Title: A Fuzzy Pattern Recognition-based Filtering Algorithm for Botnet Detection (基於模糊識別演算法之僵屍網路偵測方法)
Author: Lin, Shang-Jyh (林上智); Wang, Kuo-Chen (王國禎)
Department: Institute of Network Engineering
Keywords: Botnet; fuzzy pattern recognition; network security; real trace
Issue Date: 2009
Abstract (translated from the Chinese): The prevalence of botnets today gives rise to Internet crimes such as distributed denial-of-service attacks, the spread of spam and phishing mail, and the illegal storage or theft of intellectual property. Traditional string-matching detection methods are prone to both false positives and false negatives. To address these problems, this thesis proposes a fuzzy pattern recognition-based filtering algorithm for botnet detection, abbreviated FPRF, which analyses network traffic to detect botnets; the analysis and detection are based on the behaviour patterns of network packets. FPRF has three stages: the first uses botnet characteristics to filter out packets that need not be inspected, the second extracts features from the packet traffic, and the last uses fuzzy pattern recognition to detect botnets. To evaluate the method, we collected real botnet traffic and normal campus traffic. The experimental results show that FPRF identifies botnet traffic with an accuracy of over 95% and a false positive rate of only 0 to 3.08% on normal traffic, and that it reduces the packet volume by over 70%, which makes recognition fast as well as effective.
Botnets have become a popular technique for committing Internet crimes. Existing botnet detection methods based on string signature matching usually have a high false positive rate (FPR) and a low true positive rate (TPR), so behaviour-based detection has become the main approach to botnet detection. In this thesis, we propose a behaviour-based botnet detection method using a fuzzy pattern recognition-based filtering (FPRF) algorithm. FPRF first extracts bot features and then recognises botnets from the collected bot behaviours. The algorithm has three stages. The traffic reduction stage reduces the input raw packet traces to speed up processing. The feature extraction stage extracts features from the reduced packet traces. The fuzzy pattern recognition stage has two phases. First, the DNS (domain name system) phase analyses the features of DNS packets; if a domain name (DN) is judged malicious, the DN and its associated IP address(es) are marked and do not go on to the next phase. Second, the TCP connection phase analyses the features of TCP connection packets, and the associated IP addresses are marked if the TCP connection packets are malicious. Performance evaluation on real traces shows that, with features extracted from raw network traces, FPRF reduces the input raw packet traces by over 70% while achieving a high TPR (over 95%) and a low FPR (0 to 3.08%). Unlike the two representative methods of Livadas and Gu, we used real botnet traffic and only one traffic reduction filter in the evaluation. FPRF is also resource-efficient, so on-line botnet detection based on FPRF can be deployed on hosts.
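The three-stage structure described above (traffic reduction, feature extraction, then fuzzy recognition with a DNS phase whose marked domains and IPs skip the TCP phase) is sketched below in Python as an added illustration; it is not the thesis's code. The abstract does not state which filter, features or membership functions FPRF uses, so the ones here (keep only DNS and TCP SYN packets; "queried by several hosts" and "queried periodically" for domains, "many SYN destinations on few ports" for hosts; linear ramp memberships combined with min as fuzzy AND; a 0.6 decision threshold) and the packet trace are all constructed assumptions for illustration.

```python
"""FPRF-style three-stage sketch over a constructed packet trace (illustration only).

Stage order follows the abstract; the filter rule, features, membership shapes and
the 0.6 threshold are assumptions chosen here, not those of the thesis.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet records, not a real trace: (t_seconds, src, dst, proto, info)
#   proto "DNS": info = (queried domain, answer IP seen in the response)
#   proto "TCP": info = (dst_port, TCP flags)
BEACON_HOSTS = ("10.0.0.11", "10.0.0.12", "10.0.0.13")
BEACON_TIMES = (0, 60, 120, 180, 240)
PACKETS = (
    # three hosts resolve the same domain every 60 s, then SYN to the answer IP
    [(t, h, "10.0.0.53", "DNS", ("c2.example.net", "203.0.113.7"))
     for h in BEACON_HOSTS for t in BEACON_TIMES]
    + [(t + 1, h, "203.0.113.7", "TCP", (6667, "S"))
       for h in BEACON_HOSTS for t in BEACON_TIMES]
    # one host resolves a news site at irregular times and browses it
    + [(t, "10.0.0.20", "10.0.0.53", "DNS", ("news.example.org", "198.51.100.9"))
       for t in (5, 47, 300)]
    + [(500, "10.0.0.20", "198.51.100.9", "TCP", (443, "S"))]
    + [(510 + i, "10.0.0.20", "198.51.100.9", "TCP", (443, "PA")) for i in range(40)]
    # one host opens SYNs to twenty destinations on a single port
    + [(400 + i, "10.0.0.30", "192.0.2.%d" % i, "TCP", (445, "S")) for i in range(1, 21)]
)


def reduce_traffic(packets):
    """Stage 1 (assumed filter): keep DNS packets and SYN-only TCP packets; drop the
    data packets of established flows, which carry no rendezvous signal here."""
    return [p for p in packets if p[3] == "DNS" or (p[3] == "TCP" and p[4][1] == "S")]


def dns_features(packets):
    """Stage 2, DNS: per domain, the querying hosts, answer IPs and query times."""
    feats = defaultdict(lambda: {"clients": set(), "ips": set(), "times": defaultdict(list)})
    for t, src, _dst, proto, info in packets:
        if proto == "DNS":
            dn, ip = info
            f = feats[dn]
            f["clients"].add(src)
            f["ips"].add(ip)
            f["times"][src].append(t)
    return feats


def tcp_features(packets):
    """Stage 2, TCP: per source host, distinct SYN destinations and destination ports."""
    feats = defaultdict(lambda: {"dsts": set(), "ports": set()})
    for _t, src, dst, proto, info in packets:
        if proto == "TCP":
            feats[src]["dsts"].add(dst)
            feats[src]["ports"].add(info[0])
    return feats


def ramp(x, lo, hi):
    """Assumed membership function: 0 at or below lo, 1 at or above hi, linear between."""
    return 0.0 if x <= lo else 1.0 if x >= hi else (x - lo) / (hi - lo)


def periodicity(times):
    """1 minus the coefficient of variation of inter-query gaps: near 1 for beacons."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(gaps) / mean(gaps))


def recognize(packets, threshold=0.6):
    """Stage 3: fuzzy recognition; returns marked domains, their IPs, marked TCP hosts."""
    reduced = reduce_traffic(packets)
    marked_dns, marked_ips, marked_hosts = {}, set(), set()
    # DNS phase: malicious degree = min (fuzzy AND) of "several querying hosts" and
    # "periodic queries". A marked DN's answer IPs and querying hosts skip the TCP phase.
    for dn, f in dns_features(reduced).items():
        per = mean(periodicity(sorted(ts)) for ts in f["times"].values())
        mu = min(ramp(len(f["clients"]), 1, 4), ramp(per, 0.5, 0.9))
        if mu >= threshold:
            marked_dns[dn] = round(mu, 2)
            marked_ips |= f["ips"]
            marked_hosts |= f["clients"]
    # TCP phase: "many SYN destinations" AND "few destination ports", for the rest.
    marked_tcp = {}
    for src, f in tcp_features(reduced).items():
        if src in marked_hosts:
            continue
        mu = min(ramp(len(f["dsts"]), 3, 15), 1.0 - ramp(len(f["ports"]), 1, 4))
        if mu >= threshold:
            marked_tcp[src] = round(mu, 2)
    return {
        "reduction": 1.0 - len(reduced) / len(packets),
        "domains": marked_dns,
        "ips": marked_ips,
        "tcp_hosts": marked_tcp,
    }


if __name__ == "__main__":
    print(recognize(PACKETS))
```

On the constructed trace, the DNS phase marks `c2.example.net` (three hosts, perfectly regular 60 s queries) together with its answer IP, so the three beaconing hosts never reach the TCP phase; the TCP phase then marks only the host fanning SYNs out to twenty destinations on one port, and the browsing host stays unmarked. The reduction ratio reported is for this toy trace only and says nothing about the 70% figure measured in the thesis.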
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079756528
http://hdl.handle.net/11536/46019
Appears in Collections: Thesis