National Taiwan University of Science and Technology, Department of Computer Science and Information Engineering
Intelligent System Laboratory Paper

Thesis by Yu-jie Chen (陳裕傑), master's graduate of the class of 97 (ROC calendar)


Application of a Hybrid Hidden Markov Model to Early Detection of Botnet Traffic Behavior

Abstract (Chinese version)

    Because attackers relay the commands that control a botnet through the same mechanism ordinary users use to chat and send messages, the resulting network traffic is hard to tell apart from normal chat traffic. Identifying a botnet's command and control channel from network packets is therefore a considerable challenge, and early detection of botnet command and control is even harder, because the diversity of communication behavior makes it difficult to separate from the normal traffic distribution. In this study we therefore propose a method for early botnet detection that models botnet communication behavior according to the different actions and bursty traffic produced in each phase of botnet communication. Since botnet communication is temporal in nature, we consider not only the sequential character of the communication but also the contextual relationships within each communication action. To meet these requirements we propose the Hybrid Hidden Markov Model (HHMM) algorithm, a sequential modeling method that profiles the communication behavior in traffic from the ordering induced by the causal relationships among network packets, and uses that profile to identify early botnet communication behavior in network traffic. By detecting the early actions of botnet communication and cleaning the compromised machines in the domain, large-scale attacks can be prevented and the cost of remediation after an attack is launched or suffered can be reduced. Experiments on real data confirm that compromised bot machines can be detected during the early stage of botnet communication, and that the sequential modeling method proposed here profiles communication behavior in network traffic more effectively than traditional non-sequential methods.


Early Detection for Botnet Traffic Behavior Based on Hybrid Hidden Markov Model

Abstract

    Identifying the botnet command and control (C&C) channel in network traffic remains a major difficulty because botnet and normal communication traffic look alike. In the early stage of botnet C&C, moreover, the diverse behaviors are hard to detect and difficult to distinguish from normal fluctuations. In this study we propose a novel approach to botnet early detection that models the bursty traffic phenomena within the different phases of bot behavior. Since botnet communication has temporal interdependencies, we treat network traffic as sequential and approach detection as a time-series task. We therefore apply the Hybrid Hidden Markov Model (HHMM), a sequential profiling method, to identify botnet C&C behaviors as early as possible without losing detection capability, so that the effect of the botnet can be reduced before it launches large-scale distributed attacks. Experimental results demonstrate that the proposed method not only outperforms other non-sequential methods but is also capable of detecting hosts compromised by bots in the early phase at an acceptable false positive rate.
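The abstract's central claim is that a sequential model (an HMM over communication phases) profiles traffic behavior better than a non-sequential one. The following is an added illustration written for this page, not code from the thesis: it uses a plain discrete HMM scored with the forward algorithm rather than the thesis's HHMM, whose structure the abstract does not define. The observation alphabet (idle / small exchange / burst window), the two hidden-state models, the unigram baseline and all probabilities are constructed assumptions. The point it demonstrates is that two windows with identical symbol counts but different ordering get identical scores from the order-free baseline, while the sequential model separates them.

```python
import math

# Constructed observation alphabet: one symbol per fixed time window of a host's traffic.
# 'I' = idle window, 'S' = small chat-sized exchange, 'B' = burst of traffic.
# Every symbol, state, and probability below is an assumption made for this example.
SYMBOLS = ("I", "S", "B")


def logsumexp(values):
    """Numerically stable log(sum(exp(v) for v in values))."""
    values = list(values)
    top = max(values)
    if top == float("-inf"):
        return top
    return top + math.log(sum(math.exp(v - top) for v in values))


class HMM:
    """Discrete-emission hidden Markov model scored with the forward algorithm."""

    def __init__(self, start, trans, emit):
        self.states = list(start)
        self.start = start  # state -> initial probability
        self.trans = trans  # state -> {next_state: probability}
        self.emit = emit    # state -> {symbol: probability}

    def log_likelihood(self, obs):
        """log P(obs | model), summed over all hidden-state paths (forward algorithm)."""
        log = lambda p: math.log(p) if p > 0 else float("-inf")
        alpha = {s: log(self.start[s]) + log(self.emit[s][obs[0]]) for s in self.states}
        for symbol in obs[1:]:
            alpha = {
                s: logsumexp(alpha[p] + log(self.trans[p][s]) for p in self.states)
                + log(self.emit[s][symbol])
                for s in self.states
            }
        return logsumexp(alpha.values())


# Hypothetical bot model: phases that tend to progress join -> cmd -> act,
# with the "act" phase producing the bursty traffic the abstract refers to.
BOT_HMM = HMM(
    start={"join": 0.8, "cmd": 0.1, "act": 0.1},
    trans={
        "join": {"join": 0.6, "cmd": 0.35, "act": 0.05},
        "cmd": {"join": 0.05, "cmd": 0.55, "act": 0.4},
        "act": {"join": 0.3, "cmd": 0.1, "act": 0.6},
    },
    emit={
        "join": {"I": 0.3, "S": 0.6, "B": 0.1},
        "cmd": {"I": 0.1, "S": 0.8, "B": 0.1},
        "act": {"I": 0.1, "S": 0.1, "B": 0.8},
    },
)

# Hypothetical normal-chat model: quiet/active windows with no phase ordering
# (transitions do not depend on the previous state, so it is order-insensitive).
NORMAL_HMM = HMM(
    start={"quiet": 0.5, "active": 0.5},
    trans={"quiet": {"quiet": 0.5, "active": 0.5}, "active": {"quiet": 0.5, "active": 0.5}},
    emit={"quiet": {"I": 0.7, "S": 0.25, "B": 0.05}, "active": {"I": 0.2, "S": 0.5, "B": 0.3}},
)

# Non-sequential baseline: per-class symbol frequencies (bag of symbols).
BOT_UNIGRAM = {"I": 0.2, "S": 0.4, "B": 0.4}
NORMAL_UNIGRAM = {"I": 0.45, "S": 0.4, "B": 0.15}


def hmm_llr(obs):
    """Sequential score: log P(obs | bot HMM) - log P(obs | normal HMM)."""
    return BOT_HMM.log_likelihood(obs) - NORMAL_HMM.log_likelihood(obs)


def unigram_llr(obs):
    """Order-free score: the same log-likelihood ratio from symbol frequencies only."""
    return sum(math.log(BOT_UNIGRAM[o]) - math.log(NORMAL_UNIGRAM[o]) for o in obs)


def classify(obs, threshold=0.0):
    """Flag a host's window sequence as 'bot' when the sequential score exceeds the threshold."""
    return "bot" if hmm_llr(obs) > threshold else "normal"


# Constructed sequences with identical symbol counts (2 I, 3 S, 3 B) but different order:
# ORDERED follows the join -> cmd -> act progression; SHUFFLED is a permutation of it.
ORDERED = list("IISSSBBB")
SHUFFLED = list("BSIBSIBS")

if __name__ == "__main__":
    for name, obs in (("ordered", ORDERED), ("shuffled", SHUFFLED)):
        print(f"{name}: hmm_llr={hmm_llr(obs):+.2f} "
              f"unigram_llr={unigram_llr(obs):+.2f} -> {classify(obs)}")
```

The bag-of-symbols score cannot tell the two sequences apart because it only counts symbols, whereas the forward algorithm credits the ordered sequence for matching the phase transitions and penalizes the shuffled one for the improbable phase jumps it implies. In a real deployment the emission alphabet would come from discretized per-window traffic features and the model parameters from training data, and the decision threshold would be set against the false-positive rate the operator can tolerate.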