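Full metadata record

| DC field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | 蔡禮陽 | en_US |
| dc.contributor.author | Tsai, Li-Yang | en_US |
| dc.contributor.author | 王國禎 | en_US |
| dc.contributor.author | Wang, Kuo-Chen | en_US |
| dc.date.accessioned | 2014-12-12T01:52:37Z | - |
| dc.date.available | 2014-12-12T01:52:37Z | - |
| dc.date.issued | 2011 | en_US |
| dc.identifier.uri | http://140.113.39.130/cdrfb3/record/nctu/#GT079856519 | en_US |
| dc.identifier.uri | http://hdl.handle.net/11536/48397 | - |
| dc.description.abstract | Botnets have become highly prevalent in recent years, causing economic and privacy harm as well as cybercrime problems such as distributed denial-of-service attacks. Traditional string-matching detection methods are prone to false positives and false negatives when detecting botnets. To solve this problem, in this thesis we propose a botnet detection mechanism based on network behavior in cloud computing environments, abbreviated BBDC, which analyzes network traffic to detect botnets. We analyze and detect botnets according to the behavior of the recorded network packets. BBDC is divided into five stages. The first stage uses the characteristics of botnets to filter out packets that do not need to be inspected. The second stage extracts features from the packet traffic. The third stage splits the remaining filtered traffic under test into multiple pieces of equal size and sends them to multiple virtual machines in the cloud system for botnet detection. The fourth and fifth stages detect botnets by applying fuzzy recognition to the behavior of DNS packets and TCP packets. When the packets under test are confirmed to be botnet traffic, local computers and the servers in the cloud can guard against the botnet by means of the botnet-related data stored in a database. To evaluate the effectiveness of this method, we collected real botnet traffic and normal campus dormitory traffic. Experimental results show that the proposed BBDC achieves an identification accuracy of up to 95.83% for botnet traffic, with a false positive rate of only 0% ~ 3.453% for normal network traffic. In addition, we introduce cloud computing technology, using five virtual machines to perform botnet traffic detection; compared with botnet detection on the local host only, we increase the botnet detection speed by 4.73 times. This demonstrates that the proposed detection mechanism can achieve fast botnet detection by using the resources of a cloud computing environment. | zh_TW |
| dc.description.abstract | In recent years, botnets have become a major issue for Internet security; however, existing string signature-based matching methods usually lead to high false positive rates (FPR) and low true positive rates (TPR) for botnet detection. In this paper, we propose a behavior-based botnet detection mechanism in cloud computing environments (BBDC). Our BBDC algorithm is divided into five stages: (1) traffic reduction: removing unwanted packets from an input trace to speed up bot detection; (2) feature extraction: extracting features from the reduced input trace; (3) traffic partitioning: dividing the reduced input trace into pieces for a cloud-based system to detect botnets concurrently; (4) DNS phase: extracting botnet DNS features to detect bots; (5) TCP phase: extracting TCP request and response features to detect bots. Since stages four and five consume almost 90% of the total execution time in our design, we dispatch reduced input traces to the cloud to speed up botnet detection. In order to achieve a high detection rate, we utilize fuzzy pattern recognition for botnet detection in the DNS and TCP phases. Once bot activities are identified from the input trace, local hosts and servers in the cloud will be alerted to avoid bot-related IP addresses or domain names (DNs). Experimental results show that the proposed BBDC can achieve high TPR and low FPR. Furthermore, the proposed cloud-based botnet detection system with five virtual machines is 4.73 times faster than a host-based system. | en_US |
| dc.language.iso | zh_TW | en_US |
| dc.subject | behavior-based matching | zh_TW |
| dc.subject | botnet detection | zh_TW |
| dc.subject | cloud computing environment | zh_TW |
| dc.subject | fuzzy recognition | zh_TW |
| dc.subject | string-matching-based | zh_TW |
| dc.subject | behavior-based | en_US |
| dc.subject | botnet detection | en_US |
| dc.subject | cloud computing environment | en_US |
| dc.subject | fuzzy pattern recognition | en_US |
| dc.subject | signature-based | en_US |
| dc.title | Behavior-Based Botnet Detection Mechanism in Cloud Computing Environments | zh_TW |
| dc.title | Behavior-based Botnet Detection in cloud computing environments | en_US |
| dc.type | Thesis | en_US |
| dc.contributor.department | Institute of Network Engineering | zh_TW |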
Appears in collections: Theses


Files in this item:

  1. 651902.pdf

If the file is a zip archive, download and extract it, then open index.html in the extracted folder with a browser to view the full text.