Title

Verifying Cyber Threat Intelligence Based on Bipartite Graph Association Analysis (基於二分圖關聯分析驗證網路威脅情資)

DOI

10.29428/9789860544169.201801.0168

Authors

黃傳強;鄭棕翰;陳建智;張光宏;周國森

Keywords

Malicious Domain ; Advanced Persistent Threats ; Graph Analysis ; Cyber Threat Intelligence

Journal / Proceedings

NCS 2017 National Computer Symposium

Volume and Issue / Publication Date

2017 (2018 / 01 / 01)

Pages

898 - 903

Content Language

Traditional Chinese

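Abstract (translated from Chinese)

The number of malicious domains is increasing year by year. An enterprise has countless external connections every day, and attackers always use sophisticated methods to spread malware into the enterprise, such as Advanced Persistent Threats (APT) and botnets. Although many methods and techniques exist for discovering malicious domains, the number of malicious domains they discover is large and the false positive rate is high, so verifying which of these many results are truly potential malicious domains is an important problem. This paper therefore continues previous research and proposes a novel platform for verifying and analyzing potential malicious domains. The platform collects external intelligence to define the association relationships between domains, and uses inference over those relationships to evaluate a reputation score for each domain to be verified, thereby determining whether the domain is a potential malicious domain and giving security forensic analysts a basis for judging cyber threats. Experimental results show that, besides verifying potential malicious domains, the proposed method can also discover new potential malicious domains that other external intelligence providers cannot identify.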

English Abstract

Recently, the number of malicious domains has been increasing from quarter to quarter and year to year. An enterprise has countless external connections every day. Attackers always use sophisticated methods to spread malware into the enterprise, such as Advanced Persistent Threats (APT) or botnets. Although there are many techniques for discovering malicious domains, the number of malicious domains is large and the false positive rate is high. Verifying this huge number of malicious domains is a very important issue. Therefore, this paper continues the previous study and proposes a novel analysis platform for verifying potential malicious domains. The analysis platform defines the associations between domains by collecting external intelligence and uses the derivation of the relational equation to compute a reputation score for each domain. Potential malicious domains can be determined by the reputation score. Our experimental results show that the proposed approach can identify potential malicious domains, and that these potential malicious domains are not identified by other reputation services.

Subject Classification: Basic and Applied Sciences > Information Science