学校代码： 10286 类号： TP393 密 级： 公开 UDC： 004.7 学 号： 119736 HTTP-BASED BOTNET DETECTION USING NETWORK TRAFFIC TRACES 研究生姓名： TRUONG DINH TU _ 导 师 姓 名： 程光 教授 申请学位类别 工学博士 一级学科名称 计算机科学与技术 论文答辩日期 2015 年 12 月 22 日_ 二级学科名称 计算机系统结构 学位授予日期 20 年 月 22 日_ 答辩委员会主席 陈鸣 教授 学位授予单位 _ 评 阅 东 南 大 学 人 _ 2015 年 12 月 22 日 博士学位论文 HTTP-BASED BOTNET DETECTION USING NETWORK TRAFFIC TRACES 专 业 名 称：计算机系统结构 研究生姓名：TRUONG DINH TU 导 师 姓 名： 程 光 教授 HTTP-BASED BOTNET DETECTION USING NETWORK TRAFFIC TRACES A Dissertation Submitted to Southeast University For the Academic Degree of Doctor of Engineering BY TRUONG DINH TU Supervised by Prof CHENG Guang School of Computer Science and Engineering Southeast University November 2015 摘要 摘要 僵尸网络已经成为当今 Internet 面临的最严重威胁之一，它们被作为高度 受控的平台用于进行大规模合作的网络攻击，如：分布式拒绝服务，垃圾邮件， 信息窃取等。因此，僵尸网络检测至关重要，安全研究人员已经提出了诸多有 效的僵尸网络检测方法。 然而，僵尸网络制作者仍不断开发新的技术来改进僵尸程序，以逃避安全 研究人员提出的检测方法。近年来，基于 HTTP 的僵尸网络愈加泛滥，已对众 多政府组织和工业机构造成巨大破坏。新一代的 HTTP 僵尸网络多采取 fastflux, domain-flux 或 DGA (Domain Generation Algorithmically)技术来逃避检测， 其中一些使用 domain-flux 技术来规避黑名单检测，而一些使用 fast-flux 技术 来隐藏真实的命令控制服务器位置。 因此， 本文主要研究目标是对使用 DGA, domain-flux 或 fast-flux 技术来 逃避检测的 HTTP 僵尸网络构建检测方案。为此，本文解决如下三个问题：（1） 研究在被管网或企业网中识别与检测感染 DGA 僵持程序的主机；（2）检测与 识别使用 domain-flux 或 DGA 技术的 C&C 服务器；（3）检测恶意的 fast-flux 服务网络。此 项的主要研究内容概括如下： 第一个问题是如何在被管网或企业网中识别出感染 DGA 僵持程序的主机。 为此，本文收集了多个知名的 domain-flux 或 DGA-bot 僵尸程序样本，如 Kraken, Zeus, Conficker, Bobax 和 Murofet。然后在虚拟机环境中执行这些样本 并获取相应的网络流量数据。通过检查和分析这些网络流量数据，本文发现这 I Southeast University, PhD Dissertation, Truong Dinh Tu 些僵尸程序样本在请求域名时呈现出相似的周期行为。另外 ，感染 domainflux 或 DGA-bot 僵尸程序的主机在查找 C&C 服务器时经常会请求大量的非存 在域名，且请求行为的周期时间间隔序列具有相似性。而一般的合法主机是不 会以相似的周期时间间隔序列来访问许多不同域名，并且产生大量的非存在域 名应答。这些相似行为仅发生在感染 DGA 僵持程序的主机上。因此，基于上 述特征，本文提出一种通过分析 DNS 请求时间间隔序列对的关联性来聚类相 似域名的方法, 即同一僵尸网络或 DGA 算法所产生的域名相似性的方法。实 验结果表明，相同 DGA 僵尸代码产生的域名会被划为同一类别中。请求某类 域名的主机则被标记为感染相应 domain-flux 或 DGA-bot 僵尸程序的主机。该 方法并不能适用于所有感染僵尸程序主机的检测。它只有效检测被管网内感染 domain-flux 或 DGA 类型僵尸程序主机。此项研究结果将有助于寻找新的 C&C 服务器检测方法，这也是本文今后的研究工作之一（第 章）。 第二个问题是如何检测出 domain-flux 或 DGA 僵尸网络的 C&C 服务器。 已有一些研究工作关注此问题[1-4]，而且这些方法也取得了一定效果。Yadav 等[1]给出了一种基于所有域名一元和二元语法分布的 DGA 僵尸网络 C&C 域 名检测方法。然而，该方法特别是检测 Kraken, Bobax 或 Murofet 僵尸网络产 生的域名时效果欠佳，因为这些僵尸网络产生的域名与正常域名在一元和二元 语法分布上没有较大差别。为克服此缺陷，本文工作目标是改进和扩展 Yadav 等[1]等人的工作。本文计算了正常域名的 n-grams (n=3, 4, 5)的发生频率，并 分别给每个 n-gram 评分。为区分一个域名是合法域名还是僵尸网络产生的域 名，本文提出了一种方法来测量域名期望分值，并且结合其他两个特征来输入 II Chapter Conclusion and Future Works important features, uses the popular machine-learning algorithms to train dataset, and shows which algorithms can be applied to detect botnet with the highest efficiency The experiments show that some MLAs give very good predictive results, such as the K-Nearest Neighbor, Naïve Bayes, Support Vector Machine, Decision Trees (J48) and Random Forest classifiers However, comparing prediction performance of classifiers based on ROC curve and AUC values, the Decision Trees (J48) and Random Forest are two algorithms achieve the best performance for detecting botnet It can believe that our proposed approach is useful and can help security experts and organizations in their fight against cybercrime 6.2 Limitation and Future Work The effectiveness of the proposed method has been verified through the experimental results in the dissertation However, our work clearly has its own limitations and not comprehensive to detect all botnets on the Internet For example, for a flux domain to be detected, our method need to observe at a minimum one DNS message related to that domain Because if a flux domain is never queried by any of the users within the monitored network, our system will not be able to detect it In DGA-botnet detecting, we suppose that an attacker knows about the features that we are looking for in DNS traffic, she/he might try to evade detection by our proposed system To achieve this purpose, the attackers could try to improve their DGAs to avoid the specific features that we are looking for in DNS traffic For example, an attacker could create domain names that are comprised of a noun, verb or a combination of English language words These techniques generate domains, which attempt to exhibit lower entropy and higher ESOD making it harder to detect by our proposed method However, such domains often have a high probability of conflict with previously registered domains by legitimate users This is a selfdefeating act Therefore, the smart attackers are always thinking of ways how to 109 Southeast University, PhD Dissertation, Truong Dinh Tu design an algorithm to generate domains significantly different from human generated ones to avoid conflict, but still exhibit low entropy and high ESOD to be able to overcome our proposed method This is a new challenge for attackers to improve their DGA-bots to evade detection by our proposed system In the future work, we should collect other botnet samples, combine our current work with the lexical analysis methods in the field of natural language processing to improve the detection accuracy rate and to minimize the false positive rate For detecting of bot-infected hosts based on the similar periodic DNS queries, we plan to consider the use of the Fourier Transform to assess the spectrum and the periodicity In addition, we also plan to make our system more scalable to better keep pace with the foreseeable growing volume of DNS traffic Our future goal is to detect malicious domains as early as possible, and help to prevent other users from falling victim of the same threats 110 Bibliography Bibliography [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] Yadav S, Reddy AKK, Reddy ALN, et al Detecting Algorithmically Generated Domain-Flux Attacks With DNS Traffic Analysis [J] Ieee-Acm Transactions on Networking, 2012, 20(5): 1663-1677 Yadav S, Reddy AKK, Reddy ALN, et al Detecting algorithmically generated malicious domain names [C]// Proceedings of the 10th ACM SIGCOMM conference on Internet measurement ACM, Melbourne, Australia, 2010: 4861 Zhang Y, Zhang Y, and Xiao J Detecting the DGA-Based Malicious Domain Names [M] Springer, Trustworthy Computing and Services, 2014: 130-137 Sharifnya R and Abadi M DFBotKiller: Domain-flux botnet detection based on the history of group activities and failures in DNS traffic [J] Digital Investigation, 2015, 12(0): 15-26 Hsu C-H, Huang C-Y, and Chen K-T Fast-flux bot detection in real time [M] Recent Advances in Intrusion Detection, Springer, 2010: 464-483 Al-Duwairi BN and Al-Hammouri AT Fast Flux Watch: A Mechanism for Online Detection of Fast Flux Networks [J] Journal of Advanced Research, 2014, 5(4): 473-479 Holz T, Gorecki C, Rieck K, et al Measuring and Detecting Fast-Flux Service Networks [C]// Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08) 2008 Passerini E, Paleari R, Martignoni L, et al Fluxor: Detecting and monitoring fast-flux service networks [M] Detection of intrusions and malware, and vulnerability assessment, Springer, 2008: 186-206 Khattak S, Ramay NR, Khan KR, et al A Taxonomy of Botnet Behavior, Detection, and Defense [J] Ieee Communications Surveys and Tutorials, 2014, 16(2): 898-924 Pointer R Eggdrop [R], http://www.eggheads.org/ Terrorism Ca Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks [R] U.S Senate Judiciary Subcommittee on Crime and Terrorism, Washington, DC, 2014 Janssen C Global Threat Bot (GTbot) [EB/OL] (2014-05-06) [2015-07-10] http://www.techopedia.com/definition/59/global-threatbot-gtbot Sevcenco S SdBot [EB/OL] (2014-05-06) [2015-07-10] http://www.symantec.com/security_response/writeup.jsp?docid=2002-0513123628-99 Podrezov A F-Secure, Threat Description: Backdoor: W32/Agobot [EB/OL] (2011-02-12) [2015-07-10] https://www.f-secure.com/v-descs/agobot.shtml Schiller C and Binkley J Botnets: The Killer Web Applications [M] Syngress Publishing, 2007 451 pages Wang P, Sparks S, and Zou CC An advanced hybrid peer-to-peer botnet [J] 111 Southeast University, PhD Dissertation, Truong Dinh Tu [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] [29] [30] [31] [32] [33] IEEE Transactions on Dependable and Secure Computing, 2010, 7(2): 113127 Stewart J Phatbot trojan analysis [R], Retrieved from Secure Works http://www.secureworks.com/research/threats/phatbot, 2004 Miller C The Rustock Botnet Spams Again [R], SC Magazine, 2008 Stover S, Dittrich D, Hernandez J, et al Analysis of the Storm and Nugache Trojans: P2P is here [J] USENIX; login, 2007, 32(6): 18-27 Keizer G Top botnets control m hijacked computers [EB/OL] (2008-01-25) [2015-07-10] http://www.computerworld.com/ Security TH New Zealand Teenager Accused of Controlling Botnet of 1.3 Million Computers [EB/OL] http://www.honline.com/security/news/item/New-Zealand-teenager-accused-of-controllingbotnet-of-1-3-million-computers-734068.html Francia R Storm Worm Network Shrinks to About One-Tenth of Its Former Size [R], Tech Blorge Com, 2007: 10-21 McMillan R Spanish Police Take Down Massive Mariposa Botnet [EB/OL] [2015-07-10] http://www.pcworld.com/article/190634/article.html Miller C Researchers Hijack Control of Torpig Botnet [EB/OL] [2015-0710] http://www.scmagazine.com/researchershijack-control-of-torpigbotnet/article/136207/ Symantec Messagelabs Intelligence [R] Symantec, Security Response, 2010 Higgins K New Massive Botnet Twice the Size of Storm [J] Retrieved May, 2008, 13: 2008 Falliere N Sality: Story of a Peer-to-Peer Viral Network [R], Technical Report, Symantic Security Response, 2011 Goodin D Waledac Botnet "Decimated" by MS Takedown [EB/OL] (201003-16) [2015-07-10] http://www.theregister.co.uk/2010/03/16/waledac_takedown_success Schmudlach M Calculating the Size of the Downadup Outbreak - F-Secure Weblog : News from the Lab [EB/OL] (2009-01-16) [2015-07-10] https://www.f-secure.com/weblog/archives/00001584.html Symantic Bagle [EB/OL] (2010-01-16) [2014-01-08] http://www.messagelabs.com/mlireport/MLI_2010_04_Apr_FINAL_EN.pdf Goodin D Botnet Sics Zombie Soldiers on Gimpy Websites [EB/OL] (200802-15) [2015-07-10] http://www.theregister.co.uk/2008/05/14/asprox_attacks_websites/ Mills E Experts: Gumblar Attack Is Alive, Worse than Conficker [EB/OL] (2009-05-28) [2015-07-11] http://news.cnet.com/8301-1009_3-1025177983.html Warner G Oleg Nikolaenko, Mega-D Botmaster to Stand Trial [EB/OL] (2010-12-02) [2015-07-11] http://garwarner.blogspot.com/2010/12/olegnikolaenko-mega-d-botmaster-to.html 112 Bibliography [34] Messmer E America's 10 Most Wanted Botnets [EB/OL] (2009-07-22) [2015-07-11] http://www.networkworld.com/news/2009/072209-botnets.html [35] Crowfoot S Trojan.Bredolab Spreading in PDF Download [EB/OL] [201507-10] http://www.iceni.com/blog/trojan-bredolab-spreading-in-pdfdownload/ [36] Stewart J Spam Botnets to Watch in 2009 [EB/OL] Dell SecureWorks, (200901-13) [2015-07-11] http://www.networkworld.com/news/2009/072209botnets.html [37] Keizer G Top botnets control 1M hijacked computers [EB/OL] Computerworld, (2008-04-09) [2015-07-11] http://www.computerworld.com/article/2536378/security0/top-botnets-control1m-hijacked-computers.html [38] Ortloff S Sinkholing the Hlux/Kelihos Botnet What Happened? [EB/OL] (2013-11-12) [2015-07-11] http://www.computerworld.com/article/2536378/security0/top-botnets-control1m-hijacked-computers.html [39] Musil S More than 600,00 Macs Infected with Flashback Botnet [EB/OL] (2012-04-04) [2015-07-11] http://www.cnet.com/news/more-than-600000macs-infected-with-flashback-botnet/ [40] Spider IO Discovered: Botnet Costing Display Advertisers over Six Million Dollars per Month [EB/OL] (2013-03-19) [2015-07-11] http://www.spider.io/blog/2013/03/chameleon-botnet/ [41] Wikipedia Botnets [EB/OL] Wikipedia, [2015-07-11] https://en.wikipedia.org/wiki/Botnet [42] Zorz Z Semalt botnet hijacked nearly 300k computers [EB/OL] (2014-09-03) [2015-07-10] http://www.net-security.org/malware_news.php?id=2857 [43] Kalt C Internet Relay Chat: Architecture [R] RFC 2810, http://tools.ietf.org/html/rfc2810, 2000 [44] Fielding R, Gettys J, Mogul J, et al Hypertext Transfer Protocol HTTP/1.1 [R] RFC 2616, http://tools.ietf.org/html/rfc2616, 1999 [45] Symantec Symantec Global Internet Security Threat Report [R], 2014 [46] Jing L, Yang X, Kaveh G, et al Botnet: classification, attacks, detection, tracing, and preventive measures [J] EURASIP journal on wireless communications and networking, 2009, 2009(6): 1184-1187 [47] Sinclair G, Nunnery C, and Kang BB The waledac protocol: The how and why [C]// Malicious and Unwanted Software (MALWARE), 2009 4th International Conference on IEEE, 2009: 69-77 [48] Zhu Z, Lu G, Chen Y, et al Botnet research survey [C]// 32nd Annual IEEE International Computer Software and Applications, COMPSAC'08 IEEE, 2008: 967-972 [49] Feily M, Shahrestani A, and Ramadass S A survey of botnet and botnet detection [C]// Third International Conference on Emerging Security 113 Southeast University, PhD Dissertation, Truong Dinh Tu [50] [51] [52] [53] [54] [55] [56] [57] [58] [59] [60] [61] [62] [63] [64] Information, Systems and Technologies (SECURWARE'09) IEEE, 2009: 268273 Rodríguez-Gómez RA, Maciá-Fernández G, and García-Teodoro P Survey and taxonomy of botnet research through life-cycle [J] ACM Computing Surveys (CSUR), 2013, 45(4): 1-33 Silva SSC, Silva RMP, Pinto RCG, et al Botnets: a Survey [J] Computer Networks, 2012 Abu Rajab M, Zarfoss J, Monrose F, et al A multifaceted approach to understanding the botnet phenomenon [C]// Proceedings of the 6th ACM SIGCOMM conference on Internet measurement ACM, 2006: 41-52 Liu L, Chen S, Yan G, et al Bottracer: Execution-based bot-like malware detection [M] Springer Berlin Heidelberg, 2008: 97-113 Zeidanloo HR and Manaf AA Botnet command and control mechanisms [C]// Second International Conference on Computer and Electrical Engineering (ICCEE'09) IEEE, 2009: 564-568 Grizzard JB, Sharma V, Nunnery C, et al Peer-to-peer botnets: Overview and case study [C]// Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets 2007: 1-8 Seo I, Lee H, and Han SC Cylindrical Coordinates Security Visualization for multiple domain command and control botnet detection [J] Computers & Security, 2014, 46: 141-153 Dagon D, Gu G, Lee CP, et al A taxonomy of botnet structures [C]// Proceedings of the 23 Annual Computer Security Applications Conference 2007 (ACSAC'07) IEEE, 2007: 325-339 Barford P and Yegneswaran V An inside look at botnets [M] Malware Detection, Springer US, 2007: 171-191 Kreibich C, Kanich C, Levchenko K, et al Spamcraft: An inside look at spam campaign orchestration [C]// Proc of 2nd USENIX LEET 2009: 1-9 Tyagi AK and Nayeem S Detecting HTTP Botnet using Artificial Immune System (AIS) [J] International Journal of Applied Information Systems, 2012, 2(6): 34-37 Kim S-J, Lee S, and Bae B HAS-Analyzer: Detecting HTTP-based C&C based on the Analysis of HTTP Activity Sets [J] KSII Transactions on Internet and Information Systems (TIIS), 2014, 8(5): 1801-1816 Binsalleeh H, Ormerod T, Boukhtouta A, et al On the analysis of the zeus botnet crimeware toolkit [C]// 2010 Eighth Annual International Conference on Privacy Security and Trust (PST) IEEE, 2010: 31-38 Bilge L, Sen S, Balzarotti D, et al EXPOSURE: a passive DNS analysis service to detect and report malicious domains [J] ACM Transactions on Information and System Security (TISSEC), 2014, 16(4): 14 Thomas M and Mohaisen A Kindred domains: detecting and clustering botnet domains using DNS traffic [C]// Proceedings of the companion publication of 114 Bibliography [65] [66] [67] [68] [69] [70] [71] [72] [73] [74] [75] [76] [77] [78] the 23rd international conference on World wide web companion International World Wide Web Conferences Steering Committee, Seoul, Korea, 2014: 707712 Guerid H, Mittig K, and Serhrouchni A Privacy-preserving domain-flux botnet detection in a large scale network [C]// 2013 Fifth International Conference on Communication Systems and Networks (COMSNETS) IEEE, Bangalore, 2013: 1-9 Yadav S and Reddy ALN Winning with dns failures: Strategies for faster botnet detection [M] Security and Privacy in Communication Networks, Springer, 2012: 446-459 Valeur F, Vigna G, Kruegel C, et al Comprehensive approach to intrusion detection alert correlation [J] Dependable and Secure Computing, IEEE Transactions on, 2004, 1(3): 146-169 Seewald AK and Gansterer WN On the detection and identification of botnets [J] computers & security, 2010, 29(1): 45-58 Pouget F and Dacier M Honeypot-based forensics [C]// AusCERT Asia Pacific Information Technology Security Conference 2004 Ramachandran A and Feamster N Understanding the network-level behavior of spammers [J] ACM SIGCOMM Computer Communication Review, 2006, 36(4): 291-302 Vrable M, Ma J, Chen J, et al Scalability, fidelity, and containment in the potemkin virtual honeyfarm [J] ACM SIGOPS Operating Systems Review, 2005, 39(5): 148-162 Freiling FC, Holz T, and Wicherski G Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks [M] Springer, 2005 pages Dagon D, Zou CC, and Lee W Modeling Botnet Propagation Using Time Zones [C]// NDSS 2006: 2-13 Oberheide J, Karir M, and Mao ZM Characterizing dark dns behavior [M] Detection of Intrusions and Malware, and Vulnerability Assessment, Springer, 2007: 140-156 Karasaridis A, Rexroad B, and Hoeflin D Wide-scale botnet detection and characterization [C]// Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets Cambridge, MA, 2007 Gu G, Zhang J, and Lee W BotSniffer: Detecting botnet command and control channels in network traffic [C]// 15th Annual Network and Distributed System Security Symposium (NDSS'08) San Diego, CA, 2008: 1-18 Choi H, Lee H, Lee H, et al Botnet detection by monitoring group activities in DNS traffic [C]// Computer and Information Technology, 2007 CIT 2007 7th IEEE International Conference on IEEE, 2007: 715-720 Villamarín-Salomón R and Brustoloni JC Identifying botnets using anomaly detection techniques applied to DNS traffic [C]// Consumer Communications 115 Southeast University, PhD Dissertation, Truong Dinh Tu [79] [80] [81] [82] [83] [84] [85] [86] [87] [88] [89] [90] [91] [92] [93] and Networking Conference, 2008 CCNC 2008 5th IEEE IEEE, 2008: 476481 Dagon D Botnet detection and response [C]// OARC workshop 2005 Ramachandran A, Feamster N, and Dagon D Revealing botnet membership using DNSBL counter-intelligence [C]// Proc 2nd USENIX Steps to Reducing Unwanted Traffic on the Internet 2006: 49-54 Strayer WT, Lapsely D, Walsh R, et al Botnet Detection Based on Network Behavior [M] Springer, 2008: 1-24 Masud MM, Al-Khateeb T, Khan L, et al Flow-based identification of botnet traffic by mining multiple log files [C]// First International Conference on Distributed Framework and Applications 2008: 200-206 Gu G, Perdisci R, Zhang J, et al BotMiner: Clustering Analysis of Network Traffic for Protocol-and Structure-Independent Botnet Detection [C]// USENIX Security Symposium 2008: 139-154 Raff A DGAs: A Domain Generation Evolution [EB/OL] (2014-11-18) [2015-07-22] http://www.seculert.com/blog/2014/11/dgas-a-domaingeneration-evolution.html Antonakakis M, Perdisci R, Nadji Y, et al From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware [C]// USENIX Security Symposium 2012: 491-506 Nazario J and Holz T As the net churns: Fast-flux botnet observations [C]// 3rd International Conference on Malicious and Unwanted Software IEEE, Fairfax, 2008: 24-31 Salusky W and Danford R Know your enemy: Fast-flux service networks [EB/OL] The Honeynet Project, (2007-07-13) [2015-10-08] https://www.honeynet.org/book/export/html/130 Chen C-M, Ou Y-H, and Tsai Y-C Web botnet detection based on flow information [C]// 2010 International Computer Symposium (ICS) IEEE, Tainan, 2010: 381-384 Wang BB, Li ZT, Li D, et al Modeling Connections Behavior for Web-based Bots Detection [C]// 2nd International Conference on E-Business and Information System Security (Ebiss 2010) 2010: 141-144 Perdisci R, Corona I, and Giacinto G Early Detection of Malicious Flux Networks via Large-Scale Passive DNS Traffic Analysis [J] Dependable and Secure Computing, IEEE Transactions on, 2012, 9(5): 714-726 ISC Security Information Exchange [EB/OL] https://sie.isc.org Antonakakis M, Perdisci R, Lee W, et al Detecting Malware Domains at the Upper DNS Hierarchy [C]// USENIX Security Symposium 2011: 16 Ma J, Saul LK, Savage S, et al Beyond blacklists: learning to detect malicious web sites from suspicious URLs [C]// Proceedings of the 15th ACM SIGKDD international conference on Knowledge discovery and data mining ACM, 2009: 1245-1254 116 Bibliography [94] Keogh E, Chakrabarti K, Pazzani M, et al Locally adaptive dimensionality reduction for indexing large time series databases [J] ACM SIGMOD Record, 2001, 30(2): 151-162 [95] Jain AK, Murty MN, and Flynn PJ Data clustering: a review [J] ACM computing surveys (CSUR), 1999, 31(3): 264-323 [96] Jakalan A, Jian G, and ShangDong L Distributed Low-Interaction Honeypot System to Detect Botnets [C]// International Conference on Computer Engineering and Technology, 3rd (ICCET 2011) 2011: 413-419 [97] Virus Share [EB/OL] http://virusshare.com/ [98] Virus Total [EB/OL] https://www.virustotal.com/ [99] Jain AK and Dubes RC Algorithms for clustering data [M] Vol 6, Prentice hall Englewood Cliffs, 1988 pages [100] Jian J, Jian-Wei Z, Hai-Xin D, et al Research on Botnet Mechanisms and Defenses [J] Journal of Software, 2012, 23(1): 82-96 [101] Qu YZ and Lu QK Effectively Mining Network Traffic Intelligence to Detect Malicious Stealthy Port Scanning to Cloud Servers [J] Journal of Internet Technology, 2014, 15(5): 841-852 [102] Zhou HX, Guo W, and Feng Y An Automatic Extraction Approach of Worm Signatures Based on Behavioral Footprint Analysis [J] Journal of Internet Technology, 2014, 15(3): 405-412 [103] García S, Zunino A, and Campo M Survey on network-based botnet detection methods [J] Security and Communication Networks, 2013, 7(5): 878-903 [104] Nazario J and Holz T As the net churns: Fast-flux botnet observations [C], IEEE, 2008: 24-31 [105] Martinez-Bea S, Castillo-Perez S, and Garcia-Alfaro J Real-time Malicious Fast-flux Detection Using DNS and Bot Related Features [C]// 2013 Eleventh Annual International Conference on Privacy, Security and Trust 2013: 369372 [106] Huang R-D, Kuo S-Y, and Chou Y-H Detecting Strategy of Fast Flux Domain Based on Hidden Markov Model [J] Journal of Internet Technology, 2015, 16(2): 277-287 [107] Schiavoni S, Maggi F, Cavallaro L, et al Phoenix: DGA-Based Botnet Tracking and Intelligence [M] Detection of Intrusions and Malware, and Vulnerability Assessment, Springer, 2014: 192-211 [108] Alexa top global sites [EB/OL] (2013-03-20) [2014-06-30] http://www.alexa.com/topsites [109] Bayer U, Kruegel C, and Kirda E Anubis: Analyzing Unknown Binaries [R], https://anubis.iseclab.org/, 2008 [110] Witten IH and Frank E Data Mining: Practical machine learning tools and techniques [M] Morgan Kaufmann, 2011 [111] Ghorbani AA, Lu W, and Tavallaee M Network intrusion detection and 117 Southeast University, PhD Dissertation, Truong Dinh Tu prevention: concepts and techniques [M] Springer, 2009 [112] Manocha S and Girolami M An empirical analysis of the probabilistic Knearest neighbour classifier [J] Pattern Recognition Letters, 2007, 28(13): 1818-1824 [113] Wang L Support Vector Machines: theory and applications [M] Vol 177, Springer, 2005 pages [114] Xiao-Bai L A scalable decision tree system and its application in pattern recognition and intrusion detection [J] Decision Support Systems, 2005, 41(1): 112-130 [115] Bradley AP The use of the area under the ROC curve in the evaluation of machine learning algorithms [J] Pattern Recognition, 1997, 30(7): 1145-1159 [116] Hand DJ Measuring classifier performance: a coherent alternative to the area under the ROC curve [J] Machine learning, 2009, 77(1): 103-123 [117] Truong DT and Cheng G Detecting Bot-Infected Machines Based On Analyzing The Similar Periodic DNS Queries In Network Traffic [C]// Conference on Computing, Management and Telecommunications (ComManTel 2015) Danang, Vietnam, 2015 [118] Shannon CE A mathematical theory of communication [J] ACM SIGMOBILE Mobile Computing and Communications Review, 2001, 5(1): 355 [119] Theodoridis S and Koutroumbas K Pattern Recognition [M] Academic Press, 2009 pages [120] Domains M Malware Domain Blocklist [EB/OL] http://www.malwaredomains.com/ [121] Tracker Z ZeuS Tracker: ZeuS blocklist [EB/OL] https://zeustracker.abuse.ch/blocklist.php?download=Domainblocklist [122] Porras P, Saidi H, and Yegneswaran V A foray into Conficker's logic and rendezvous points [C]// Proceedings of the 2nd USENIX conference on Largescale exploits and emergent threats: botnets, spyware, worms, and more USENIX Association, Boston, MA, 2009: 7-7 [123] Stone-Gross B, Cova M, Cavallaro L, et al Your botnet is my botnet: analysis of a botnet takeover [C]// Proceedings of the 16th ACM conference on Computer and communications security ACM, 2009: 635-647 [124] Jain AK and Dubes RC Algorithms for clustering data [M] Prentice-Hall, Inc., 1988 320 pages [125] Zou FT, Zhang SY, and Rao WX Hybrid Detection and Tracking of FastFlux Botnet on Domain Name System Traffic [J] China Communications, 2013, 10(11): 81-94 [126] Hsu F-H, Wang C-S, Hsu C-H, et al Detect Fast-Flux Domains Through Response Time Differences [J] Ieee Journal on Selected Areas in Communications, 2014, 32(10): 1947-1956 [127] Gržinić T, Perhoč D, Marić M, et al CROFlux-Passive DNS method for 118 Bibliography detecting fast-flux domains [C]// 37th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO) 2014: 1376-1380 [128] Chen C-M, Huang M-Z, and Ou Y-H Detecting Hybrid Botnets with Web Command and Control Servers or Fast Flux Domain [J] Journal of Information Hiding and Multimedia Signal Processing, 2014, 5(2): 263-274 [129] Lin H-T, Lin Y-Y, and Chiang J-W Genetic-based Real-time Fast-Flux Service Networks Detection [J] Computer Networks, 2013, 57(2): 501-513 [130] Chen C-M, Huang M-Z, and Ou Y-H Detecting web-based botnets with fast-flux domains [M] Advances in Intelligent Systems and ApplicationsVolume 2, Springer, 2013: 79-89 [131] Celik ZB and Oktug S Detection of Fast-Flux Networks using various DNS feature sets [C]// Computers and Communications (ISCC), 2013 IEEE Symposium on IEEE, 2013: 000868-000873 [132] Wang H-T, Mao C-H, Wu K-P, et al Real-time fast-flux identification via localized spatial geolocation detection [C]// Computer Software and Applications Conference (COMPSAC), 2012 IEEE 36th Annual IEEE, 2012: 244-252 [133] Fjellskål EB PassiveDNS: A tool to collect DNS records passively [EB/OL] (2014-01-01) [2015-09-20] https://github.com/gamelinux/passivedns [134] Caglayan A, Toothaker M, Drapaeau D, et al Behavioral patterns of fast flux service networks [C]// System Sciences (HICSS), 2010 43rd Hawaii International Conference on IEEE, 2010: 1-9 [135] Caglayan A, Toothaker M, Drapeau D, et al Real-time detection of fast flux service networks [C]// Conference For Homeland Security, 2009 CATCH'09 Cybersecurity Applications & Technology IEEE, 2009: 285-292 [136] Wu J, Zhang L, Liang J, et al A comparative study for fast-flux service networks detection [C]// Networked Computing and Advanced Information Management (NCM), 2010 Sixth International Conference on IEEE, 2010: 346-350 [137] Yu S, Zhou S, and Wang S Fast-flux attack network identification based on agent lifespan [C]// 2010 IEEE International Conference on Wireless Communications, Networking and Information Security (WCNIS) IEEE, Beijing, China, 2010: 658-662 [138] Chen Z, Wang J, Zhou Y, et al An improvement for fast-flux service networks detection based on data mining techniques [M] Rough Sets, Fuzzy Sets, Data Mining and Granular Computing, Springer, 2011: 302-309 [139] Wang X, Shi J, He L, et al Analyzing the availability of fast-flux based service network under countermeasures [C]// Communications, Circuits and Systems (ICCCAS), 2010 International Conference on IEEE, 2010: 259-264 [140] Perdisci R, Corona I, Dagon D, et al Detecting malicious flux service networks through passive analysis of recursive dns traces [C]// Computer 119 Southeast University, PhD Dissertation, Truong Dinh Tu Security Applications Conference ACSAC'09 Annual IEEE, Honolulu, 2009: 311-320 [141] Castelluccia C, Kaafar MA, Manils P, et al Geolocalization of proxied services and its application to fast-flux hidden servers [C]// Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference ACM, 2009: 184-189 [142] Zhou CV, Leckie C, and Karunasekera S Collaborative detection of fast flux phishing domains [J] Journal of Networks, 2009, 4(1): 75-84 [143] DNSDB: Security Information Exchange [EB/OL] (2014-02-20) [2015-1002] https://www.dnsdb.info/ [144] Truong DT, Cheng G, Ahmad J, et al Detecting DGA-Based Botnet With DNS Traffic Analysis In Monitored Network [J] Journal of Internet Technology (JIT), 2015, Accepted to publish [145] Arbor Networks, Inc ATLAS Summary Report: Global Fast Flux [EB/OL] (2014-01-01) [2015-09-20] http://atlas.arbor.net/summary/fastflux [146] Malware Domain List [EB/OL] (2014-01-01) http://www.malwaredomainlist.com/hostslist/hosts.txt [147] Malware Domains [EB/OL] (2014-01-01) http://mirror1.malwaredomains.com/files/domains.txt [148] PhishTank [EB/OL] (2014-01-01) http://data.phishtank.com/data/onlinevalid.csv [149] hpHosts [EB/OL] (2014-01-01) http://hphosts.gt500.org/hosts.txt [150] CyberCrime Tracker [EB/OL] (2014-01-01) http://cybercrimetracker.net/all.php 120 Acknowledgements Acknowledgements Foremost, I would like to express my most sincere thanks and gratitude to my advisor, Prof Cheng Guang, who led me on this journey, guided me towards the right direction, and provided me with insightful and inspiring advice during the four years at School of Computer Science and Engineering, Southeast University I have been extremely lucky to work with him He has had an enormous impact for me and set a benchmark for me to follow in my career I have learnt a lot during the time spent in his laboratory and had many lively discussions, which will benefit me in my later study I am also grateful to my dissertation committee members, Prof Gong Jian, Prof Ding Wei and Prof Wu Hua for their interest in my work Their insightful comments have significantly improved the quality of my work I would like to extend my thank-you to all my lab mates and Vietnamese students whom supporting me to much more through encouragement, idea, gathers information, taking extra dissection during my study I would particularly like to thank my family for their mental support and encouragement, my dear mother, my dear father, my sisters, and my younger brother Without their support and encouragement, I would not have the confidence and perseverance to go through this journey Finally, I am grateful to all those who devote much time to reading this dissertation and give me much advice, which will benefit me in my later study Again, thanks to all the people mentioned above! Nanjing, China November 2015 Truong Dinh Tu 121 Southeast University, PhD Dissertation, Truong Dinh Tu 122 List of Publications List of Publications Truong Dinh Tu and Cheng Guang " Detecting Bot-Infected Machines Based On Analyzing The Similar Periodic DNS Queries In Network Traffic," in Conference on Computing, Management and Educational Tech (ComManTel 2015), 2015 (EI index, Accepted) Truong Dinh Tu, Cheng Guang, Ahmad Jakalan, Guo Xiao Jun and Zhou Ai Ping "Detecting DGA-Based Botnet With DNS Traffic Analysis In Monitored Network," Journal of Internet Technology (JIT), 2015 (EI, SCI index, Accepted) Truong Dinh Tu, Cheng Guang, Guo Xiao Jun, and Pan Wu Bin, “Evil-hunter: a novel web shell detection system based on scoring scheme,” Journal of Southeast University (English Edition), vol 30, no 3, pp 278-284, 2014 (EI index) Truong Dinh Tu, Cheng Guang, Guo Xiao Jun, and Pan Wu Bin, "Webshell detection techniques in web applications," in International Conference on Computing, Communication and Networking Technologies (ICCCNT), pp 1-7, 2014 (EI index) Truong Dinh Tu and Cheng Guang, "A novel bot identification method based on Domain-Flux traffic features", in The 16th Cross-Strait Conference on Information Technology (CSIT2014), 2014 Truong Dinh Tu, Cheng Guang, Guo Xiao Jun "Detecting Domain-Flux Botnet Based on DNS Traffic Features in Monitored Network," 2015 (SCI index, in progress review) Truong Dinh Tu, Cheng Guang "Detecting Fast-Flux Service Networks Uses Feature-Based Machine Learning Classification Techniques," China Communications (SCI index, in progress review) Guo Xiao Jun, Cheng Guang, Zhu Chen Gang, Truong Dinh Tu, and Zhou A.P, "Progress in research on active network flow watermark", Tongxin Xuebao/Journal on Communications, vol 35, pp 178-192, 2014 (EI index) Zhou Ai Ping, Cheng Guang, Guo Xiao Jun, Truong Dinh Tu and Zhu Cheng Gang "Heavy Hitter Identification Based on Adaptive Sampling with MapReduce", in International journal of Computer Systems Science and Engineering, 2015 (SCI index) 10 Guo Xiao Jun, Cheng Guang, Zhu Chen Gang, Zhou Ai Ping, Pan Wu Bin, and Truong Dinh Tu, "Make Your Webpage Carry Abundant Secret Information Unawarely," in High Performance Computing and Communications & 2013 IEEE International Conference on Embedded and Ubiquitous Computing (HPCC_EUC), 2013 IEEE 10th International Conference on, pp 541-548, 2013 (EI index) 123 [...]... XVI Chapter 1 Introduction 1 1.1 Botnet Definition 1 1.1.1 Bot and botnet 1 1.1.2 History of the Botnet 2 1.1.3 Botnet Architecture 4 1.1.4 Botnet lifecycle 8 1.2 Evolution of Botnet 11 1.2.1 IRC -Based Botnet 12 1.2.2 P2P -Based Botnet 12 1.2.3 HTTP- Based Botnet 13 1.3 Motivation and Challenges... Works 21 2.1 Botnet Detection Techniques 21 2.1.1 Honeypots -based detection 21 2.1.2 Anomaly -based Detection 23 2.1.3 DNS -based Detection 23 2.1.4 Mining -based Detection 25 IX Southeast University, PhD Dissertation, Truong Dinh Tu 2.2 Detection evasion techniques 26 2.2.1 DGA -Based technique 26 2.2.2 Fast Flux -Based technique ... or DGA -based botnets infected machines inside an enterprise network or the monitored network; (2) To detect C&C servers of botnets using domain-flux or DGA -based evasion techniques; (3) To detect malicious Fast-Flux Service Networks (FFSNs) The main contents of these three research works are summarized as follows: The first problem is how to identify the presence of domain-flux or DGA -based botnets... 10,500,000+ 10 HTTP [29] Bobax Bobic, Oderoor 185,000 9 HTTP [30] Asprox - 15,000 - HTTP [31] Gumblar - - - HTTP [32] Mega-D Ozdok 509,000 10 HTTP [33] Zeus Zbot, PRG, Wsnpoem 3,600,000 n/a HTTP [34] BredoLab Oficla 30,000,000 3.6 HTTP [35] Donbot Buzus, Bachsoy 125,000 0.8 HTTP [36] Wopla Pokier, Slogger 20,000 0.6 HTTP [37] 2010 Kelihos Hlux 300,000+ 4 P2P [38] LowSec LowSecurity 11,000+ 0.5 HTTP [30]... threat and proposed many effective botnet detection approaches However, botnet developers are constantly developing new techniques in order to improve their bot and avoid the detection from security researchers In recent years, HTTP- based botnets have become more widespread and caused enormous damage to many government organizations and industries New generation HTTP botnets tend to use techniques called... rarely used in corporate networks; in fact, it is usually blocked Therefore, a network administrator may prevent IRC botnet activity simply by detecting IRC traffic in the network and blocking it with firewalls Due to the restrictions on IRC traffic in corporate networks, the Hyper Text Transfer Protocol (HTTP) [44] became popular as a mechanism for implementing C&C communication The HTTP is the protocol... format of the IRC protocol is unique, making IRC traffic easily distinguishable from normal traffic Agobot, Spybot, and Sdbot are some popular IRC based botnets [58] After the relative success of researchers in tackling the issue of IRC botnets, the next step of cyber criminals in botnet evolution was Peer-to-Peer (P2P) botnet communication 1.2.2 P2P -Based Botnet To make their infrastructure more resilient,... DGA -based botnets infected machines inside the enterprise network or the monitored network To answer this question, multiple well-known domain-flux or DGA -based botnet samples are collected, such as Kraken, Zeus, Conficker, Bobax and Murofet botnets Then, we execute these bot samples in a virtual machine environment to obtain network traffic traces Through examining and analyzing on the large number... classifiers using 10-fold CV and percentage split 65 Table 4.3: The obtained DNS Traffic Data from our experiment 67 Table 4.4: The detection results for C&C domains 69 Table 4.5: The detection results of C&C server’s IP addresses 70 Table 4.6: The performance comparison between our approach and Ying et al 71 Table 5.1: Example of raw DNS traffic data sniffed from a network. .. fast-flux to avoid the detection Some botnets use the domain-flux technique to evade from being blacklisted; some botnets use the fast-flux technique to hide the true location of their servers Therefore, the main research objective of this dissertation is to build solutions for detecting HTTP botnets that attackers often use techniques such as DGA, domain-flux or fast-flux to evade the detection To achieve ...博士学位论文 HTTP- BASED BOTNET DETECTION USING NETWORK TRAFFIC TRACES 专 业 名 称：计算机系统结构 研究生姓名：TRUONG DINH TU 导 师 姓 名： 程 光 教授 HTTP- BASED BOTNET DETECTION USING NETWORK TRAFFIC TRACES A Dissertation... 2.1 Botnet Detection Techniques 21 2.1.1 Honeypots -based detection 21 2.1.2 Anomaly -based Detection 23 2.1.3 DNS -based Detection 23 2.1.4 Mining -based Detection. .. scale of network 2.1.4 Mining -based Detection One effective technique for botnet detection is to identify botnet C&C traffic However, botnet C&C traffic is difficult to detect In fact, since botnets