FFRTD: Beat Fast-Flux by Response Time Differences

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：13

、訪客IP：3.145.156.46

姓名

林松輝(Song-Hui Lin) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

(FFRTD: Beat Fast-Flux by Response Time Differences)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統	★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks	★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails	★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI : My ACcount, YoUr ResponsIbility	★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment	★ PrivacyGuard：A Kernel-based Solution to Enhance the User Privacy When Using Private Browsing

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 ( 永不開放)

摘要(中)

近年來，Fast-Flux Service Network (FFSN) 在網際網路上已經造成重大的威脅，它的成員主要來自大量遭惡意程式感染的電腦。攻擊者利用這類攻擊手法發起一系列的違法行為，舉凡分散式阻斷服務攻擊、發送垃圾郵件、架釣魚網站和散佈惡意程式等。由於 FFSN 本身具有高度的隱蔽性，我們難以將攻擊者繩之以法，也無法輕易摘除整個有害的網路服務。
在本篇論文中，我們發現一種簡單且新穎的特徵─difference，它是用來衡量一個 fast-flux 網域名稱其對應所有主機之負載平衡的變化程度。我們也提出了一套偵測系統 FFRTD，它使用 difference 特徵搭配 DNS 的查詢結果，讓我們可以在兩小時以內將一個全新的網域名稱分類成「正常 (benign)」或「fast-flux」。而由我們的方法中，在做分類的同時，並不需要存取資料庫，只需要利用培訓資料 (training data) 過程中所產生的門檻值 (ff-score threshold)。本研究的實驗結果證明，我們所提出的偵測系統能夠準確地判斷出身陷 FFSNs 的網域名稱，並且我們也開拓一個新的觀察視野，對於了解一個 fast-flux 網域名稱將會很有幫助。

摘要(英)

FFSNs have become severe threats on the Internet in recent years. They consist of a large amount of compromised hosts for malicious activities such as launching DDoS, delivering spam mails, hosting phishing sites and distributing malicious programs. As a result of the highest concealment of FFSNs, it is really difficult to find out attackers and foil down the entire illegal networks. In this paper, we discovered a novel and simple feature, difference, which measures the degree of the load balance of all IP addresses in a domain name. And we also present FFRTD that can make a brand-new domain name be classified into benign and fast-flux ones by the difference with DNS lookup results within two hours. With our method, there is no need to access database but use the ff-score threshold we generated in the training phase while classifying domain names. According to experimental results, our proposed detection system, FFRTD, is able to accurately detect FFSNs. Furthermore, we contribute a new vision to observe the behavior of a fast-flux domain name.

關鍵字(中)

關鍵字(英)

★ FFSN
★ RRDNS
★ CDN

論文目次

摘要................................................i
Abstract...........................................ii
Table of Contents.................................iii
List of Figures.....................................v
List of Tables....................................vii
1. Introduction..................................1
2. Background....................................4
2.1 Related DNS Techniques.......................4
2.1.1 DNS........................................4
2.1.2 FQDN.......................................4
2.1.3 DNS Responses..............................5
2.1.4 RRDNS......................................6
2.1.5 CDNs.......................................7
2.2 Fast Flux....................................9
2.2.1 FFSNs......................................9
2.2.2 Two Types of FFSNs........................11
2.2.3 The Threat on FFSNs.......................13
3. Related Work.................................15
4. Design of FFRTD..............................18
4.1 Feature Extraction..........................18
4.1.1 Related to the Feature of Real Time.......18
4.1.2 Discover a Feature of Short Time..........21
4.2 Measure the Difference for Analysis.........23
4.3 Architecture of FFRTD.......................26
4.3.1 Three Major Components....................26
4.3.2 Two Process Phases........................31
5. Experimental Results.........................33
5.1 Training Data Sets..........................33
5.2 Testing Data Sets...........................37
5.3 Evaluation..................................41
5.3.1 Detection Accuracy........................41
5.3.2 Detection Performance.....................42
6. Discussion...................................43
6.1 Limitations.................................43
6.2 Deployment..................................43
6.3 Future work.................................44
6.4 Conclusion..................................45
Reference..........................................46

參考文獻

[1] Franklin, J., Paxson, V., Perrig, A., and Savage, S., "An inquiry into the nature and causes of the wealth of internet miscreants", in Proceedings of the 14th ACM conference on Computer and communications security, pp. 375-388, ACM, Alexandria, Virginia, USA, 2007.
[2] FBI National Press Office, Over One Million Potential Victims of Botnet Cyber Crime June 13, 2007 Available from: http://www.fbi.gov/news/pressrel/press-releases/over-1-million-potential-victims-of-botnet-cyber-crime.
[3] Yury Namestnikov, The economics of Botnets, July 22, 2009. Available from: http://www.securelist.com/en/analysis/204792068/The_economics_of_Botnets.
[4] ICANN, GNSO Issues Report on Fast Flux Hosting. March 2008.
[5] The Honeynet Project and Research Alliance, Know Your Enemy: Fast-Flux Service Networks, July 13, 2007. Available from: http://www.honeynet.org/papers/ff.
[6] Committee, I.S.a.S.A., SAC 025 SSAC Advisory on Fast Flux Hosting and DNS. 2008.
[7] Sharon Gaudin, InformationWeek, Storm Worm Erupts Into Worst Virus Attack In 2 Years, July 24, 2007. Available from: http://www.informationweek.com/news/201200849.
[8] RSA Online Fraud Reports, A Monthly Intelligence Report from the RSA® Anti-Fraud Command Center, July 2009. Available from: http://www.rsa.com/solutions/consumer_authentication/intelreport/FRARPT_DS_0709.pdf.
[9] Gartner, Inc., Gartner Says Number of Phishing E-Mails Sent to U.S. Adults Nearly Doubles in Just Two Years, November 9, 2006. Available from: http://www.gartner.com/it/page.jsp?id=498245.
[10] Gartner, Inc, Gartner Survey Shows Phishing Attacks Escalated in 2007; More than $3 Billion Lost to These Attacks. Available from: http://www.gartner.com/it/page.jsp?id=565125.
[11] Zhou, C.V., Leckie, C., and Karunasekera, S., "Collaborative Detection of Fast Flux Phishing Domains", Journal of Networks, vol. 4, pp. 75-84, February 2009.
[12] Wikipedia, the free encyclopedia, Fully Qualified Domain Name. Available from: http://en.wikipedia.org/wiki/Fully_qualified_domain_name.
[13] International Organization for Standardization, ISO 3166-1 and ISO 3166-2 databases. Available from: http://www.iso.org/iso/country_codes/iso_3166_databases.htm.
[14] Internet Systems Consortium, Domain Information Groper (DIG). Available from: https://www.isc.org/software/bind.
[15] Holz, T., Gorecki, C., Rieck, K., and Freiling, F.C., "Measuring and Detecting Fast-Flux Service Networks", in Network and Distributed System Security Symposium, San Diego, CA, February 2008.
[16] RRDNS, Round Robin DNS Information and Services. Available from: http://www.rrdns.com/.
[17] Krishnamurthy, B., Wills, C., and Zhang, Y., "On the use and performance of content distribution networks", in Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, pp. 169-182, ACM, San Francisco, California, USA, 2001.
[18] Wikipedia, the free encyclopedia, Content Delivery Network. Available from: http://en.wikipedia.org/wiki/Content_delivery_network.
[19] Passerini, E., Paleari, R., Martignoni, L., and Bruschi, D., "FluXOR: Detecting and Monitoring Fast-Flux Service Networks", in Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 186-206, Springer-Verlag, Paris, France, 2008.
[20] Perdisci, R., Corona, I., Dagon, D., and Lee, W., "Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces", in Proceedings of the 2009 Annual Computer Security Applications Conference, pp. 311-320, IEEE Computer Society, 2009.
[21] Robert Lemos, Security Focus, Fast flux foils bot-net takedown, July 9, 2007. Available from: http://www.securityfocus.com/news/11473/.
[22] Caglayan, A., Toothaker, M., Drapeau, D., Burke, D., and Eaton, G., "Real-Time Detection of Fast Flux Service Networks", in Proceedings of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security, pp. 285-292, IEEE Computer Society, March 2009.
[23] Hsu, C.-H., Huang, C.-Y., and Chen, K.-T., "Fast-flux bot detection in real time", in Proceedings of the 13th international conference on Recent advances in intrusion detection, pp. 464-483, Springer-Verlag, Ottawa, Ontario, Canada, September 2010.
[24] Alexa the Web Information Company. Available from: http://www.alexa.com/.
[25] ATLAS: Arbor networks, inc. Available from: http://atlas.arbor.net/summary/fastflux.
[26] dnsbl.abuse.ch. Available from: http://dnsbl.abuse.ch/fastfluxtracker.php.

指導教授

許富皓(Fu-Hau Hsu)

審核日期

2011-7-28

推文