基於HTTP協定之可疑流量偵測研究

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：20

、訪客IP：3.149.229.253

姓名

趙健智(Jian-Zhi Zhao) 查詢紙本館藏

畢業系所

資訊管理學系

論文名稱

基於HTTP協定之可疑流量偵測研究
(On the Study of HTTP Based Suspicious Traffic Detection Mechanism)

相關論文

★ 應用數位版權管理機制於數位影音光碟內容保護之研究	★ 以應用程式虛擬化技術達成企業軟體版權管理之研究
★ 以IAX2為基礎之網頁電話架構設計	★ 應用機器學習技術協助警察偵辦詐騙案件之研究
★ 擴充防止詐欺及保護隱私功能之帳戶式票務系統研究-以大眾運輸為例	★ 網際網路半結構化資料之蒐集與整合研究
★ 電子商務環境下網路購物幫手之研究	★ 網路安全縱深防護機制之研究
★ 國家寬頻實驗網路上資源預先保留與資源衝突之研究	★ 以樹狀關聯式架構偵測電子郵件病毒之研究
★ 考量地區差異性之隨選視訊系統影片配置研究	★ 不信任區域網路中數位證據保留之研究
★ 入侵偵測系統事件說明暨自動增加偵測規則之整合性輔助系統研發	★ 利用程序追蹤方法關聯分散式入侵偵測系統之入侵警示研究
★ 一種網頁資訊擷取程式之自動化產生技術研發	★ 應用XML/XACML於工作流程管理系統之授權管制研究

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

在現網際路普及的世界下，大多企業資料都儲存內部主機而這些在現網際路普及的世界下，大多企業資料都儲存內部主機而這些在現網際路普及的世界下，大多企業資料都儲存內部主機而這些在現網際路普及的世界下，大多企業資料都儲存內部主機而這些在現網際路普及的世界下，大多企業資料都儲存內部主機而這些主機勢必與網路直接或間的聯繫，雖然方便存取和管理主機勢必與網路直接或間的聯繫，雖然方便存取和管理主機勢必與網路直接或間的聯繫，雖然方便存取和管理，但也促使網路駭客，但也促使網路駭客利用網際網路盜取企業內部資料，造成嚴重外洩網路盜取企業內部資料，造成嚴重外洩網路盜取企業內部資料，造成嚴重外洩。近幾年來，駭客為了隱藏自己的行蹤常近幾年來，駭客為了隱藏自己的行蹤常近幾年來，駭客為了隱藏自己的行蹤常近幾年來，駭客為了隱藏自己的行蹤常近幾年來，駭客為了隱藏自己的行蹤常近幾年來，駭客為了隱藏自己的行蹤常利用 HTTP協定，透過惡意軟體入侵受害者使得企業資料外洩或是網站誘協定，透過惡意軟體入侵受害者使得企業資料外洩或是網站誘協定，透過惡意軟體入侵受害者使得企業資料外洩或是網站誘協定，透過惡意軟體入侵受害者使得企業資料外洩或是網站誘協定，透過惡意軟體入侵受害者使得企業資料外洩或是網站誘協定，透過惡意軟體入侵受害者使得企業資料外洩或是網站誘協定，透過惡意軟體入侵受害者使得企業資料外洩或是網站誘協定，透過惡意軟體入侵受害者使得企業資料外洩或是網站誘協定，透過惡意軟體入侵受害者使得企業資料外洩或是網站誘使用者輸入個人或是機密資料等，而這些行為均會產生使用者輸入個人或是機密資料等，而這些行為均會產生使用者輸入個人或是機密資料等，而這些行為均會產生 HTTP流量，如何及早偵測該可流量，如何及早偵測該可流量，如何及早偵測該可疑流量已成為資訊安全領域上極為重要的問題。
本研究提出以 Support Vector Machine進行 HTTP流量偵測的系統。此的系統。此的系統。此利用 HTTP協定上的特徵建立一個可以有效偵測那些能是在進行惡意活動疑流量，並且協定上的特徵建立一個可以有效偵測那些能是在進行惡意活動疑流量，並且協定上的特徵建立一個可以有效偵測那些能是在進行惡意活動疑流量，並且改善一般在建立正常模型時需要大量主機資料的研究限制。和一般在建立正常模型時需要大量主機資料的研究限制。和一般在建立正常模型時需要大量主機資料的研究限制。和其他研究不同之處在於我們以不同類型的 HTTP請求封包及 HTTP回應封包建立各自的異常偵測模型，再將類回應封包建立各自的異常偵測模型，再將類回應封包建立各自的異常偵測模型，再將類封包重組回一個 HTTP流量，流量，最後以一個完整的 HTTP流量觀點，來辨認該流量是否惡意。觀點，來辨認該流量是否惡意。觀點，來辨認該流量是否惡意。觀點，來辨認該流量是否惡意。本研究的實驗證我們提出的系統能夠僅用四名使者流量資料建立分類模型，並且偵提出的系統能夠僅用四名使者流量資料建立分類模型，並且偵提出的系統能夠僅用四名使者流量資料建立分類模型，並且偵測來自惡意軟體的可疑流量，其偵率達到 88%。

摘要(英)

In the era of Internet, the most enterprise data is stored within the enterprise hosts, and these hosts is bound directly or indirectly linked with the network. Although there are convenient access and management, it also promotes hackers to steal enterprise data by the use of Internet, resulting in serious leakage of information. In recent years, in order to hide the trace, hackers often use HTTP protocol as the channel of attacking and control victims with malicious software, causing leakage of corporate data or confidential information. Because these actions all generate HTTP traffic, how early detection of the suspicious traffic will be an important issue in the field of information security.
This study proposes a HTTP traffic detection system which is based on Support Vector Machine and characterized by the use of the HTTP protocol establishment which may be carrying suspicious traffic. We lessen the restriction of the establishment of normal model. The restriction is that requiring a lot of traffic logs to be analyzed for the relationship establishment between hosts in the Internet. Unlike previous research literature about detecting malicious packets, this study proposes to establish the anomaly detection model by different type of the HTTP request packets, then reassemble packets to a complete HTTP traffic. The experiments in this study show that we can establish the HTTP traffic anomaly detection model, which detect suspicious traffic caused by malicious software with detection rate is 88%.

關鍵字(中)

★ HTTP協定
★ 可疑流量
★ 支援向量機
★ 異常偵測

關鍵字(英)

★ HTTP Protocol
★ Suspicious HTTP Traffic
★ Support Vector Machine
★ Anomaly Detection

論文目次

論文摘要..............................i
Abstract.............................ii
誌謝.................................iii
目錄.................................iv
圖目錄...............................vi
表目錄...............................viii
第一章緒論............................1
1-1 研究背景...........................1
1-2 動機與目的.........................2
1-3 研究貢獻...........................3
1-4 章節架構...........................4
第二章相關研究.........................5
2-1 HTTP協定...........................5
2-2 以域名特徵偵測之可疑流量研究.........7
2-3 以主機行為偵測之可疑流量研究.........10
2-4 利用 HTTP協定偵測可疑封包研究........14
2-5 綜合分析...........................18
第三章以 SVM進行 HTTP流量異常偵測......22
3-1 偵測流程與系統架構..................22
3-1-1 資料蒐集階段.....................23
3-1-2 封包分類階段.....................24
3-1-3 流量分類階段.....................25
3-2 HTTP協定特徵選取和計算.............25
3-2-1 請求封包特徵....................26
3-2-2 回應封包特徵....................33
3-2 SVM的使用-OCSVM..................34
第四章實驗與討論.....................37
4-1 實驗資料和工具....................37
4-1-1 實驗資料........................37
4-1-2 實驗工具........................40
4-2 實驗設計..........................40
4-3 實驗結果評估和說明.................41
第五章結論與未來研究..................50
5-1 結論.............................50
5-2 研究限制.........................51
5-3 未來研究.........................51
參考文獻.............................53

參考文獻

[1] Apostolis Zarras,Papadogiannakis, Antonis , Gawlik, Robert and Holz, Thorsten., “Automated generation of models for fast and precise detection of http-based malware,” in Proc. of the 12th Annual International Conference on Privacy, Security and Trust, PST, pp. 249–256, 2014.
[2] Alomari, Esraa, Manickam, Selvakumar, Gupta, B.B., Singh, Parminder and Anbar, Mohammed. Design, deployment and use of HTTP-based botnet (HBB) testbed. In: 16th International Conference on Advanced Communication Technology. IEEE, 2014. p. 1265-1269.
[3] Cai, Tao; Zou, Futai. Detecting HTTP botnet with clustering network traffic. In:Wireless Communications, Networking and Mobile Computing (WiCOM), 2012 8th International Conference on. IEEE, 2012. p. 1-7.
[4] Chiba, Daiki, Yagi, Takeshi, Akiyama, Mitsuaki, Aoki, Kazufumi, Hariu Takeo and Goto, Shigeki. BotProfiler: Profiling Variability of Substrings in HTTP Requests to Detect Malware-Infected Hosts. In: Trustcom/BigDataSE/ISPA, 2015 IEEE., p. 758-765.
[5] Eslahi, Meisam, Hashim H and Tahir NM. An efficient false alarm reduction approach in HTTP-based botnet detection. In: Computers & Informatics (ISCI), 2013 IEEE Symposium on. IEEE, 2013. p. 201-205.
[6] Gao, Cuixia; LI, Zhitang. Discovering host anomalies in multi-source information. In: 2009 International Conference on Multimedia Information Networking and Security. IEEE, 2009. p. 358-361.
[7] Grill, Martin; Rehak, Martin. Malware detection using HTTP user-agent discrepancy identification. In: 2014 IEEE International Workshop on Information Forensics and Security (WIFS). IEEE, 2014. p. 221-226.
[8] Hiruta S., Yamaguchi Y., Shimada H and Takakura H. Evaluation on Malware Classification by Combining Traffic Analysis and Fuzzy Hashing of Malware Binary. In: Proceedings of the International Conference on Security and Management (SAM). The Steering Committee of The World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp), 2015. p. 89.
[9] Huang, Shin-Ying, Yu, Fang, Tsaih, Rua-Huan and Huang, Yennun. Network-traffic anomaly detection with incremental majority learning. In: 2015 International Joint Conference on Neural Networks (IJCNN). IEEE, 2015. p. 1-8.
[10] Kheir, Nizar. Behavioral classification and detection of malware through http user agent anomalies. Journal of Information Security and Applications, 2013, 18.1: 2-13.
[11] Ma, Justin, Saul Lawrence, Savage, Stefan and Voelker, Geoffrey M. Beyond blacklists: learning to detect malicious web sites from suspicious URLs. In: Proceedings of the 15th ACM SIGKDD international conference on Knowledge discovery and data mining. ACM, 2009. p. 1245-1254.
[12] Marchal, Samuel, Jérôme François, Radu State and Thomas Engel. PhishStorm: Detecting Phishing With Streaming Analytics. Network and Service Management, IEEE Transactions on, 2014, 11.4: 458-471.
[13] Nataliani, Yessica and Wellem, Theophilus. HTTP Traffic Graph Clustering using Markov Clustering Algorithm. International Journal of Computer Applications, 2014, 90.2
[14] Nelms, Terry; Perdisci, Roberto; AHAMAD, Mustaque. ExecScent: Mining for new C&C domains in live networks with adaptive control protocol templates. In: Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13). 2013. p. 589-604.
[15] Perdisci, Roberto; LEE, Wenke; FEAMSTER, Nick. Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces. In: NSDI. 2010. p. 391-404.
[16] Tran, Manh Cong; NAKAMURA, Yasuhiro. Web Access Behaviour Model for Filtering Out HTTP Automated Software Accessed Domain. In: Proceedings of the 10th International Conference on Ubiquitous Information Management and Communication. ACM, 2016. p. 67.
[17] Qin Tao, Guan, Xiaohong, Wang, Chenxu and Liu Zhaoli. MUCM: multilevel user cluster mining based on behavior profiles for network monitoring. IEEE Systems Journal, 2015, 9.4: 1322-1333.
[18] Xu, Kuai; Wang, Feng; Gu, Lin. Behavior analysis of internet traffic via bipartite graphs and one-mode projections. Networking, IEEE/ACM Transactions on, 2014, 22.3: 931-942.
[19] Yamauchi, Kazumasa; HORI, Yoshiaki; SAKURAI, Kouichi. Detecting HTTP-Based Botnet Based on Characteristic of the C & C Session Using by SVM. In:Information Security (Asia JCIS), 2013 Eighth Asia Joint Conference on. IEEE, 2013. p. 63-68.
[20] Zhao, Guodong, Xu Ke, Xu Lei and Wu, Bo. Detecting APT Malware Infections Based on Malicious DNS and Traffic Analysis. IEEE Access, 2015, 3: 1132-1142.
[21] Tobias Lewis et al.(2013) HTTP header heuristics for malware detection. Available from : https://www.sans.org/reading-room/whitepapers/detection/http-header-heuristics-malware-detection-34460
[22] Roland Zegers et al.(2015). HTTP Header Analysis. Available from : http://www.delaat.net/rp/2014-2015/p91/report.pdf
[23] LibSVM software . Available from : http://www.csie.ntu.edu.tw/~cjlin/libsvm
[24] Parkour, M. (2013). Collection of Pcap files from malware analysis. Available from http://contagiodump.blogspot.co.uk/2013/04/collection-of-pcap-files-frommalware.html
[25] McAfee Labs. (2013) Periodic connections to control server offer new way to detect botnets. Available : http://blogs.mcafee.com/mcafee-labs/periodic-links-to-controlserver-offer-new-way-to-detect-botnets
[26] RFC2616: TCP Protocol Available: https://tools.ietf.org/html/rfc2616
[27] TrendLabs2015年資訊安全總評” Available : http://www.trendmicro.tw/cloud-content/tw/pdfs/security-intelligence/reports/rpt-setting-the-stage.pdf
[28] Weka software. Available from : http://www.cs.waikato.ac.nz/ml/weka/
[29] Scikitlearn. Available from: http://scikit-learn.org
[30] 趨勢科技研究報告: 鎖定目標攻擊所使用的後門程式技。Available from http://blog.trendmicro.com.tw/wp-content/uploads/2014/10/wp-backdoor-use-in-targeted-attacks.pdf

指導教授

陳奕明(Yi-Ming Chen)

審核日期

2016-8-29

推文