute, adapt, repost or broadcast it without permission.

Abstract (Chinese, translated): In today's world of ubiquitous Internet access, most enterprise data is stored on internal hosts, and these hosts are necessarily connected, directly or indirectly, to the network. While this makes access and management convenient, it also lets attackers use the Internet to steal internal enterprise data, causing serious leaks. In recent years, to hide their tracks, attackers have frequently used the HTTP protocol: they compromise victims with malware to exfiltrate enterprise data, or lure users into entering personal or confidential data on websites. All of these activities generate HTTP traffic, so detecting such suspicious traffic early has become a critically important problem in information security.
This study proposes a system that uses a Support Vector Machine to detect suspicious HTTP traffic. From features of the HTTP protocol, the system builds a detector for flows that may belong to malicious activity, and it relaxes the usual research limitation that building a normal model requires traffic data from a large number of hosts. Unlike other work, we build separate anomaly detection models for the different types of HTTP request packets and HTTP response packets, reassemble the classified packets into one HTTP flow, and finally decide whether the flow is malicious from the viewpoint of the complete flow. Our experiments show that the proposed system can build its classification model from the traffic of only four users and detect suspicious traffic generated by malware with a detection rate of 88%.
Abstract (English): In the Internet era, most enterprise data is stored on enterprise hosts, and these hosts are necessarily linked, directly or indirectly, to the network. Although this makes access and management convenient, it also lets attackers use the Internet to steal enterprise data, resulting in serious information leakage. In recent years, to hide their tracks, attackers have often used the HTTP protocol as the channel for attacking and controlling victims with malicious software, causing leakage of corporate data or confidential information. Because all of these actions generate HTTP traffic, detecting such suspicious traffic early has become an important problem in information security.
This study proposes an HTTP traffic detection system based on the Support Vector Machine that uses features of the HTTP protocol to identify flows that may carry suspicious traffic. It relaxes a restriction common to approaches that build a normal model: the need for a large volume of traffic logs to establish the relationships between hosts on the Internet. Unlike prior work on detecting malicious packets, this study builds the anomaly detection model separately for the different types of HTTP request packets and then reassembles the packets into a complete HTTP flow. The experiments show that the resulting HTTP flow anomaly detection model detects suspicious traffic caused by malicious software with a detection rate of 88%.
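The two-stage design the abstract describes (one anomaly model per message type, then a verdict over the reassembled HTTP flow), written out as an added example; this is not the thesis's code. The page does not reproduce the thesis's feature list or its OCSVM (LibSVM) configuration, so the header features, the mean/standard-deviation envelope used here in place of OCSVM, and every sample message, host name, URL and IP address below are assumptions constructed for the example.

```python
# Added example, not the thesis's code: per-type HTTP models, then a flow-level verdict.
import re
import statistics
from typing import Dict, List, Tuple

IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
UA = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/45.0"  # assumed browser UA

def parse_http_message(raw: bytes) -> Dict:
    """Split one HTTP/1.x message into start line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = lines[0].split(" ", 2)
    if parts[0].startswith("HTTP/"):  # status line, so this is a response
        return {"type": "response", "status": int(parts[1]), "headers": headers, "body": body}
    return {"type": "request", "method": parts[0], "target": parts[1], "headers": headers, "body": body}

def request_features(m: Dict) -> List[float]:  # assumed features, not the thesis's list
    h, target = m["headers"], m["target"]
    return [float(len(h)),                                  # header count
            float("user-agent" in h),                       # User-Agent present
            float("host" in h),                             # Host present
            float(bool(IP_HOST.match(h.get("host", "")))),  # Host is a bare IP literal
            float(len(target)),                             # request-target length
            float(sum(c.isdigit() for c in target)),        # digits in request-target
            float(len(m["body"]))]                          # body size

def response_features(m: Dict) -> List[float]:  # assumed features, not the thesis's list
    h = m["headers"]
    return [float(len(h)), float("content-type" in h), float("server" in h), float(len(m["body"]))]

class EnvelopeModel:
    """One-class scorer standing in for OCSVM: anomalous when any feature is more than
    k standard deviations from the mean of the normal training set."""
    def __init__(self, k: float = 3.0, min_std: float = 0.25):
        self.k, self.min_std, self.mean, self.std = k, min_std, [], []
    def fit(self, vectors: List[List[float]]) -> "EnvelopeModel":
        cols = list(zip(*vectors))
        self.mean = [statistics.fmean(c) for c in cols]
        # floor the spread so constant features (User-Agent always present) still discriminate
        self.std = [max(statistics.pstdev(c), self.min_std) for c in cols]
        return self
    def is_anomalous(self, v: List[float]) -> bool:
        return max(abs(x - m) / s for x, m, s in zip(v, self.mean, self.std)) > self.k

def classify_flow(flow: List[bytes], req_model: EnvelopeModel, resp_model: EnvelopeModel,
                  share: float = 0.5) -> Tuple[bool, List[bool]]:
    """Score each message with its type's model; the reassembled flow is suspicious
    when at least `share` of its messages were flagged."""
    flags = []
    for m in map(parse_http_message, flow):
        model, feats = (req_model, request_features) if m["type"] == "request" else (resp_model, response_features)
        flags.append(model.is_anomalous(feats(m)))
    return sum(flags) / len(flags) >= share, flags

def build_message(start_line: str, headers: List[Tuple[str, str]], body: bytes = b"") -> bytes:
    """Assemble a raw HTTP/1.1 message; Content-Length is appended when there is a body."""
    if body:
        headers = headers + [("Content-Length", str(len(body)))]
    head = start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers)
    return head.encode("latin-1") + b"\r\n" + body

def browser_headers(host: str, *extra: Tuple[str, str]) -> List[Tuple[str, str]]:
    return [("Host", host), ("User-Agent", UA), ("Accept", "text/html"), *extra]

def server_headers(ctype: str, *extra: Tuple[str, str]) -> List[Tuple[str, str]]:
    return [("Server", "nginx/1.10.0"), ("Content-Type", ctype), *extra]

NORMAL_FLOWS = [  # constructed request/response pairs standing in for the users' browsing
    [build_message("GET /index.html HTTP/1.1", browser_headers("www.example.com", ("Accept-Language", "zh-TW"))),
     build_message("HTTP/1.1 200 OK", server_headers("text/html", ("Date", "Mon, 18 Apr 2016 08:00:00 GMT")), b"<html><body>Welcome</body></html>")],
    [build_message("GET /news/2016/story.html HTTP/1.1", browser_headers("news.example.org", ("Connection", "keep-alive"))),
     build_message("HTTP/1.1 200 OK", server_headers("text/html", ("Cache-Control", "max-age=600")), b"<html><body>Story 2016</body></html>")],
    [build_message("GET /static/app.js?v=3 HTTP/1.1", browser_headers("www.example.com", ("Referer", "http://www.example.com/"))),
     build_message("HTTP/1.1 200 OK", server_headers("application/javascript", ("ETag", '"abc123"')), b"console.log('app v3');")],
    [build_message("POST /login HTTP/1.1", browser_headers("www.example.com", ("Content-Type", "application/x-www-form-urlencoded")), b"user=alice&pass=hunter2"),
     build_message("HTTP/1.1 302 Found", server_headers("text/html", ("Location", "/home"), ("Set-Cookie", "sid=42; HttpOnly")), b"<html>Redirecting</html>")],
]
# Held-out flows: an ordinary page view, and a constructed beacon (no User-Agent, bare-IP Host, opaque POST, header-less binary reply).
BENIGN_FLOW = [build_message("GET /about HTTP/1.1", browser_headers("www.example.com", ("Accept-Encoding", "gzip"))),
               build_message("HTTP/1.1 200 OK", server_headers("text/html", ("Date", "Mon, 18 Apr 2016 08:00:01 GMT")), b"<html><body>About us</body></html>")]
BEACON_FLOW = [build_message("POST /update.php HTTP/1.1", [("Host", "203.0.113.7")], bytes.fromhex("0a1b2c3d" * 10)),
               build_message("HTTP/1.1 200 OK", [], b"\x01\x00\x00\x10" + b"\x00" * 12)]

def build_models() -> Tuple[EnvelopeModel, EnvelopeModel]:
    """Split the collected normal traffic by message type and fit one model per type."""
    msgs = [parse_http_message(raw) for flow in NORMAL_FLOWS for raw in flow]
    req_model = EnvelopeModel().fit([request_features(m) for m in msgs if m["type"] == "request"])
    resp_model = EnvelopeModel().fit([response_features(m) for m in msgs if m["type"] == "response"])
    return req_model, resp_model

def run_demo() -> Dict[str, bool]:
    req_model, resp_model = build_models()
    return {name: classify_flow(flow, req_model, resp_model)[0] for name, flow in (("benign", BENIGN_FLOW), ("beacon", BEACON_FLOW))}

if __name__ == "__main__":
    print(run_demo())  # {'benign': False, 'beacon': True}
```

The `min_std` floor is what lets features that never vary in normal traffic (User-Agent always present, Host never a bare IP) still push a beacon past the threshold; without it a zero spread would make those features either inert or divide by zero. To move closer to the thesis's method, `EnvelopeModel` would be swapped for an OCSVM (scikit-learn's `OneClassSVM` or LibSVM with `-s 2`) trained on the same per-type feature matrices, with the flow-level vote left unchanged.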
Keywords (Chinese): ★ HTTP protocol
★ Suspicious traffic
★ Support vector machine
★ Anomaly detection
Keywords (English): ★ HTTP Protocol
★ Suspicious HTTP Traffic
★ Support Vector Machine
★ Anomaly Detection
Table of Contents
Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1-1 Research Background
1-2 Motivation and Objectives
1-3 Contributions
1-4 Thesis Organization
Chapter 2 Related Work
2-1 The HTTP Protocol
2-2 Suspicious-Traffic Detection Based on Domain-Name Features
2-3 Suspicious-Traffic Detection Based on Host Behaviour
2-4 Suspicious-Packet Detection Using the HTTP Protocol
2-5 Comparative Analysis
Chapter 3 HTTP Traffic Anomaly Detection with SVM
3-1 Detection Workflow and System Architecture
3-1-1 Data Collection Stage
3-1-2 Packet Classification Stage
3-1-3 Flow Classification Stage
3-2 HTTP Protocol Feature Selection and Computation
3-2-1 Request Packet Features
3-2-2 Response Packet Features
3-3 Use of SVM: OCSVM
Chapter 4 Experiments and Discussion
4-1 Experimental Data and Tools
4-1-1 Experimental Data
4-1-2 Experimental Tools
4-2 Experimental Design
4-3 Evaluation and Discussion of Results
Chapter 5 Conclusions and Future Work
5-1 Conclusions
5-2 Limitations
5-3 Future Work
References
Advisor: 陳奕明 (Yi-Ming Chen)    Approval date: 2016-8-29
For questions about this thesis, contact the National Central University Library, Promotion Services Division, TEL: (03)422-7151 ext. 57407, or by e-mail.