Master's/Doctoral Thesis 109522053: Record Details
Author: 戴鴻慈 (Hung-Tsz Tai)   Department: Department of Computer Science and Information Engineering
Thesis title: BlackCrab: A Connection-Based Real-time Backdoor Detection Mechanism
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-time Rootkit Detection System
★ A Detection and Defense Mechanism for Fraudulent SMS Messages on Android Phones
★ SRA: A System for Defending against ARP Spoofing Router Hijacking
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-time Counterattack System against Remote Buffer Overflow Attacks
★ Real-time Serum System: An Automated Worm Curing System with an Offensive Firewall
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI: My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
Full text: browse in the system (available after 2027-6-30)
Abstract (Chinese, translated): A backdoor is a type of malware used to gain unauthorized access to a system. Through a backdoor, attackers can steal confidential information, conduct criminal espionage, or carry out advanced persistent threat attacks. Because sophisticated attacks take time to set up and execute, a backdoor is one option attackers use to reconnect to a victim server. Although many devices deploy firewalls to block this type of attack, the diversity of backdoors remains a serious problem; some researchers have even found backdoors that can bypass the firewall and enter the system.
This thesis proposes BlackCrab, a backdoor detection mechanism based on capturing the IP of each connection and comparing it against log files. Different services are set up on the machine and their log files are collected; each service has its own log file that records the connections or operation events related to that service. When the connection IP matches a record in any of the log files, the connection is judged legitimate. In other words, if no match is found, the connection is suspected of having entered through a backdoor. In addition, we provide another method, hash value comparison, for services that do not log in real time.
In the experiments, we selected 7 common services and collected 21 Linux backdoors from GitHub and real-world backdoor attacks, and deployed them on the test machine used in this study. Over 14,737 legitimate connections, the accuracy of passing inspection reached 99.6%, and BlackCrab detected 19 of the 21 backdoors. Testing showed that the mechanism's overhead on the original system is negligible.
Abstract (English): A backdoor is a type of malware that is used to gain unauthorized access to a system. Once attackers have successfully entered the device, they can steal sensitive information, conduct criminal espionage, or execute an advanced persistent threat attack. Because a sophisticated attack takes time to set up and execute, a backdoor is a choice for criminals to reconnect to the victim server. Although many devices have firewalls to prevent attacks, the variety of backdoors is still a serious problem. Researchers have even found that some backdoors can bypass the firewall.
We propose a system, BlackCrab, based on the method of capturing the connection IP and comparing it with log files to detect backdoors. We compare the log files of the services we have set up on the machine to determine whether the connection is legitimate. In addition, we provide another method, hash value comparison, for services that do not have real-time log records.
In our implementation, we chose seven common services and collected 21 backdoors targeting the Linux platform from GitHub projects and real-world backdoor samples. With 14,737 legitimate connections, 99.6% accuracy of passing inspections is achieved. Of the 21 backdoors, 19 can be detected by BlackCrab. The overhead introduced by our system is negligible.
Keywords (Chinese, translated) ★ backdoor
★ log file
★ real-time detection
Keywords (English) ★ Backdoor
★ log
★ real-time detection
Table of contents
Abstract (Chinese)
Abstract
Acknowledgements
Contents
List of figures
List of tables
Chapter 1 Introduction
Chapter 2 Background
  2.1 Backdoor
  2.2 Backdoor installation
  2.3 Backdoor attack
  2.4 BLAKE3 hash function
Chapter 3 Related work
  3.1 Backdoor detection tools
  3.2 Backdoor detection research
    3.2.1 Hardware backdoor
    3.2.2 Software backdoor
    3.2.3 Web backdoor
    3.2.4 Binary-based backdoor
    3.2.5 Behavior-based backdoor
    3.2.6 Malware
Chapter 4 System Design and Implementation
  4.1 Design Principle
  4.2 System Architecture
  4.3 Main Component
    4.3.1 BlackCrab Connection Observer
    4.3.2 BlackCrab Backdoor Detector
Chapter 5 Evaluation
  5.1 Environment
  5.2 Case Study
    5.2.1 Vsftpd-2.3.4 backdoor
    5.2.2 Pi-hole vulnerability
    5.2.3 BPFdoor
  5.3 False Positives and Negatives
  5.4 Performance Analysis
    5.4.1 Micro benchmark
    5.4.2 Overall Performance
    5.4.3 Comparison
Chapter 6 Discussion
  6.1 Limitations
  6.2 Future work
Chapter 7 Conclusion
Reference
Advisor: 許富皓   Review date: 2022-7-14