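Class of 98 - 張宏昌 - Estimating the Victim Population of Malicious Domains by Combining the Capture-Recapture Method and Regression Analysis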

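[ Abstract ]
Malicious domains are a very great threat currently facing the Internet. The technique lets attackers hide behind a group of proxy servers (agents), and this concealment lets attackers evade detection, so that information security personnel fail to detect them. Fast-Flux Service Network (FFSN) technology protects the malicious websites operated by criminals and thereby extends the lifespan of those websites. The harm caused by FFSNs is growing more serious, and estimating the scale of FFSN agents is quite difficult. Because a flux-agent may itself be a bot node, estimating the scale of an FFSN also indicates its level of threat. The core of this study is estimating the population size of Fast-Flux Service Networks (FFSNs). The joint hypergeometric maximum likelihood estimator (JHE) from the capture-recapture method (CRM) is used to estimate the flux-agent population size, and linear regression predictive analysis is then applied to the JHE minimum estimation base, producing a linear regression model for the data before the minimum estimation base and forming a two-stage predictive analysis. The results show that this finds the size of the whole population more quickly than a census approach.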

[ English Abstract ]
Fast-flux service networks (FFSNs) are currently the greatest threat encountered in the computer networking field. This technique hides attackers behind a network of proxy servers (agents), thereby avoiding detection by security personnel. FFSNs benefit criminal parties because they protect their Web sites and extend Web site life span. FFSNs are becoming more dangerous, and estimating the size of FFSN-agents is becoming increasingly difficult. Additionally, because flux-agents may represent bot nodes, we can estimate the scale of FFSNs to determine the extent of threats. This study primarily estimates the population size of FFSNs. The flux-agent population size was estimated using the joint hypergeometric maximum likelihood estimator (JHE) of capture-recapture methods (CRMs), and linear regression analysis was used to make a prediction of the initial data. The results showed that the JHE and CRM estimated the population size more rapidly compared to general survey approaches.
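As an added illustration (not code from the thesis), the sketch below computes a joint hypergeometric maximum likelihood estimate of the flux-agent population from repeated DNS observations of one domain. It assumes the standard mark-resight form of the JHE, since the abstract does not give the thesis's sampling design; the function names and the sample IP sets (documentation address ranges) are constructed.

```python
from math import lgamma


def log_comb(n, k):
    """Natural log of the binomial coefficient C(n, k)."""
    return lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)


def jhe_log_likelihood(N, M, occasions):
    """Joint hypergeometric log-likelihood of population size N.

    M is the number of marked agents; occasions is a list of (n_i, m_i):
    agents seen on occasion i, and how many of those were already marked.
    """
    return sum(log_comb(M, m) + log_comb(N - M, n - m) - log_comb(N, n)
               for n, m in occasions)


def jhe_estimate(marked, rounds, max_n=10_000):
    """Return (N_hat, floor) for a marked IP set and later observation rounds.

    floor is the number of distinct IPs seen, the smallest admissible N.
    """
    M = len(marked)
    occasions = [(len(r), len(r & marked)) for r in rounds]
    if not any(m for _, m in occasions):
        # With zero recaptures the likelihood grows without bound in N.
        raise ValueError("no marked agent was re-observed; N is not estimable")
    floor = len(marked.union(*rounds))
    candidates = range(floor, max(floor, max_n) + 1)
    n_hat = max(candidates, key=lambda N: jhe_log_likelihood(N, M, occasions))
    return n_hat, floor


def ips(prefix, lo, hi):
    """Constructed sample addresses prefix.lo .. prefix.hi."""
    return {f"{prefix}.{i}" for i in range(lo, hi + 1)}


# Constructed data: 12 agent IPs from a first capture, then three later
# rounds of lookups that each mix recaptured and previously unseen IPs.
MARKED = ips("192.0.2", 1, 12)
ROUNDS = [
    ips("192.0.2", 1, 4) | ips("198.51.100", 1, 6),    # n=10, m=4
    ips("192.0.2", 5, 7) | ips("198.51.100", 4, 8),    # n=8,  m=3
    ips("192.0.2", 9, 12) | ips("198.51.100", 7, 11),  # n=9,  m=4
]

if __name__ == "__main__":
    n_hat, floor = jhe_estimate(MARKED, ROUNDS)
    print(f"distinct agents observed: {floor}, JHE estimate: {n_hat}")
```

The gap between the distinct count and the estimate is the share of agents that the sampling rounds have not yet surfaced.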