博碩士論文 103423039 詳細資訊




以作者查詢圖書館館藏 以作者查詢臺灣博碩士 以作者查詢全國書目 勘誤回報 、線上人數:10 、訪客IP:3.95.131.208
姓名 朱奕叡(Yi-Rui Zhu)  查詢紙本館藏   畢業系所 資訊管理學系
論文名稱 基於Semi-Passive DNS機制之可疑域名偵測研究
(On the study of Semi-Passive DNS-based Suspicious Domain Name Detection Mechanism)
相關論文
★ 應用數位版權管理機制於數位影音光碟內容保護之研究★ 以應用程式虛擬化技術達成企業軟體版權管理之研究
★ 以IAX2為基礎之網頁電話架構設計★ 應用機器學習技術協助警察偵辦詐騙案件之研究
★ 網際網路半結構化資料之蒐集與整合研究★ 電子商務環境下網路購物幫手之研究
★ 網路安全縱深防護機制之研究★ 國家寬頻實驗網路上資源預先保留與資源衝突之研究
★ 以樹狀關聯式架構偵測電子郵件病毒之研究★ 考量地區差異性之隨選視訊系統影片配置研究
★ 不信任區域網路中數位證據保留之研究★ 入侵偵測系統事件說明暨自動增加偵測規則之整合性輔助系統研發
★ 利用程序追蹤方法關聯分散式入侵偵測系統之入侵警示研究★ 一種網頁資訊擷取程式之自動化產生技術研發
★ 應用XML/XACML於工作流程管理系統之授權管制研究★ 快速建置SIP服務的設計與實作研究
檔案 [Endnote RIS 格式]    [Bibtex 格式]    [相關文章]   [文章引用]   [完整記錄]   [館藏目錄]   [檢視]  [下載]
  1. 本電子論文使用權限為同意立即開放。
  2. 已達開放權限電子全文僅授權使用者為學術研究之目的,進行個人非營利性質之檢索、閱讀、列印。
  3. 請遵守中華民國著作權法之相關規定,切勿任意重製、散佈、改作、轉貼、播送,以免觸法。

摘要(中) 惡意域名一直以來都是網路犯罪活動,例如散發垃圾郵件、財務詐欺、釣魚網站等的踏腳石。一個企業每天對外會有無數連線,但由於近年來駭客猖獗地利用各種方式讓惡意程式蔓延,例如Advanced Persistent Threat(APT)與BotNet等,導致眾多企業雖已受駭但仍不自覺。因此如何在眾多的對外連線中,及早發現可疑域名已成為一件極重要的企業資安問題。

為了及早發現可疑域名,有不少學者使用Passive DNS機制來識別惡意域名並且皆有卓越的偵測率。但是Passive DNS最大的限制在於域名資源記錄(Resource Recode, RR)日誌通常僅限ISP業者才能獲得,導致一般研究單位或是民間企業在實作上具有困難。此外現有方法大多都僅應用於偵測於一般的殭屍網路域名,反之對於近年來猖狂的APT並未多加著墨。因此,本研究提出一個(Suspicious Domain Name Detector, SDND)可疑域名偵測系統, SDND不僅能偵測殭屍網路域名與APT域名,同時也能克服Passive DNS機制的使用門檻,讓域名資源記錄不再需要依賴 ISP業者提供。SDND採用了本研究所提出之Semi-Passive DNS架構並使用機器學習的方法來評估域名是否近似於已知的殭屍網路域名與APT域名。本研究於實驗中使用了Alexa top、DNS-BH等相關機構所提供的域名清單進行內部測試與外部測試,證實SDND在惡意網域的偵測上擁有98.9的正確率以及僅有0.09的誤判率,代表了SDND在偵測可疑的域名上確實用有實用價值。

關鍵字:進階持續性滲透攻擊, 殭屍網路, 半被動式域名資源紀錄蒐集機制
摘要(英) Malicious domain name always useful for criminal activity, such as spamming, financial fraud and phishing sites. Attackers always use sophisticated methods to find a way in, and lead most victims are compromised for months before they discover it. Therefore, early to detect the malicious domain name become more and more important issue for most enterprises.
In order to address the malicious domain name issues, there are many academic literatures start to use the technology of passive DNS replication to identified malicious domain name, such as NOTOS, Kopis, EXPOSURE, Segugio and IDnS. Those are famous systems for malicious domain name detection and with high accuracy. Although those systems improve the issue of malicious domain name, it also brings another issues for detection, such as high barriers to apply the passive DNS and never academic try to use passive DNS to detect the Advanced Persistent Threat (APT) attack.
In this paper we propose Semi-Passive DNS replication and Suspicious Domain Name Detector (SDND) which can reduce the high barriers of apply the passive DNS, and also can efficiently to detect malicious domain name. Our results show that SDNS can identify malicious domain names with high accuracy (true positive rate of 98.9%) and low false positive rate (0.09%).

Keyword: Advanced Persistent Threat, BotNet, Semi-Passive DNS
關鍵字(中) ★ 進階持續性滲透攻擊
★ 殭屍網路
★ 半被動式域名資源紀錄蒐集機制
關鍵字(英) ★ Advanced Persistent Threat
★ BotNet
★ Semi-Passive DNS
論文目次 論文摘要 vi
Abstract vii
誌謝 viii
目錄 ix
圖目錄 xii
表目錄 xiv
第一章 緒論 1
1-1 研究背景 1
1-2 動機與目的 4
1-3 研究貢獻 5
1-4 章節架構 6
第二章 相關研究 7
2-1 異常域名偵測 7
2-1-1 NOTOS 7
2-1-2 KOPIS 9
2-1-3 Segugio 11
2-2快速通量偵測 12
2-2-1 CROflux 12
2-2-2 Fast Flux Domain Detector (FFDD) 14
2-3網域通量偵測 16
2-3-1 EXPOSURE 16
2-3-2其餘Domain Flux Detection之相關文獻 18
2-4 進階持續性攻擊之域名偵測 19
2-4-1 IDnS 19
2-4-2其餘APT Domain Detection之相關文獻 22
2-5 Passive DNS Module相關研究之比較 23
2-5-1特徵應用之趨勢 23
2-5-2系統架構之趨勢 25
第三章 Semi-Passive DNS 域名資源記錄蒐集機制與SDND可疑域名偵測系統 26
3-1 Semi-Passive DNS 域名資源記錄蒐集機制 26
3-2 SDND系統架構 29
3-3 域名分類規則建立 29
3-3-1訓練樣本的選擇 30
3-3-2訓練樣本之域名資源記錄蒐集 31
3-3-3訓練樣本之域名特徵向量萃取與貼標籤 32
3-3-4域名分類規則建立 33
3-4 未知域名偵測 34
3-4-1未知域名資源記錄蒐集 34
3-4-2未知域名特徵萃取 35
3-4-3可疑域名指數評估 37
第四章 實驗與討論 39
4-1 實驗環境 39
4-2 特徵選取 40
4-3 篩選分類器訓練樣本 43
4-4 分類器模型評估與實驗 44
4-5不同分類器的效能差異與選擇 55
第五章 結論與未來研究 58
5-1 結論與研究貢獻 58
5-2 研究限制 59
5-3 未來研究 59
參考文獻 61
參考文獻 [1] Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., & Feamster, N. (2010, August). Building a Dynamic Reputation System for DNS. In USENIX security symposium (pp. 273-290).

[2] Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou II, N., & Dagon, D. (2011, August). Detecting Malware Domains at the Upper DNS Hierarchy. In USENIX security symposium (p. 16).

[3] Bilge, L., Sen, S., Balzarotti, D., Kirda, E., & Kruegel, C. (2014). EXPOSURE: a passive DNS analysis service to detect and report malicious domains. ACM Transactions on Information and System Security (TISSEC), 16(4), 14.

[4] Chen, C. M., Huang, J. J., & Ou, Y. H. (2015). Efficient suspicious URL filtering based on reputation. Journal of Information Security and Applications, 20, 26-36.

[5] Ghafir, I., & Prenosil, V. (2014, November). DNS query failure and algorithmically generated domain-flux detection. In Frontiers of Communications, Networks and Applications (ICFCNA 2014-Malaysia), International Conference on (pp. 1-5). IET.

[6] Grill, M., Nikolaev, I., Valeros, V., & Rehak, M. (2015, May). Detecting DGA malware using NetFlow. In Integrated Network Management (IM), 2015 IFIP/IEEE International Symposium on (pp. 1304-1309). IEEE.

[7] Gržnić, T., Perhoč, D., Marić, M., Vlašić, F., & Kulcsar, T. (2014, May). CROFlux—Passive DNS method for detecting fast-flux domains. In Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2014 37th International Convention on (pp. 1376-1380). IEEE.

[8] Hsu, F. H., Wang, C. S., Hsu, C. H., Tso, C. K., Chen, L. H., & Lin, S. H. (2014). Detect fast-flux domains through response time differences. IEEE Journal on Selected Areas in Communications, 32(10), (pp.1947-1956). IEEE.

[9] Janbeglou, M., Naderi, H., & Brownlee, N. (2014, May). Effectiveness of DNS-based security approaches in large-scale networks. In Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on (pp. 524-529). IEEE.

[10] Kwon, J., Kim, J., Lee, J., Lee, H., & Perrig, A. (2014, October). PsyBoG: Power spectral density analysis for detecting botnet groups. In Malicious and Unwanted Software: The Americas (MALWARE), 2014 9th International Conference on (pp. 85-92). IEEE.

[11] Rahbarinia, B., Perdisci, R., & Antonakakis, M. (2015, June). Segugio: Efficient Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks. In Dependable Systems and Networks (DSN), 2015 45th Annual IEEE/IFIP International Conference on (pp. 403-414). IEEE.

[12] Schales, D. L., Christodorescu, M., Hu, X., Jang, J., Rao, J. R., Sailer, R., ... & Wang, T. (2014, August). Stream computing for large-scale, multi-channel cyber threat analytics. In Information Reuse and Integration (IRI), 2014 IEEE 15th International Conference on (pp. 8-15). IEEE.

[13] Soska, K., & Christin, N. (2014). Automatically detecting vulnerable websites before they turn malicious. In 23rd USENIX Security Symposium (USENIX Security 14) (pp. 625-640).

[14] Weimer, F. (2005, April). Passive DNS replication. In FIRST conference on computer security incident (p. 98).

[15] Yu, B., Smith, L., & Threefoot, M. (2014). Semi-supervised time series modeling for real-time flux domain detection on passive DNS traffic. In Machine Learning and Data Mining in Pattern Recognition (pp. 258-271). Springer International Publishing.

[16] Zhao, Guodong, Xu, K., Xu, L., & Wu, B. (2015). Detecting APT Malware Infections Based on Malicious DNS and Traffic Analysis. In IEEE Access : Big Data for Green Communications and Computing, (pp. 1132-1142). IEEE.
相關網站

[17] “Alexa - Actionable Analytics for the Web” [Online]. Available: http://www.alexa.com/

[18] “APT簡介”. [Online]. Available: http://www.cert.org.tw/assets/pdf/apt.pdf

[19] “HAMMERTOSS:Stealthy Tactics Define a Russian Cyber Threat Group” [Online]. Available: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

[20] “Malwr.com”. [Online]. Available: https://malwr.com/

[21] “Malware Domain Blocklist” [Online]. Available: http://www.malwaredomains.com/

[22] “Network sniffer that logs all DNS server replies for use in a passive DNS setup” [Online]. Available: https://github.com/gamelinux/passivedns

[23] “Passive DNS” [Online]. Available: http://meetings.apnic.net/__data/assets/pdf_file/0017/45521/05-Merike-Kaeo-Passive-DNS.pdf

[24] “Passive DNS Data Collection”. [Online]. Available: https://www.isc.org/blogs/join-the-global-passive-dns-pdns-network-today-gain-effective-tools-to-fight-against-cyber-crime/

[25] “Targeted Cyberattacks Logbook”. [Online]. Available: https://apt.securelist.com/#firstPage

[26] “virustotal”. [Online]. Available: https://virustotal.com/
指導教授 陳奕明(Yi-Ming Chen) 審核日期 2016-7-21
推文 facebook   plurk   twitter   funp   google   live   udn   HD   myshare   reddit   netvibes   friend   youpush   delicious   baidu   
網路書籤 Google bookmarks   del.icio.us   hemidemi   myshare   

若有論文相關問題,請聯絡國立中央大學圖書館推廣服務組 TEL:(03)422-7151轉57407,或E-mail聯絡  - 隱私權政策聲明