Full metadata record
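| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | 邱韜瑋 | en_US |
| dc.contributor.author | Chiou, Tow-Wei | en_US |
| dc.contributor.author | 蔡錫鈞 | en_US |
| dc.contributor.author | Tsai, Shi-Chun | en_US |
| dc.date.accessioned | 2014-12-12T02:38:40Z | - |
| dc.date.available | 2014-12-12T02:38:40Z | - |
| dc.date.issued | 2013 | en_US |
| dc.identifier.uri | http://140.113.39.130/cdrfb3/record/nctu/#GT070056090 | en_US |
| dc.identifier.uri | http://hdl.handle.net/11536/73714 | - |
| dc.description.abstract | This thesis observes the connection behavior of network users and combines it with the connection characteristics of botnets to find potentially virus-infected victim machines within the campus network, as well as malicious domains generated by a Domain Generating Algorithm (DGA). For unreachable domains (NXdomains), we propose a feature called Popular 2gram (two consecutive English words) that distinguishes ordinary domains from malicious DGA-generated domains, and we find the victim machines and malicious domains through clustering and classification. We also observe the connection targets of the victim machines and compute the connection similarity of each victim machine to discover the behavior patterns of these machines when they act together. To speed up the analysis, we use Hadoop to analyze large volumes of network records. The method proposed in this thesis can provide network administrators with the connection behavior patterns of infected machines and information about malicious domains and IPs, so that they can take corresponding measures to reduce the damage caused by the botnet. Keywords: botnet, dynamic domain generation algorithm, clustering, machine learning, distributed denial-of-service attack, big data, Domain Name System. | zh_TW |
| dc.description.abstract | Profiling network traffic patterns is an important approach for tackling network security problems. Based on campus network infrastructure, we propose a new method based on the connection behavior of botnets to identify randomly generated malicious domain names and pinpoint the potential victim groups. We characterize normal domain names with the so-called popular 2gram (2 consecutive characters in a word) to distinguish between active and nonexistent domain names and classify the clients as victims or not with the spectral clustering method. We also track the destination IPs of source IPs and analyze the similarity of their connection patterns to uncover potential anomalous group network behaviors. We apply the Hadoop technique to deal with the big data of network traffic. Our approach can give information about the connection patterns of victims, malicious domains and malicious IPs, which can help network administrators to mitigate the effect of botnets. | en_US |
| dc.language.iso | en_US | en_US |
| dc.subject | Botnet | zh_TW |
| dc.subject | Dynamic domain generation algorithm | zh_TW |
| dc.subject | Clustering | zh_TW |
| dc.subject | Machine learning | zh_TW |
| dc.subject | Distributed denial-of-service attack | zh_TW |
| dc.subject | Big data | zh_TW |
| dc.subject | Domain Name System | zh_TW |
| dc.subject | Botnet | en_US |
| dc.subject | Domain Generating Algorithm | en_US |
| dc.subject | Clustering | en_US |
| dc.subject | Machine learning | en_US |
| dc.subject | Denial of service | en_US |
| dc.subject | Big data | en_US |
| dc.subject | Domain Name System | en_US |
| dc.title | 利用群聚法分析網路記錄 | zh_TW |
| dc.title | Network Security Management with Traffic Pattern Clustering | en_US |
| dc.type | Thesis | en_US |
| dc.contributor.department | 資訊科學與工程研究所 | zh_TW |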
Appears in collection: Theses


Files in this item:

  1. 609001.pdf

If the file is a zip archive, download and extract it, then open index.html in the extracted folder with a browser to view the full text.