臺灣博碩士論文加值系統

Botnet 主要是依靠網路域名來和底下眾多的Bot程式連線。當受到新興的水坑式攻擊(watering hole)時，被害者電腦會向Command & Control Server(C&C Server)，透過攻擊者申請的惡意域名，自動下載最新的惡意程式。
因此，惡意域名的辨識對於Botnet防禦非常重要。一旦Botnet結構內惡意域名失效，攻擊者將無法透過C&C Server 遙控被害者電腦。為了偵測惡意域名，尤其較難偵測的不含母音的域名，我們提出以新的語彙分析和字母分析分析Botnet惡意域名與正常域名的差異，建立以白名單為基礎的語彙特徵。
利用擷取的語彙特徵，以不同特徵組合的方式找出最適合訓練辨識模型的語彙特徵組合。其次再以此特徵組合進行決策樹演算模型的建立，並評估其辨識惡意域名能夠達到的效果。實驗結果顯示誤報率與漏報率可同時低於5%，因此新的語彙特徵可對於無母音的惡意域名辨識有良好的效果。

Botnets generally use a domain name rather than actual IP address to connect its subordinated bot programs. The latest “watering hole attack” enables the botnet to propagate itself not only passively but actively. As the victim’s computer visits some webpages which contain malicious files, the victim is redirected to the C&C server and automatically downloads the newest version of malware. A botnet master, the owner and administrator of it, typically registers many a domain name of random string for their C&C server, so it is a low-cost strategy to defense against botnet by way of identifying malicious domains by their names. Once the connections to the C&C server are blocked, the botnet master can no longer control the victim computers remotely. To detect malicious domain names, especially for those without vowels, a new lexical analysis is developed in this essay with an aim to distinguishing malicious domains from normal ones and to establishing a database of lexical features based on the whitelist. Among every combination of those lexical features, the most suitable one for training is filtered out to create a decision tree model, and its effectiveness of identification is evaluated later. The result shows that both the false positive rate and false negative rate are below five percent, indicating the new lexical analysis can effectively detect malicious domain names without vowels.

目錄
致謝 I
摘要 II
ABSTRACT III
目錄 IV
圖目錄 VI
表目錄 VII
第1章 緒論 1
1.1 Botnet介紹 1
1.2 研究動機 3
1.3 研究目的 6
第2章 文獻探討 8
第3章 惡意域名辨識 12
3.1 辨識架構 12
3.1.1 資料來源和預處理 14
3.1.2 子音特徵擷取 14
3.1.3 驗證模組辨識率 15
3.2 特徵擷取方法 16
3.2.1 白名單內單子音選擇方法 16
3.2.2 擷取語彙特徵 18
第4章 實驗結果 22
4.1 字母特徵資料集 22
4.2 白名單數量選擇結果 23
4.3 特徵評估結果 26
4.4 小結 27
第5章 結論 29
參考文獻 30
附錄：特徵擷取程式 34
著作權聲明 43
 
圖目錄
圖 1：水坑式攻擊感染示意圖 2
圖 2：Botnet惡意域名辨識模組 13
圖 3：Simulated syllable count說明 20
圖 4：黑白名單出現率和兩者相差絕對值分布 22
圖 5：白名單子音辨識效果 24
圖 6：加入出現率相差絕對值辨識效果 25
圖 7：特徵評估結果 26

 
表目錄
表 1：Zeus Bot樣本(部分) 5
表 2：用有母音特徵測無母音 5
表 3：新發現的惡意域名量表 6
表 4：個人定義之名詞解釋說明 16
表 5：研究使用的五種語彙特徵 19
表 6：特徵辨識結果呈現 28

[1]J. Nazario, and T. Holz, “As the net churns: Fast-flux botnet observations,” International Conference on Malicious and Unwanted Software, pp: 24-31, 2008.
[2]R. Elz, and R. Bush, “Clarifications to the DNS Specification,” from http://www.ietf.org/rfc/rfc2181.txt,1997
[3]A. Baddeley, S. D. Sala, and T. Robbins, “Working Memory and Executive Control and Discussion,” Philosophical Transactions of the Royal Society of London. Series B: Biological Sciences, 351(1346), pp. 1397-1404, 1996
[4]H. Binsalleeh, T. Ormerod, A. Boukhtouta, P. Sinha, A. Youssef, M. Debbabi, and L. Wang, “On the analysis of the Zeus botnet crimeware toolkit,” Paper presented at the Privacy Security and Trust (PST), pp: 31- 38, 2010.
[5]J. Zhuge, T. Holz, X. Han, J. Guo, and W. Zou, “Characterizing the IRC-based botnet phenomenon,” Peking University & University of Mannheim Technical Report, 2007.
[6]D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage, “Inferring internet denial-of-service activity,” ACM Transactions on Computer Systems, 24(2), pp. 115-139, 2006
[7]E. Alomari, S. Manickam, B. B. Gupta, P. Singh, and M. Anbar, “Design, deployment and use of HTTP-based botnet (HBB) testbed,” International Conference on Advanced Communication Technology (ICACT), pp 1265- 1269, 2014
[8]Z. Junjie, R. Perdisci, L. Wenke, L. Xiapu, and U. Sarfraz, “Building a Scalable System for Stealthy P2P-Botnet Detection,” IEEE Transactions on Information Forensics and Security, 9(1), pp. 27-38, 2014
[9]A. Shahrestani, M. Feily, M. Masood, and B. Muniandy, “Visualization of invariant bot behavior for effective botnet traffic detection,” International Symposium on Telecommunication Technologies(ISTT), pp. 325-330, 2012
[10]G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, “Bothunter: Detecting malware infection through ids-driven dialog correlation,” USENIX Security Symposium, 2007
[11]G. Gu, J. Zhang, and W. Lee, “BotSniffer: Detecting botnet command and control channels in network traffic,” Network and Distributed System Security Symposium, 2008
[12]G. Gu, R. Perdisci, J. Zhang, and W. Lee, “BotMiner: clustering analysis of network traffic for protocol-and structure-independent botnet detection,” USENIX Security Symposium, pp: 139-154, 2008
[13]J. Ma, L. K. Saul, S. Savage, and G. M. Voelker, “Beyond blacklists: learning to detect malicious web sites from suspicious URLs,” ACM SIGKDD international conference on Knowledge discovery and data mining, pp. 1245-1254. , Paris 2009
[14]A.Blum, B. Wardman, T. Solorio, and G. Warner, “Lexical feature based phishing URL detection using online learning,” ACM workshop on Artificial intelligence and security, pp: 54-60, 2010
[15]N.S. Raghava, D. Sahgal, and S. Chandna, “Classification of Botnet Detection Based on Botnet Architechture,” , Communication Systems and Network Technologies (CSNT) , pp.569-572, 2012
[16]E. Stalmans, S.O. Hunter, and B. Irwin, “Geo-spatial autocorrelation as a metric for the detection of Fast-Flux botnet domains,” Information Security for South Africa (ISSA), pp. 1- 7,2012
[17]L. Hsiaochung, C. Chiamei, and T. Juiyu, “Flow Based Botnet Detection,” International Conference on Innovative Computing, Information and Control (ICICIC), pp.1538-1541, 2009
[18]C. Chiamei, O. Yahui, and T. Yuchou, “ Web botnet detection based on flow information,” International Computer Symposium (ICS), pp.381 – 384, 2010
[19]D. Mahjoub, and H. El-Rewini, “ Adaptive Constraint-Based Multi-Objective Routing for Wireless Sensor Networks,” IEEE International Conference on Pervasive Services, pp.72-75, 2007
[20]D. Sanchez, M.J. Martin-Bautista, I. Blanco, and C. Torre, “Text Knowledge Mining: An Alternative to Text Data Mining,” IEEE International Conference on Data Mining Workshop, pp. 664- 672, 2008
[21]S. Shehata, F. Karray, and M.S. Kamel, “ An Efficient Concept-Based Mining Model for Enhancing Text Clustering,” IEEE Transactions on Knowledge and Data Engineering, 22( 10), pp. 1360-1371,2010
[22]M. Sukanya, and S, Biruntha, “ Techniques on text mining,” IEEE International Conference Advanced Communication Control and Computing Technologies, pp.269-271,2012
[23]Q. Yanliang, Z. Yang, and S. Min, “Text Mining for Bioinformatics: State of the Art Review,” IEEE International Conference on Computer Science and Information Technology (ICCSIT), pp.398-401, 2009
[24]X. Huosong, F. Zhaoyan, and P. Liuyan, “Chinese Web Text Outlier Mining Based on Domain Knowledge,” WRI Global Congress on Intelligent Systems (GCIS), pp. 73- 77, 2010
[25]Y. Yujie, C. Yunpeng, L. Wenshu, L. Zhifeng, M. Zhenghui, Y. Xiaolu, and Y. Haibo, “An Ontology-based Approach for Text Mining of Stroke Electronic Medical Records,” IEEE International Conference on Bioinformatics and Biomedicine (BIBM), pp. 288-291, 2013
[26]S. L. Salzberg, “C4.5: Programs for Machine Learning,” by J. Ross Quinlan. Morgan Kaufmann Publishers, Inc., 1993. Machine Learning, 16(3), pp. 235-240, 1994
[27]R. Kohavi, “A study of cross-validation and bootstrap for accuracy estimation and model selection,” Paper presented at the International Joint Conference on Artificial Intelligence (IJCAI), 14(2), pp. 1137-1143, 1995
[28]DNS-BH Malware Domain Blocklist, 2013, from http://www.malwaredomains.com/
[29]Alexa the web information company, 2013, from http://www.alexa.com/
[30]T. Chinyang, and T. Yungyao, “Identification of Botnet domain name base on lexical feature,” Cryptology and Information Security Conference (CISC), 2012
[31]張士龍 “賽門鐵克2013年第 18 期網路安全威脅研究報告,” from http://icstwebstorage.blob.core.windows.net/attachfilearticles/%E8%B3%BD%E9%96%80%E9%90%B5%E5%85%8B%E5%85%A8%E7%90%83%E7%B6%B2%E8%B7%AF%E5%AE%89%E5%85%A8%E5%A8%81%E8%84%85%E7%A0%94%E7%A9%B6%E5%A0%B1%E5%91%8A%20%E7%AC%AC18%E6%9C%9F.pdf