Title (Chinese)

以行為為基礎偵測異常IRC流量

Parallel title (English)

Behavior-based Detection of Abnormal IRC Traffic

DOI

10.29614/DRMM.201207.0002

Authors

陳嘉玫;官大智;陳怡綾

Keywords

Botnet; malware; intrusion detection

Journal

資訊安全通訊 (Communications of the CCISA)

Volume/Issue (publication date)

Vol. 18, No. 3 (2012/07/01)

Pages

32 - 47

Language

Traditional Chinese

Chinese abstract (translated)

Network attacks frequently make use of botnets, which combine the infection and attack capabilities of Trojans, viruses, and worms. However, network administrators and users usually notice the anomaly, and suspect that a botnet is present, only after an attack has occurred. Among common botnets, IRC-based botnets use an IRC channel to control the bots and issue attack commands. Because a botnet's network traffic during its dormant period does not differ noticeably from normal traffic, current intrusion detection systems can detect its activity only once the botnet launches an attack, and therefore cannot defend against botnets effectively. This study collects and analyses the message content of IRC channels to identify the characteristics of channels controlled by a botmaster, and develops an IRC server-side anomalous traffic detection system. By comparing the difference in communication content between normal and abnormal channels, the average response time, and the average message length, it identifies the channels controlled by a botmaster, so that the botmaster can be prevented from using the IRC server to control zombie hosts and launch attacks; the aim is to stop the botnet before it launches a real attack, achieving prevention in advance. The study finds that normal and malicious communication content do indeed differ, as do their message response times, and experiments show that the proposed features can identify abnormal IRC channels.

English abstract

Botnets are frequently used to launch attacks; they combine the infection and attack functionality of Trojans, viruses, and worms. However, their existence is usually discovered by the network administrator or user only after an attack has been launched. IRC-based botnets are common: the botmaster controls and commands the bots through an IRC channel. Because the network behaves normally during the botnet's dormant stage, the botnet is hard to identify, and current intrusion detection systems can identify it only once it becomes active, so they cannot prevent botnet attacks effectively. In this study, an IRC sniffer is deployed to collect the messages exchanged in IRC channels, and anomalous behaviour is used to detect abnormal channels on the IRC server. The study finds that payload length and message response time are important features for identifying anomalous IRC traffic. Experimental results show that the proposed detection mechanism can identify malicious IRC channels efficiently.
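The two abstracts above describe the same three per-channel features: average message length, average response time between messages, and a measure of how much the channel's content differs from normal chat. The following is an added example, not the paper's system or code: it parses a constructed sniffer log, computes those three features per channel, and flags channels on which at least two indicators fire. The log lines, channel names, nicks, the distinct-message ratio used here as the content-difference measure, and every threshold are assumptions made for this illustration; the paper's exact metric and cut-offs are not given on this page.

```python
"""Per-channel behavioural features for IRC traffic (added example; constructed data)."""
import re
from collections import defaultdict
from statistics import mean

# Constructed log in a simplified sniffer format: "<unix_ts> :<prefix> <COMMAND> <target> :<text>".
# Not a real capture. #linux is a human discussion channel; #x7z is a command-and-control channel
# where one botmaster command is answered by several bots with the same canned reply.
SAMPLE_LOG = """\
1000.0 :alice!a@h1 PRIVMSG #linux :anyone know why my kernel build fails on 2.6.32 with gcc 4.4?
1012.5 :bob!b@h2 PRIVMSG #linux :paste the error, probably a missing header
1040.0 :alice!a@h1 PRIVMSG #linux :ok one sec, it says implicit declaration of function kmalloc
1075.2 :carol!c@h3 PRIVMSG #linux :you need to include linux/slab.h in newer trees
1090.0 :alice!a@h1 PRIVMSG #linux :that fixed it, thanks both
2000.0 :m4st3r!x@h9 JOIN #x7z
2000.0 :m4st3r!x@h9 PRIVMSG #x7z :.scan.start lsass 100 5 0 -r -s
2000.2 :[USA|XP]01938!b@h4 PRIVMSG #x7z :[SCAN]: started 10.x.x.x:445
2000.3 :[DEU|XP]77120!b@h5 PRIVMSG #x7z :[SCAN]: started 10.x.x.x:445
2000.3 :[USA|2K]55301!b@h6 PRIVMSG #x7z :[SCAN]: started 10.x.x.x:445
2000.4 :[FRA|XP]00412!b@h7 PRIVMSG #x7z :[SCAN]: started 10.x.x.x:445
2000.6 :[USA|XP]91002!b@h8 PRIVMSG #x7z :[SCAN]: started 10.x.x.x:445
"""

# Only channel messages (PRIVMSG to a #channel) carry the payload the features are built from.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) :(?P<nick>[^!\s]+)\S* PRIVMSG (?P<chan>#\S+) :(?P<text>.*)$"
)


def parse_log(text):
    """Return PRIVMSG records as (timestamp, nick, channel, message); other commands are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((float(m["ts"]), m["nick"], m["chan"], m["text"]))
    return records


def channel_features(records):
    """Compute, per channel:
    mean_len  - mean payload length in characters
    mean_gap  - mean seconds between consecutive messages (None if fewer than two messages)
    diversity - distinct message texts / total messages; near 1.0 for human chat, low when
                many bots answer one command with an identical reply (assumed content measure)
    """
    by_chan = defaultdict(list)
    for ts, _nick, chan, text in sorted(records, key=lambda r: r[0]):
        by_chan[chan].append((ts, text))
    feats = {}
    for chan, msgs in by_chan.items():
        stamps = [ts for ts, _ in msgs]
        texts = [t for _, t in msgs]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        feats[chan] = {
            "count": len(msgs),
            "mean_len": mean([len(t) for t in texts]),
            "mean_gap": mean(gaps) if gaps else None,
            "diversity": len(set(texts)) / len(texts),
        }
    return feats


def flag_channels(feats, max_gap=1.0, max_diversity=0.5, max_len=35):
    """Flag a channel when at least two indicators fire. The thresholds are illustrative
    assumptions for the constructed data above, not values taken from the paper."""
    verdicts = {}
    for chan, f in feats.items():
        reasons = []
        if f["mean_gap"] is not None and f["mean_gap"] < max_gap:
            reasons.append("fast_response")
        if f["diversity"] < max_diversity:
            reasons.append("low_diversity")
        if f["mean_len"] < max_len:
            reasons.append("short_messages")
        verdicts[chan] = {"abnormal": len(reasons) >= 2, "reasons": reasons}
    return verdicts


def analyse(text=SAMPLE_LOG):
    """Parse a log, compute features, and return (features, verdicts)."""
    feats = channel_features(parse_log(text))
    return feats, flag_channels(feats)


if __name__ == "__main__":
    feats, verdicts = analyse()
    for chan, f in feats.items():
        print(f"{chan:8} n={f['count']} len={f['mean_len']:.1f} "
              f"gap={f['mean_gap']} div={f['diversity']:.2f} -> {verdicts[chan]}")
```

On the constructed log, #linux shows a mean gap of about 22 s, a diversity of 1.0 and long messages, while #x7z shows sub-second replies, a diversity of 2/6 and short messages, so only #x7z is flagged. As in the paper, this assumes the detector sits at the IRC server where channel payloads are visible in the clear; the thresholds would have to be calibrated on real traffic from the server being protected.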

Subject classification: Basic and Applied Sciences > Information Science