Class of 98 - 張宏昌 - Estimating the victim population of malicious domains by combining capture-recapture and regression analysis

[ Abstract ]
Malicious domains are a major threat facing today's Internet. The technique lets attackers hide behind a group of proxy servers (agents); this concealment lets attackers evade detection and causes security personnel to fail to detect them. Fast-Flux Service Network (FFSN) technology protects the malicious websites run by criminals and thereby extends their lifespan. The harm of FFSN grows daily, estimating the scale of FFSN agents is not easy, and since a flux-agent may itself be a bot node, estimating the scale of an FFSN also reveals its threat level. The core of this study is estimating the population size of a Fast-Flux Service Network (FFSN): the Joint hypergeometric maximum likelihood estimator (JHE) of the Capture-Recapture Method (CRM) is used to estimate the size of the flux-agent population, and the minimum JHE estimate is then fed into a linear regression prediction analysis that produces a linear regression model for the period before the minimum estimate, forming a two-stage prediction analysis. The results show that the size of the whole population can be found faster than by a census.

[ English Abstract ]
Fast-flux service networks (FFSNs) are currently the greatest threat encountered in the computer networking field. This technique hides attackers behind a network of proxy servers (agents), thereby avoiding detection by security personnel. FFSN benefits criminal parties because it protects their Web sites and extends Web site life span. FFSN is becoming more dangerous, and estimating the size of FFSN agents is becoming increasingly difficult. Additionally, because flux-agents may represent bot nodes, we can estimate the scale of FFSNs to determine the extent of the threat. This study primarily estimates the population size of FFSNs. The flux-agent population size was estimated using the joint hypergeometric maximum likelihood estimator (JHE) of capture-recapture methods (CRMs), and linear regression analysis was then used to make a prediction from the initial data. The results showed that JHE and CRM estimated the population size more rapidly than general survey approaches.

Class of 100 - 林玉燕 - Scale estimation of Fast-Flux Service Networks based on capture-recapture

[ Abstract ]
The core of this study is estimating the population size of a Fast-Flux Service Network (FFSN). FFSN is a major threat facing today's Internet: the technique lets attackers hide behind a group of proxy servers (agents), so that they evade detection and security personnel fail to find them. The benefit of FFSN to criminals is that their malicious websites are protected and their lifespan is extended. The harm of FFSN therefore grows daily; estimating the scale of FFSN agents is not easy, and since a flux-agent may itself be a bot node, estimating the scale of an FFSN also reveals its threat level. This study therefore uses the Capture-Recapture Method (CRM) to estimate the size of the flux-agent population, computed with the Joint hypergeometric maximum likelihood estimator (JHE) of Program NOREMARK. The experimental results show that only the samples queried during the first six days are needed to estimate the size of the whole FFSN population, which finds the population size faster than a census would.

[ English Abstract ]
The purpose of this study is to estimate the group size of a Fast-Flux Service Network (FFSN). FFSN is one of the major threats on the Internet. It can hide attackers behind a group of agents, and in this way the attackers can avoid being detected. The benefit of FFSN to attackers is that malicious websites can be protected and their survival time prolonged. The danger of FFSN is getting more serious, and a Flux-Agent could be a bot node. Estimating the size of an FFSN reveals its degree of danger, but estimating the size is not easy. Hence, this study uses the Capture-Recapture Method (CRM) to estimate the group size of the Flux-Agents. By computing the joint hypergeometric maximum likelihood estimator (JHE) of Program NOREMARK, the group size can be found. The experiment needs only the query samples from the first six days to find the group size of the FFSN. The experimental result finds the group size more quickly than a census can.

Class of 100 - 蔡佩旻 - Automated deployment and use of a virtualized honeynet system

[ Abstract ]
As the Internet becomes ever more widespread and social networking sites flourish, Internet security has become a major issue. In academic networks in particular, network and computer management is handled rather loosely, which has made academic networks the target of most attackers. After successfully breaking into a computer, criminals often use many malicious software tools to carry out illegal activities, posing threats such as Trojans, spam, distributed denial-of-service attacks, phishing sites and virus propagation. A Honeynet is a dummy network architecture that attracts intruders through the many network services it offers, and it can be deployed in many areas as a defensive strategy.

This study uses the characteristics of a honeynet to let users quickly detect and confirm malicious sources. Because deploying and implementing a honeynet is itself difficult in many ways, this study proposes a new automated system that lets administrators quickly deploy the system on an academic network and put it to use.

[ English Abstract ]
Because the Internet is increasingly widespread and social networking is prevalent, Internet security has become an important issue. Campus networks, which adopt a more lenient approach to the management of networks and computers, have become the target of attacks by the majority of offenders. After successfully invading a computer, the offender uses many malicious software tools to engage in illegal activities, such as Trojans, spam, distributed denial-of-service attacks, phishing sites and other threats. A Honeynet is a dummy network infrastructure that attracts criminal intrusion through the provision of many network services, and it can be deployed in many areas as a defense strategy.

In this thesis, malicious sources can be quickly detected and confirmed through the characteristics of a honeypot. Users face a lot of difficulty in deploying and implementing a honeynet. In this thesis we present a new automatic system that allows managers to rapidly deploy a virtual honeynet system in the campus network.

Class of 100 - 黃宗恩 - Detecting Fast-Flux Service Networks based on DNS mail exchange records

[ Abstract ]
In recent years, with advances in technology and the Internet, people's daily lives and commercial activities have come to depend more and more on the network, so many hackers have begun to seek huge illegal profits through various improper intrusion and attack techniques. For example, Fast-Flux Service Networks (FFSN) is an emerging attack method widely used by hackers in recent years. This intrusion technique adopts the Round Robin DNS (RR-DNS) technique of DNS and protects malicious content websites by continuously changing the physical machines that the domain maps to; the mapped physical machines are often victim hosts, so the harm caused by this attack grows steadily. This study therefore implements a detection system using FFSN feature-detection techniques together with the existing feature values as the detection baseline, and tests it against data obtained from ATLAS and ALEXA in order to verify the detection rate and accuracy of the detection system built in this study, analyse the detection benefit of the feature combinations, and select the best scheme as the detection baseline for the future.

[ English Abstract ]
During recent decades, the explosive development of the Internet has brought a remarkable advance in information exchange. Hence, people's daily lives and commercial activities rely on the Internet tremendously. More and more hackers try to gain enormous illegal profits through illegitimate invasion and attack approaches. For instance, Fast-Flux Service Networks is one of the emerging attack technologies; it is used to invade systems by combining the RR-DNS (Round Robin DNS) technology of DNS. Fast-Flux can protect malicious websites by continually changing the IP address of the Mothership. In most cases, naive users' computers are the attack targets, so the damage is getting worse with each passing day. Therefore, this study uses FFSN characterization and original features as detection patterns to construct a detection system. Data from ATLAS and ALEXA are tested to evaluate the detection rate and accuracy of the proposed system. Finally, through analysis of the detection effectiveness after feature mapping, the best solution can be found as the future detection pattern.

Class of 100 - 林添財 - Analysis of malware on social networking sites: the case of Koobface

[ Abstract ]
Social Networking Services (SNS) have become the most popular activity on the Internet: chatting, mailing, audio and video, file sharing and so on let people with common interests build online communities, and the Internet provides users with all kinds of contact and exchange functions to consolidate their relationships. As social networking services become widely used, hackers use attacks such as malicious links, social engineering and phishing to turn social networks into a springboard for spreading malware.
This study takes the social-network malware Koobface as its subject and discusses how it spreads, how it infects, and its outbound network behaviour. The results ultimately confirm that all of these are malicious in nature; the reason is that hackers exploit people's trust or curiosity within social networks, using such lures and means to achieve their intended goal.

[ English Abstract ]
Social Networking Services (SNS) are currently the most popular activities on the network, covering chat, e-mail, video, file sharing, etc., so that people with the same interests can establish online communities; through the Internet they provide users with a variety of contacts and exchanges that consolidate mutual relationships. As social networking services are widely used, hackers use malicious links, social engineering, phishing and other modes of attack so that social networks become a springboard tool for spreading malware.
This study takes the social-networking-site malware Koobface as its theme, discussing its spread, its infection and its external network behaviour. The results eventually confirmed it to be malicious in nature; the reason is that hackers exploit trust or curiosity in social networks, using these incentives and means to achieve their intended purpose.

Class of 100 - 吳沅錄 - Detecting Fast-Flux Service Networks based on port scanning

[ Abstract ]
Fast-Flux Service Networks (FFSN) originate from a technique called Round-Robin DNS (RR-DNS). RR-DNS is a load-balancing mechanism that rapidly changes DNS records so that a domain name can be quickly mapped to several different hosts. Fast-Flux resembles RR-DNS, but differs in that it rapidly maps a domain name to several victim machines drawn from a botnet, in order to protect malicious content websites such as phishing sites, malware download sites and spam content sites and so prolong the effective time of the attack. Past research focused on performing multiple DNS queries against a specific domain and finding the differences between the queries, but this approach is easily affected by the network environment and takes a long time to detect. This study scans every host in a domain and computes the degree of port overlap between the hosts, judging a domain with low overlap to be a malicious FFSN domain and one with high overlap to be a benign domain. In addition, this study combines this with another Fast-Flux feature found in past research, the standard deviation of DNS query time: a domain whose standard deviation is above a threshold is judged a malicious FFSN domain and one below the threshold a benign domain. Using these two features together as Fast-Flux detection features yields quite high precision. This study also analyses the detection speed of the two features and finds that, unlike the features discovered in past research, which require multiple queries and must wait for the TTL to expire after each query before proceeding, using port overlap as the FFSN detection feature yields a result in about 47 seconds on average, much faster than the several hundred seconds typical of past detection, while maintaining a certain level of precision even as detection time drops.

[ English Abstract ]
Fast-Flux Service Networks (FFSN) derive from Round-Robin DNS. RR-DNS is a method of choosing a resource for a task from a list of available resources, usually for the purpose of load balancing. FFSN is similar to RR-DNS, but differs in that the list of available resources comes from victim hosts, and those victim hosts are used by hackers to protect phishing sites, malicious sites and spam servers. In the past, research usually focused on issuing DNS queries for a specific domain and finding the differences between the results of each query; the detection result is easily influenced by the network environment, and the detection time may increase. In this thesis, we use nmap to scan the hosts' ports in a specific domain, calculate the discrepancy between the hosts, and use it to determine the FFSN domain (high discrepancy) and the benign domain (low discrepancy). In addition, we use another FFSN feature, the standard deviation of DNS query time: if the standard deviation is higher than a threshold, it is an FFSN domain; if not, it is a benign domain. Combining these two FFSN features, we obtain high accuracy. We also analyse the detection speed of these two features and find that the feature "discrepancy of each host's ports", unlike past research, does not need to wait for the TTL time: its detection completes in about 47 seconds on average, whereas past research needed more than 100 seconds. "Discrepancy of each host's ports" not only decreases detection time but also keeps accuracy high.

Class of 99 - 楊昆鑫 - Detecting Fast-Flux Service Networks (FFSN) based on DNS Query Time

[ Abstract ]
As the Internet is used more and more frequently in commerce, the financial damage caused by network attacks has gradually grown. Hackers use the Internet for illegal activities, such as Trojans, virus propagation, distributed denial-of-service attacks, spam and phishing site threats. To obtain huge profits, criminals' demand for illegal activities keeps growing, and to make such fraud highly concealed they have begun to use an attack technique called Fast-Flux Service Networks. An FFSN is composed of a botnet used as a redirecting proxy service; through these infected puppet hosts, users can be redirected to malicious content set up by the criminals.
This study implements a system that uses the detection features discussed in this study together with existing features as the detection baseline to detect malicious FFSN domains from the Malware Domain List and ATLAS data sources, investigates how FFSN is actually used by criminals in current cybercrime, analyses the detection benefit and selects the best scheme as the detection baseline for the future.

[ English Abstract ]
As the Internet is used more frequently in business, the damage caused by network attacks has gradually expanded. Hackers use the Internet for illegal activities, such as Trojans, viruses, DDoS attacks, spam and phishing. In order to obtain huge benefits, the offenders' demand for illegal activities grows, and to give such fraud a high degree of concealment, offenders began to use the attack tactic called Fast-Flux Service Network (FFSN). An FFSN is composed of a group of bots in a botnet that serve as proxies. Using these infected hosts, the user can be redirected to the malicious content the offender set up.
In this thesis we implemented a system that uses the detection feature discussed in this thesis and the features already discussed in other studies to detect whether the data from Malware Domain List and ATLAS belong to an FFSN or not. We also investigate the utilization of FFSN by miscreants on the Internet, analyze the detection performance and select the best case as the baseline of detection in the future.

Class of 99 - 林庭弘 - Detecting malicious code behaviour through reverse engineering

[ Abstract ]
Over the past few years the number of malicious programs and their destructive capability have grown exponentially, and malware has begun to use code obfuscation, encryption and packing to evade the signature detection of anti-virus software. Many malware authors now use packing to encrypt their malicious programs and evade anti-virus detection, so packed malware has become one of the most challenging problems for today's anti-virus companies.
To detect malicious packed programs, this study proposes using entropy and other auxiliary features to detect packed programs, and uses static and dynamic features to detect malicious packed programs. Experimental results show that this study can detect code obfuscation, encryption and packing in real time and can effectively distinguish benign packed programs from malicious packed programs.

[ English Abstract ]
In the past few years, the number of malicious programs and their destructive capability have grown substantially. Malicious programs and their writers are also starting to use packing, encryption and code obfuscation to avoid detection by anti-virus software. Therefore, packing has become a challenging problem for anti-virus companies.
How to detect malicious packed programs is also an important issue in information security research. This study uses entropy and other assistant features to help detect malicious packed programs. Furthermore, it combines static and dynamic features to detect malicious packed programs. The results of this study show that packing, encryption and code obfuscation can be detected more efficiently, and the difference between benign packed programs and malicious packed programs can also be identified more effectively.

Class of 98 - 莊竣程 - Detection and analysis of Fast-Flux Service Networks

[ Abstract ]
With the rapid development of the Internet, network security has become one of the most serious problems we face. A large number of criminals use the Internet for illegal activities such as Trojans, virus propagation, distributed denial-of-service attacks, spam and phishing site threats. Driven by illegal profit, criminals have a high availability requirement for their illegal activities, and to obscure their fraudulent activities they have recently begun to use an attack technique called Fast-Flux Service Networks. An FFSN is composed of a botnet used as a redirecting proxy service, and these infected puppet hosts serve the fraudulent content set up by the criminals.
This study implements a system that detects malicious FFSN domains from the Malware Domain List data source, investigates how FFSN is actually used by criminals in current cybercrime, and analyses the distribution of infected nodes.

[ English Abstract ]
With the rapid development of the Internet, cyber-security is one of the most serious threats we face. Many groups of criminals use the Internet to engage in illegal activities like Trojan horses, viruses, DDoS attacks, spam emails and phishing. Motivated by illegal profit, they have a high demand for the availability of their illegal activities and for concealing the location of their services. These criminals have recently started to use a new technique called Fast-Flux Service Networks, composed of large groups of bots acting as proxies to their scam content.
In this thesis we implemented a system that detects whether data from the Malware Domain List belong to an FFSN or not. We also investigate the utilization of FFSN by miscreants on the Internet and analyze the location details of the infected bots.

Class of 98 - 廖紋淇 - Scale estimation of P2P Botnets

[ Abstract ]
In recent years botnets have become a threat to Internet security: attackers can control large numbers of computers to launch various attacks such as DDoS attacks, spam sending and theft of personal data.
The size of a botnet is a key indicator of its threat; the larger the botnet, the greater the threat it poses.
How to estimate the size of a botnet has thus become an important topic in security research. This study proposes a capture-recapture sampling estimation model to estimate the size of a P2P botnet, exploiting the fact that in a P2P botnet every node holds the node information of some of the botnet's members.

[ English Abstract ]
In recent years, botnets have become major security threats on the Internet, since an attacker can control a large number of bots. Attackers primarily use them for DDoS attacks, e-mail spamming, or massive personal information theft.

The size of a botnet is a key index for estimating its threat. The larger the botnet, the more devastating these attacks can be. Estimating the size of a botnet has become an important issue in Internet security. In a P2P botnet, every bot peer holds information about some other bot peers. In this study, we utilize this characteristic and the capture-recapture technique to estimate the size of a P2P botnet.