| Graduate student: | 朱奕叡 Yi-Rui Zhu |
|---|---|
| Thesis title: | 基於Semi-Passive DNS機制之可疑域名偵測研究 (On the Study of a Semi-Passive DNS-based Suspicious Domain Name Detection Mechanism) |
| Advisor: | 陳奕明 Yi-Ming Chen |
| Oral examination committee: | |
| Degree: | Master (碩士) |
| Department: | 管理學院 - 資訊管理學系 College of Management, Department of Information Management |
| Year of publication: | 2016 |
| Academic year of graduation: | 104 (ROC calendar) |
| Language: | Chinese |
| Pages: | 78 |
| Chinese keywords: | Advanced Persistent Threat, botnet, semi-passive domain resource record collection mechanism (進階持續性滲透攻擊、殭屍網路、半被動式域名資源紀錄蒐集機制) |
| English keywords: | Advanced Persistent Threat, BotNet, Semi-Passive DNS |
| Record hits: | Views: 11, Downloads: 0 |
Malicious domain names have long been a stepping stone for cybercrime such as spam distribution, financial fraud and phishing sites. An enterprise makes countless outbound connections every day, but because attackers have in recent years used every available means to spread malware, for example Advanced Persistent Threats (APT) and botnets, many enterprises have been compromised without being aware of it. Discovering suspicious domain names early among this mass of outbound connections has therefore become a critical enterprise security problem.
To discover suspicious domain names early, many researchers have used the Passive DNS mechanism to identify malicious domain names, with excellent detection rates. The biggest limitation of Passive DNS, however, is that the domain resource record (Resource Record, RR) logs are usually obtainable only by ISPs, which makes implementation difficult for ordinary research institutions and private enterprises. In addition, most existing methods are applied only to detecting ordinary botnet domain names, while the APT attacks rampant in recent years have received little attention. This study therefore proposes a Suspicious Domain Name Detector (SDND). SDND detects both botnet domain names and APT domain names, and it also removes the barrier to using the Passive DNS mechanism, so that domain resource records no longer have to be supplied by an ISP. SDND adopts the Semi-Passive DNS architecture proposed in this study and uses machine learning to assess whether a domain name resembles known botnet and APT domain names. The experiments used domain lists provided by Alexa Top, DNS-BH and similar organisations for internal and external testing, and confirm that SDND achieves 98.9% accuracy and only a 0.09% false positive rate in detecting malicious domains, which shows that SDND has practical value for detecting suspicious domain names.
Keywords: Advanced Persistent Threat, botnet, semi-passive domain resource record collection mechanism
Malicious domain names have always been useful for criminal activity such as spamming, financial fraud and phishing sites. Attackers use sophisticated methods to find a way in, and most victims remain compromised for months before they discover it. Early detection of malicious domain names has therefore become an increasingly important issue for most enterprises.
To address the malicious domain name problem, much of the academic literature has turned to passive DNS replication to identify malicious domain names, with systems such as NOTOS, Kopis, EXPOSURE, Segugio and IDnS. These are well-known malicious domain name detection systems with high accuracy. Although they improve malicious domain name detection, they bring other issues: the high barrier to applying passive DNS, and the fact that no prior academic work has tried to use passive DNS to detect Advanced Persistent Threat (APT) attacks.
In this paper we propose Semi-Passive DNS replication and a Suspicious Domain Name Detector (SDND), which lower the barrier to applying passive DNS and efficiently detect malicious domain names. Our results show that SDND identifies malicious domain names with high accuracy (true positive rate of 98.9%) and a low false positive rate (0.09%).
Keywords: Advanced Persistent Threat, BotNet, Semi-Passive DNS
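The collection step that every passive DNS system in the abstract builds on (Weimer's passive DNS replication [14], the passivedns sniffer [22]) is shown below as an added example; it is not code from the thesis and does not implement SDND, whose Semi-Passive DNS architecture and classifier features are not described on this page. DNS responses observed on the wire are parsed and aggregated into (rrname, rrtype, rdata) records with first-seen, last-seen, smallest TTL and hit count, which is exactly the resource-record log the abstract says is normally available only at ISP resolvers. All packets, names (`.test`) and addresses (documentation ranges) are constructed in the block.

```python
"""Passive DNS replication, minimal form: parse DNS responses captured on the
wire and aggregate the answer-section RRs into (rrname, rrtype, rdata) records
with first/last seen and hit count. Added example; all packets are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

RRTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA"}


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def build_response(qname: str, qtype: int, answers: List[Tuple[str, int, int, bytes]],
                   flags: int = 0x8180, txid: int = 0x1234) -> bytes:
    """Build a DNS message for testing. answers = [(owner, rrtype, ttl, rdata)].
    flags 0x8180 = standard response (QR, RD, RA); pass 0x0100 to build a query."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rrtype, ttl, rdata in answers:
        # Real resolvers compress the owner name with a pointer to the question (offset 12).
        owner_wire = b"\xc0\x0c" if owner == qname else encode_name(owner)
        msg += owner_wire + struct.pack("!HHIH", rrtype, 1, ttl, len(rdata)) + rdata
    return msg


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (lower-cased name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 32:                               # crafted pointer loops must not hang a sensor
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels).lower(), (end if jumped else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def decode_rdata(msg: bytes, rrtype: int, off: int, rdlength: int) -> str:
    """Render rdata for the types handled here; anything else as hex."""
    if rrtype == 1 and rdlength == 4:
        return ".".join(str(b) for b in msg[off:off + 4])
    if rrtype == 28 and rdlength == 16:
        return ipaddress.IPv6Address(msg[off:off + 16]).compressed
    if rrtype in (2, 5):
        return read_name(msg, off)[0]
    return msg[off:off + rdlength].hex()


@dataclass
class PdnsRecord:
    rrname: str
    rrtype: str
    rdata: str
    ttl: int            # smallest TTL observed for this tuple
    first_seen: float
    last_seen: float
    count: int = 1


class PassiveDnsCollector:
    """Aggregates answer RRs from responses only; queries are ignored."""

    def __init__(self) -> None:
        self.records: Dict[Tuple[str, str, str], PdnsRecord] = {}

    def ingest(self, msg: bytes, seen_at: float) -> int:
        """Record the answer section of one captured message; returns RRs ingested."""
        _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if not flags & 0x8000:                          # QR=0: a query, carries no RRs
            return 0
        off = 12
        for _ in range(qdcount):
            off = read_name(msg, off)[1] + 4            # skip QNAME, QTYPE, QCLASS
        for _ in range(ancount):
            name, off = read_name(msg, off)
            rrtype, _, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = decode_rdata(msg, rrtype, off, rdlength)
            off += rdlength
            key = (name, RRTYPE_NAMES.get(rrtype, f"TYPE{rrtype}"), rdata)
            rec = self.records.get(key)
            if rec is None:
                self.records[key] = PdnsRecord(name, key[1], rdata, ttl, seen_at, seen_at)
            else:
                rec.count, rec.ttl = rec.count + 1, min(rec.ttl, ttl)
                rec.first_seen = min(rec.first_seen, seen_at)
                rec.last_seen = max(rec.last_seen, seen_at)
        return ancount

    def lookup(self, rrname: str) -> List[PdnsRecord]:
        return sorted((r for r in self.records.values() if r.rrname == rrname.lower()),
                      key=lambda r: r.first_seen)

    def distinct_rdata(self, rrname: str, rrtype: str = "A") -> int:
        """Different answers seen for a name: a per-domain feature a pDNS detector can derive."""
        return len({r.rdata for r in self.lookup(rrname) if r.rrtype == rrtype})


def demo() -> PassiveDnsCollector:
    """Constructed traffic: a stable host, a flux-like host, a CNAME chain and one query."""
    def ip4(s: str) -> bytes:
        return bytes(int(o) for o in s.split("."))
    c = PassiveDnsCollector()
    for t in (0, 3600, 7200):
        c.ingest(build_response("www.example.test", 1, [("www.example.test", 1, 300, ip4("192.0.2.10"))]), t)
    for i, addr in enumerate(("198.51.100.5", "198.51.100.77", "203.0.113.9", "203.0.113.200")):
        c.ingest(build_response("cdn.flux.test", 1, [("cdn.flux.test", 1, 60, ip4(addr))]), i * 600)
    c.ingest(build_response("img.example.test", 1, [
        ("img.example.test", 5, 3600, encode_name("www.example.test")),
        ("www.example.test", 1, 300, ip4("192.0.2.10"))]), 9000)
    c.ingest(build_response("www.example.test", 1, [], flags=0x0100), 9001)   # a query: not logged
    return c
```

Running `demo()` leaves one A record for `www.example.test` seen four times over 9000 seconds (three direct answers plus the A record carried at the end of the CNAME chain), against four different A records with TTL 60 for `cdn.flux.test` inside forty minutes. Per-domain summaries such as `distinct_rdata` and minimum TTL are the kind of passive DNS feature systems like EXPOSURE compute; the thesis's own feature set is not given on this page. Two caveats a practitioner should keep in mind: only messages with the QR bit set are stored, and a response is recorded as seen, so a sensor placed where spoofed replies can reach it logs the forgery as well. Weimer's design places the sensor between the recursive resolver and the authoritative servers, which is also why this data normally sits in ISP hands, the barrier the abstract sets out to remove.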
[1] Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., & Feamster, N. (2010, August). Building a Dynamic Reputation System for DNS. In USENIX security symposium (pp. 273-290).
[2] Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou II, N., & Dagon, D. (2011, August). Detecting Malware Domains at the Upper DNS Hierarchy. In USENIX security symposium (p. 16).
[3] Bilge, L., Sen, S., Balzarotti, D., Kirda, E., & Kruegel, C. (2014). EXPOSURE: a passive DNS analysis service to detect and report malicious domains. ACM Transactions on Information and System Security (TISSEC), 16(4), 14.
[4] Chen, C. M., Huang, J. J., & Ou, Y. H. (2015). Efficient suspicious URL filtering based on reputation. Journal of Information Security and Applications, 20, 26-36.
[5] Ghafir, I., & Prenosil, V. (2014, November). DNS query failure and algorithmically generated domain-flux detection. In Frontiers of Communications, Networks and Applications (ICFCNA 2014-Malaysia), International Conference on (pp. 1-5). IET.
[6] Grill, M., Nikolaev, I., Valeros, V., & Rehak, M. (2015, May). Detecting DGA malware using NetFlow. In Integrated Network Management (IM), 2015 IFIP/IEEE International Symposium on (pp. 1304-1309). IEEE.
[7] Gržnić, T., Perhoč, D., Marić, M., Vlašić, F., & Kulcsar, T. (2014, May). CROFlux—Passive DNS method for detecting fast-flux domains. In Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2014 37th International Convention on (pp. 1376-1380). IEEE.
[8] Hsu, F. H., Wang, C. S., Hsu, C. H., Tso, C. K., Chen, L. H., & Lin, S. H. (2014). Detect fast-flux domains through response time differences. IEEE Journal on Selected Areas in Communications, 32(10), 1947-1956.
[9] Janbeglou, M., Naderi, H., & Brownlee, N. (2014, May). Effectiveness of DNS-based security approaches in large-scale networks. In Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on (pp. 524-529). IEEE.
[10] Kwon, J., Kim, J., Lee, J., Lee, H., & Perrig, A. (2014, October). PsyBoG: Power spectral density analysis for detecting botnet groups. In Malicious and Unwanted Software: The Americas (MALWARE), 2014 9th International Conference on (pp. 85-92). IEEE.
[11] Rahbarinia, B., Perdisci, R., & Antonakakis, M. (2015, June). Segugio: Efficient Behavior-Based Tracking of Malware-Control Domains in Large ISP Networks. In Dependable Systems and Networks (DSN), 2015 45th Annual IEEE/IFIP International Conference on (pp. 403-414). IEEE.
[12] Schales, D. L., Christodorescu, M., Hu, X., Jang, J., Rao, J. R., Sailer, R., ... & Wang, T. (2014, August). Stream computing for large-scale, multi-channel cyber threat analytics. In Information Reuse and Integration (IRI), 2014 IEEE 15th International Conference on (pp. 8-15). IEEE.
[13] Soska, K., & Christin, N. (2014). Automatically detecting vulnerable websites before they turn malicious. In 23rd USENIX Security Symposium (USENIX Security 14) (pp. 625-640).
[14] Weimer, F. (2005, April). Passive DNS replication. In FIRST Conference on Computer Security Incident Handling.
[15] Yu, B., Smith, L., & Threefoot, M. (2014). Semi-supervised time series modeling for real-time flux domain detection on passive DNS traffic. In Machine Learning and Data Mining in Pattern Recognition (pp. 258-271). Springer International Publishing.
[16] Zhao, G., Xu, K., Xu, L., & Wu, B. (2015). Detecting APT malware infections based on malicious DNS and traffic analysis. IEEE Access, 3, 1132-1142.
Related websites
[17] “Alexa - Actionable Analytics for the Web” [Online]. Available: http://www.alexa.com/
[18] “APT簡介 (Introduction to APT)”. [Online]. Available: http://www.cert.org.tw/assets/pdf/apt.pdf
[19] “HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group”. [Online]. Available: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
[20] “Malwr.com”. [Online]. Available: https://malwr.com/
[21] “Malware Domain Blocklist” [Online]. Available: http://www.malwaredomains.com/
[22] “Network sniffer that logs all DNS server replies for use in a passive DNS setup” [Online]. Available: https://github.com/gamelinux/passivedns
[23] “Passive DNS” [Online]. Available: http://meetings.apnic.net/__data/assets/pdf_file/0017/45521/05-Merike-Kaeo-Passive-DNS.pdf
[24] “Passive DNS Data Collection”. [Online]. Available: https://www.isc.org/blogs/join-the-global-passive-dns-pdns-network-today-gain-effective-tools-to-fight-against-cyber-crime/
[25] “Targeted Cyberattacks Logbook”. [Online]. Available: https://apt.securelist.com/#firstPage
[26] “VirusTotal”. [Online]. Available: https://virustotal.com/