惡意域名受害族群估計－使用聯合超幾何最大似然估計法

Estimating Population Size of Fast-Flux Domain-Using Joint Hypergeometric Maximum Likelihood Estimator Method

10.6188/JEB.2014.16(1).01

古東明(Tung-Ming Koo)；張宏昌(Hung-Chang Chang)

重複捕取法 ； 動態惡意域名服務網路 ； 規模估計 ； Capture-Recapture ； Fast-Flux Service Networks ； Size Estimation

電子商務學報

16卷1期（2014 / 03 / 27）

1 - 16

繁體中文

FFSN是目前網路世界所面臨的極大威脅，其技術可以讓攻擊者隱藏在一群代理伺服器（agent）後面，這樣的方式可以讓攻擊者來躲避偵測使資訊安全人員偵測失敗，FFSN這項技術對犯罪份子的好處是惡意網站可以受到保護，進而延長惡意網站的壽命。所以FFSN的危害日益嚴重，要規模估計FFSN-Agent也相當不容易，且Flux-Agent本身可能是Bot節點，估計FFSN的規模也可以知道其威脅程度。本研究的核心為規模估計動態惡意域名服務網路（Fast-Flux Service Network，FFSN）的族群規模大小，藉由重複捕取法（Capture-Recapture Method，CRM）中的聯合超幾何最大似然估計法（Joint hypergeometric maximum likelihood estimator，JHE）來估計Flux-Agent的群體大小，其結果發現比普查的方式可以更快速找出整個族群大小。

FFSN is one of the enormous threats of internet. It can hide the attackers behind a group of agents and by this way the attackers can avoid being detected. The benefit of FFSN to attackers is the malicious websites can be protected and the survival time can be prolonged. The danger of FFSN is getting more serious and Flux-Agent could be a Bot note. To estimate the size of FFSN can find the danger degree but to estimate the size is not easy. The purpose of this study is to estimate the group size of Fast-Flux Service Network (FFSN.). Uses Joint hypergeometric maximum likelihood estimator (JHE) of Capture-Recapture Method (CRM) to estimate the group size of Flux-Agent. By computing the joint hypergeometric maximum likelihood estimator (JHE) of Program NOREMARK, the group size can be found. The experiment result can find the group size more quickly than census.

1. Parket, L. (2010). Dutch national crime squad announces takedown of dangerous botnet. Retrieved January. 27, 2014, from http://www.om.nl/actueel/nieuws-_en/@154338/dutch_national_crime/
2. Bächer, P.,Holz, T.,Kötter, M.,Wicherski, G.(2008).,未出版
3. Daswani, N.,Stoppelman, M.(2007).The anatomy of Clickbot A.Proceedings of USENIX HotBots'07,Cambridge, USA:
4. Holz, T.,Gorecki, C.,Rieck, K.,Freiling, F. C.(2008).Measuring and detecting fast-flux service networks.NDSS Symposium 2008,San Diego, USA:
5. Jolly, G. M.(1965).Explicit estimates from capture-recapture data with both death and immigration-stochastic model.Biometrika,52(1/2),225-247.
6. Koo, T. M.,Chang, H. C.,Liao, W. C.(2012).Estimating the size of P2P botnets.International Journal of Advancements in Computing Technology,4(12),386-395.
7. Krebs, C. J.(1999).Ecological methodology.USA:Benjamin Cummings.
8. Mane, S.,Mopuru, S.,Mehra, K.,Srivastava, J.(2005).,MN, USA:Department of Computer Science and Engineering, University of Minnesota.
9. Persisci, R.,Corona, I.,Giacinto, G.(2012).Early detection of malicious flux networks via large-scale passive DNS traffic analysis.IEEE Transactions on Dependable and Secure Computing,9(5),714-726.
10. Saha, B.,Gairola, A.(2005).Botnet: An overview.India:Indian Computer Emergency Response Team.
11. Salusky, W.,Danford, R.(2007).,未出版
12. Scharrenberg, P.(2008).Germany,University of Aachen.
13. Weaver, R.,Collins, M.(2007).Fishing for phishes: Applying capture-recapture methods to estimate phishing populations.Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit,NY, USA:
14. 胡文寅(2006)。碩士論文(碩士論文)。台灣，台中，私立東海大學環境科學所。
15. 國立屏東科技大學農學院(2006)。2006 野生動物研究實習手冊。屏東縣:國立屏東科技大學農學院。
16. 曹佳(2008)。P2P 網路中規模估計方法的研究。計算機工程與應用，44(6)，99-101。
17. 曾仲強(2009)。DNS 舊技術新玩法 ─Fast-Flux。資安人雜誌，66，74-78。
18. 蕭淵隆、陳彥錚、黃景煌(2003)。採用 RR-DNS 機制的網路服務可用性之研究。2003 年台灣網際網路研討會，台灣，台北市: