
Author: 王榮祥 (Wang, Jung-Hsiang)
Thesis title: An Investigation and Implementation of Botnet Detection Schemes (僵屍網路偵測方法之研究與實作)
Advisor: 賴溪松 (Laih, Chi-Sung)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering
Year of publication: 2008
Academic year of graduation: 96
Language: English
Pages: 77
Chinese keywords: threshold random walk, sequential hypothesis testing, intrusion detection system, botnet, bot
English keywords: bot, botnet, intrusion detection system, threshold random walk, sequential hypothesis testing
Usage statistics: 112 views, 3 downloads
    Botnets have caused many security incidents on the Internet recently. A botnet is not a specific piece of malware but a means by which attackers control victim computers; through it, thousands upon thousands of victim machines can be controlled with ease. Over the past few years, researchers have proposed botnet detection methods from different perspectives; this study categorizes those methods and compares their advantages and disadvantages. To analyze botnet behavior patterns effectively, we developed a toolkit based on the Emulab network testbed: for IRC botnets, researchers can focus purely on behavior patterns without being burdened by building the botnet environment. In developing detection methods, we propose two detection approaches for personal computers: (i) integrating internal and external system information to help users determine whether unexpected network connections exist, connections that are very likely botnet traffic; (ii) another approach exploits the difference in connection behavior between bot-infected machines and ordinary users: since ordinary users cannot respond as quickly as a bot does, the TRW algorithm is used for real-time detection.

    Botnets have caused many serious security incidents recently. A botnet is not a specific piece of malware but rather a method by which hackers control a network possibly comprising thousands or millions of hosts. Many researchers have proposed separate detection schemes in recent years; we categorise those schemes and compare and contrast their features and limitations. To facilitate the observation of botnets, we developed an emulation toolkit based on the Emulab testbed, so that researchers can focus on botnet behaviour without having to build an IRC botnet environment by hand. For botnet detection on personal computers, we propose two techniques:
    (i) A bot identifier tool: the tool uses integrated system information to help users identify unexpected network connections.
    (ii) An online botnet detection scheme based on network analysis: since a bot is a program running on a host, its behaviour and response time are supra-human, and we use the TRW algorithm for online detection.
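As an added illustration (not code from the thesis), here is the core of the TRW test the second scheme relies on, in Python: each command-to-response delay becomes one binary observation, and a per-host sequential hypothesis test flags the host as a bot or clears it as a human user as soon as the accumulated evidence crosses a Wald bound. The reaction threshold, the per-hypothesis probabilities and the error-rate targets are assumed values, not the thesis's.

```python
import math
from collections import defaultdict

# Assumed parameters (the abstract gives none): a reply faster than this is
# treated as supra-human, and THETA0 / THETA1 are the assumed probabilities of
# such a fast reply under H0 (human user) and H1 (bot).
HUMAN_REACTION_S = 0.5
THETA0, THETA1 = 0.10, 0.90
ALPHA, BETA = 0.01, 0.01      # target false-positive / false-negative rates

# Wald / TRW decision bounds, kept in log space to avoid underflow.
ETA1 = math.log((1 - BETA) / ALPHA)   # crossing upward   -> accept H1 (bot)
ETA0 = math.log(BETA / (1 - ALPHA))   # crossing downward -> accept H0 (human)


class TRWDetector:
    """Per-host sequential hypothesis test over command/response delays."""

    def __init__(self):
        self.llr = defaultdict(float)   # running log-likelihood ratio per host
        self.verdict = {}               # host -> "bot" | "human" once decided

    def observe(self, host, response_time_s):
        """Feed one command->response delay; return a verdict or None if undecided."""
        if host in self.verdict:        # test already concluded for this host
            return self.verdict[host]
        fast = response_time_s < HUMAN_REACTION_S
        # Multiply (add, in log space) the likelihood ratio of this observation.
        if fast:
            self.llr[host] += math.log(THETA1 / THETA0)
        else:
            self.llr[host] += math.log((1 - THETA1) / (1 - THETA0))
        if self.llr[host] >= ETA1:
            self.verdict[host] = "bot"
        elif self.llr[host] <= ETA0:
            self.verdict[host] = "human"
        return self.verdict.get(host)


def classify(events):
    """Run the detector over (host, response_time_s) events; return final verdicts."""
    det = TRWDetector()
    for host, rt in events:
        det.observe(host, rt)
    return dict(det.verdict)


# Constructed sample (not real traffic): a bot answering C&C commands within
# tens of milliseconds, and a human IRC user typing replies over seconds, with
# one quick reply that the test absorbs without raising a false alarm.
SAMPLE_EVENTS = [
    ("10.0.0.7", 0.03), ("10.0.0.7", 0.05), ("10.0.0.7", 0.02), ("10.0.0.7", 0.04),
    ("10.0.0.12", 3.1), ("10.0.0.12", 0.4), ("10.0.0.12", 5.7),
    ("10.0.0.12", 2.2), ("10.0.0.12", 4.0),
]

if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS))   # {'10.0.0.7': 'bot', '10.0.0.12': 'human'}
```

With these parameters three consecutive fast replies are enough to reach the bot verdict, while a single fast reply from an otherwise slow user only delays the human verdict.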

    Chinese Abstract
    English Abstract
    Acknowledgements
    Contents
    List of Tables
    List of Figures
    1 Introduction
      1.1 Reasons of Botnet Propagation
        1.1.1 The differences between botnet and other malwares
        1.1.2 Endpoint perspective
        1.1.3 Network perspective
        1.1.4 Current situation
      1.2 Research Motivation
        1.2.1 How big is the problem?
        1.2.2 Research goal
      1.3 Contribution
        1.3.1 Botnet emulation toolkit
        1.3.2 Botnet detection schemes
      1.4 Thesis Organization
    2 Background Knowledge of Botnet
      2.1 Botnet Evolution
        2.1.1 Malware evolution
        2.1.2 Control methods of malware
        2.1.3 Bot and botnet
      2.2 Features of Botnet
        2.2.1 Key roles
        2.2.2 Life cycle
        2.2.3 Mechanisms
      2.3 Targets of Botnet
        2.3.1 Resource of internet
        2.3.2 Resource of intranet or local area network
        2.3.3 Resources of host
      2.4 Command and Control
        2.4.1 Types of message receiving
        2.4.2 Types of message sending
        2.4.3 Botnet infrastructure
        2.4.4 Hidden tunnels
      2.5 Samples Collection
        2.5.1 Communication protocols
        2.5.2 Collected bots
      2.6 Characteristics of Botnet
        2.6.1 Defection Platforms
        2.6.2 Challenge of herder
        2.6.3 Victims of bot
    3 Literature Review
      3.1 Victim
        3.1.1 Bot
        3.1.2 Other target victim - commercial server
      3.2 Honeypot
        3.2.1 Passivity honeypot - Dark IP / mail address
        3.2.2 High / Low interaction honeypots
        3.2.3 Medium Interaction Honeypot - Nepenthes
      3.3 IDS
        3.3.1 Signature based
        3.3.2 Anomaly based
      3.4 Statistics
        3.4.1 IRC
        3.4.2 Netflow
        3.4.3 DNS
      3.5 Other Approaches
      3.6 Methods for Botnet Defence
        3.6.1 Policy
        3.6.2 Defence objects
    4 A Botnet Emulation Toolkit
      4.1 Purpose
        4.1.1 Network script for topology construction
        4.1.2 Construct C&C platform
        4.1.3 Launch bots
        4.1.4 Traffic monitoring
      4.2 Environment Construction
        4.2.1 Network topology
        4.2.2 Support software
        4.2.3 Methods of remote control
        4.2.4 Command scripts
        4.2.5 System installation
        4.2.6 Configuration setting
      4.3 Mechanism
        4.3.1 Experiment process
        4.3.2 Parameter setting
        4.3.3 Scripts for environment setup
        4.3.4 Bot launcher
        4.3.5 Network monitor
        4.3.6 Control interface
      4.4 Scenario
      4.5 Discussion
    5 A Bot Identifier
      5.1 Assumptions and Limitations
      5.2 Design Issues
        5.2.1 Quantitative data
        5.2.2 Architecture
        5.2.3 Flowchart
      5.3 Implementation
        5.3.1 Platform
        5.3.2 Modules
        5.3.3 System information integration
        5.3.4 External information
        5.3.5 Historical data
      5.4 Conclusions
    6 An Online Botnet Detection Scheme Based on Network Analysis
      6.1 Notion
        6.1.1 Assumptions
        6.1.2 Supra-human behaviors
        6.1.3 Similarity examinations
      6.2 Data Collection
        6.2.1 Response time
        6.2.2 Data source
      6.3 Traffic Analysis
        6.3.1 Analysis tools
        6.3.2 Bots traffic
        6.3.3 Human traffic
      6.4 Design scheme
        6.4.1 A bot detection scheme based on TRW algorithm
        6.4.2 An extension of botnet detection
        6.4.3 Advantages
      6.5 Implementation
        6.5.1 Bro policy script
        6.5.2 Limitations
      6.6 Evaluation
    7 Conclusions and Future Works
      7.1 Conclusions
      7.2 Future Works
        7.2.1 Extension works
        7.2.2 Botnet prediction
        7.2.3 Malware free
    Bibliography
    A Emulab
      A.1 Emulab Environment
      A.2 Node Management
      A.3 Network Script
    B Implementation in Bro policy
      B.1 Calculation of command time
      B.2 Flexible TRW
    Curriculum Vitae


    Full text released on campus: 2009-07-29; off campus: 2009-07-29