Botnet網路行為特徵碼自動生成系統

10.29614/DRMM.201207.0003

黃能富；高迦南；張詠承

Botnet ； Malware ； 特徵碼自動生成 ； 惡意網路行為識別

資訊安全通訊

18卷3期（2012 / 07 / 01）

48 - 59

繁體中文

近年來Botnet幾乎已經成為資安問題的代名詞，主要受影響的有兩個層面，一個是主機端，另外一個是網路端。在主機端主要的問題在於新型未知的Botnet/Malware不容易被防毒軟體偵測到，而在網路端則是因為對於Botnet/Malware網路行為識別能力的缺乏，而無法有效偵測。近年來Botnet/Malware的個數每年大約新增一千萬個，使得傳統用人工採取網路特徵碼的方法已不足以應付如此龐大的巨量，本文說明網路行為特徵碼的採碼原則，並設計相對應的網路行為特徵碼自動生成機制，減少了的99%的人力需求，並有效地縮短了在Botnet/Malware肆虐時無特徵碼可用的空窗期。

1. Snort. [Online]. Available: http://www.snort.org/
2. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, “Hypertext transfer protocol–HTTP/1.1,” 1999..
3. Emerging threats.net open rulesets. Emerging Threats.net. [Online].Available: http://rules.emergingthreats.net/open/
4. J. Oikarinen and D. Reed, Internet Relay Chat Protocol, IETF Std., 1993. [Online]. Available: http://tools.ietf.org/html/rfc1459
5. Wireshark. [Online]. Available: http://www.wireshark.org/
6. AV-Test Malware Statistics, http://www.av-test.org/en/statistics/malware/
7. Tcpdump/libpcap public repository. [Online]. Available: http://www.tcpdump.org/
8. Gu, G.,Porras, P.,Yegneswaran, V.,Fong, M.,Lee. W.(2007).Bothunter: detecting malware infection through ids-driven dialog correlation.Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium,Berkeley, CA, USA:
9. Muthuregunathan, R.,S., S.,S., R.,R., S. R.(2009).Efficient snort rule generation using evolutionary computing for network intrusion detection.Computational Intelligence, Communication Systems and Networks,International Conference
10. Newsome, C.,Karp, B.,Song, D.(2005).Polygraph: automatically generating signatures for polymorphic worms.Security and Privacy, 2005 IEEE Symposium
11. Perdisci, R,Lee, W.,Feamster, N.(2010).Behavioral clustering of http-based malware and signature generation using malicious network traces.Proceedings of the 7th USENIX conference on Networked systems design and implementation,Berkeley, CA, USA: