Research on Detection Techniques for Anomalous Communication in the Remote-Control Stage of Advanced Persistent Threats
Topic: Advanced Persistent Threat + DGA dynamic domain names. Reference: Nanjing University of Science and Technology, 2017 master's thesis
【Abstract】: The rapid development and wide application of computer and network technology have brought people convenience, but also a variety of security problems. In recent years the Advanced Persistent Threat (APT), characterised by zero-day penetration and highly covert, persistent control, has become the most serious concern in network security and has drawn wide attention from industry and academia. Detecting in good time the APT threats that may be present in one's own network is one of the key problems in defending against them. Drawing on a number of APT attack cases and sample data, this thesis analyses the behavioural characteristics of anomalous communication in the remote-control stage of APT attacks, designs on that basis features that make detection of anomalous remote-control communication feasible, proposes a practical machine-learning-based detection method for anomalous communication, and, with that method at its core, designs and implements a detection program for anomalous communication in the remote-control stage of APT attacks, whose effectiveness is verified experimentally. Specifically, the thesis completes the following work: (1) Through an in-depth study of anomalous communication in the remote-control stage of APT attacks, it analyses in detail why a controlled host usually obtains the IP address of the CC server through dynamic domain names generated by a Domain Generation Algorithm (DGA), how DGAs generate such dynamic domain names, and how these differ structurally from normal domain names; it also analyses from several angles the differences between the TCP communication behaviour of APT attacks during remote control and normal communication. Based on these characteristics, a machine-learning-based anomalous communication detection method is proposed. (2) Based on an analysis and comparison of the character-level features of various DGA dynamic domain names and legitimate domain names, several feature indicators are designed and extracted, and their discriminative power is verified on domain name samples; taking the accuracy and efficiency of the detection model into account, a feature selection algorithm is used to settle on 11 feature indicators for detecting DGA dynamic domain names in practice. (3) For the characteristics of anomalous TCP communication behaviour of APT attacks in the remote-control stage, network traffic analysis is used to choose the TCP flow as the feature extraction source; several feature indicators are then designed and extracted, their effectiveness is analysed against real data, and finally a feature selection algorithm is again used to determine the 10 best detection features. (4) Using the designed feature indicators, the performance of detection models built with several machine learning methods is compared, and a GBDT classifier is chosen for both the DGA dynamic domain name and the anomalous TCP communication detection models. A detection program for anomalous communication in the remote-control stage of APT attacks is then designed and implemented; it captures network data through the Libpcap interface of PF_RING and uses a domain name and IP whitelist to reduce the program's workload and false alarm rate. Its effectiveness is verified through simulation experiments. Finally, the thesis summarises the work and points out directions for further research.
[Abstract]: The rapid development and wide application of computer and network technology not only bring convenience to people, but also bring all kinds of security problems. In recent years, the Advanced Persistent Threat (APT), which is characterised by zero-day penetration, concealment and persistent control, has become the most concerning threat in the field of network security. How to detect in time the APT attack threats that may exist in our network is one of the important problems in defending against APT threats. Based on some APT attack cases and sample data, this paper analyses the behaviour characteristics of abnormal communication in the remote-control stage of APT attacks, and then designs the relevant features for detecting abnormal remote-control communication. An anomalous communication detection method based on machine learning is proposed, and a detection program for abnormal communication in the remote-control stage of APT attacks is designed and implemented with this method as its core. The validity of the detection program is verified by experiments. Specifically, this paper mainly completes the following work: 1) Through an in-depth study of abnormal communication in the remote-control stage of APT attacks, this paper analyses in detail the reason why the controlled host usually obtains the IP address of the CC server through dynamic domain names generated by a domain generation algorithm (DGA), the working principle by which the DGA generates the dynamic domain names, and the structural differences between these and normal domain names. On the other hand, the differences between the TCP communication behaviour of APT attacks and normal communication are analysed from several aspects. According to these characteristics, an anomalous communication detection method based on machine learning is proposed.
2) Based on the analysis and comparison of the character features of various DGA dynamic domain names and legal domain names, several feature indexes are designed and extracted, and the ability of these feature indexes to distinguish the two is verified on the relevant domain name samples; considering the accuracy and efficiency of the detection model, 11 feature indexes used to detect DGA dynamic domain names are determined with a feature selection algorithm. 3) Aiming at the characteristics of abnormal TCP communication behaviour of APT attacks in the remote-control stage, the TCP stream is determined as the feature extraction source by the network traffic analysis method. Then several feature indexes are designed and extracted, and the validity of these feature indexes is analysed in combination with actual data. Finally, 10 optimal detection features are determined using the feature selection algorithm. 4) By comparing and analysing the performance of detection models constructed with various machine learning methods, it is determined that both the DGA dynamic domain name and the abnormal TCP communication detection models are GBDT classifiers. Then the detection program for abnormal communication in the remote-control phase of APT attacks is designed and implemented. The detection program uses the Libpcap interface of PF_RING to capture network data, and a domain name and IP whitelist is designed to reduce the workload and false alarm rate of the detection program. The validity of the detection program is verified by simulation experiments. Finally, the paper summarises the full text and points out the next research direction.
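As an added illustration (not code from the thesis), the following Python script shows the shape of the pipeline the abstract describes: a domain and IP whitelist is applied first to cut load and false alarms, and character-level feature indicators are then extracted from the registered label of each surviving domain name. The particular features here (label length, Shannon entropy, vowel ratio, digit ratio, unique-character ratio, longest consonant run, label count), the whitelist entries and the sample queries are all assumptions constructed for this example; they are not the thesis's 11 selected indicators. The feature vectors this produces are the kind of input a classifier such as the GBDT the thesis settles on would be trained on; no classifier is included here.

```python
import math
from collections import Counter

# Constructed whitelist (illustrative entries only, not from the thesis).
# The thesis uses a domain and IP whitelist to reduce workload and false alarms.
WHITELIST_DOMAINS = {"example.com", "update.example.org"}
WHITELIST_IPS = {"192.0.2.10"}

VOWELS = frozenset("aeiou")


def registered_label(domain):
    """Label directly left of the TLD. Naive split: no public-suffix list,
    so 'bbc.co.uk' yields 'co'; a real deployment would consult a PSL."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits per character; random DGA labels sit near log2(alphabet size),
    while dictionary-like labels are noticeably lower."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s):
    """Length of the longest run of consecutive consonants (digits break a run)."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def extract_features(domain):
    """Assumed character-level indicators for one domain name."""
    label = registered_label(domain)
    n = max(len(label), 1)
    alpha = [c for c in label if c.isalpha()]
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(sum(c in VOWELS for c in alpha) / max(len(alpha), 1), 3),
        "digit_ratio": round(sum(c.isdigit() for c in label) / n, 3),
        "unique_ratio": round(len(set(label)) / n, 3),
        "max_consonant_run": longest_consonant_run(label),
        "label_count": len(domain.strip(".").split(".")),
    }


def is_whitelisted(domain, resolved_ip=None):
    """Suffix match, so 'cdn.example.com' is covered by 'example.com' while
    'example.com.evil.net' is not; an exact IP hit also whitelists the query."""
    d = domain.lower().strip(".")
    if resolved_ip in WHITELIST_IPS:
        return True
    return any(d == w or d.endswith("." + w) for w in WHITELIST_DOMAINS)


def triage(queries):
    """Whitelist first, then feature extraction for everything that survives.
    Returns a list of (domain, feature dict) ready for a classifier."""
    return [(domain, extract_features(domain))
            for domain, ip in queries if not is_whitelisted(domain, ip)]


# Constructed sample queries: two ordinary-looking names, two DGA-looking ones.
SAMPLE_QUERIES = [
    ("www.example.com", "192.0.2.10"),
    ("mail.google.com", "198.51.100.7"),
    ("xkq7v2m9zpl4.com", "203.0.113.4"),
    ("qwrtzpsdfghjk.net", "203.0.113.9"),
]

if __name__ == "__main__":
    for domain, feats in triage(SAMPLE_QUERIES):
        print(domain, feats)
```

The whitelist match is deliberately a suffix match on whole labels rather than a substring check, which is the difference between suppressing a legitimate CDN subdomain and silently suppressing a look-alike name that merely embeds a trusted domain.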
【Degree-granting institution】: Nanjing University of Science and Technology
【Degree level】: Master's
【Year of award】: 2017
【Classification number】: TP393.08
【相似文獻(xiàn)】
相關(guān)期刊論文 前10條
1 震震有詞;;玩木馬愛好者的新寵 “維度遠(yuǎn)控”[J];網(wǎng)友世界;2010年06期
2 震震有詞;;虎年抓雞就用“牧民遠(yuǎn)控”[J];網(wǎng)友世界;2010年06期
3 震震有詞;;香蕉也能來遠(yuǎn)控[J];網(wǎng)友世界;2010年05期
4 曾琳;;遠(yuǎn)控技術(shù)的風(fēng)險與控制[J];農(nóng)村電氣化;2013年04期
5 方玉;;遠(yuǎn)控電路起動難的解決方法[J];電工技術(shù);1994年04期
6 萬立夫;;末日2012 就是個遠(yuǎn)控木馬[J];網(wǎng)友世界;2011年17期
7 萬立夫;;簡單新穎的先鋒遠(yuǎn)控[J];網(wǎng)友世界;2010年13期
8 郭建偉;;突破常規(guī) 讓遠(yuǎn)控服務(wù)更具活力[J];電腦愛好者;2012年08期
9 方華;王懷周;楊思祥;續(xù)欣;賈躍偉;;CDM-570L遠(yuǎn)控軟件的設(shè)計與實現(xiàn)[J];通信技術(shù);2013年11期
10 震震有詞;;讓遠(yuǎn)控中的帶頭大哥更無敵[J];網(wǎng)友世界;2010年Z1期
相關(guān)會議論文 前1條
1 鄧秉林;;BEPCⅡ直線真空自動遠(yuǎn)控系統(tǒng)的實現(xiàn)[A];第三屆全國加速器技術(shù)學(xué)術(shù)交流會論文摘要集[C];2007年
相關(guān)重要報紙文章 前1條
1 東棟;紅峽廠遠(yuǎn)控清理裝置通過驗收[N];中國航天報;2009年
相關(guān)碩士學(xué)位論文 前2條
1 方瑋;高級持續(xù)性威脅遠(yuǎn)控階段異常通信的檢測技術(shù)研究[D];南京理工大學(xué);2017年
2 趙則珍;某大型冶金企業(yè)動力系統(tǒng)實時遠(yuǎn)控系統(tǒng)的開發(fā)[D];西安建筑科技大學(xué);2010年
Page ID: 1808616
Page link: http://sikaile.net/guanlilunwen/ydhl/1808616.html