TWI656778B - Malicious domain detection method combining network information and network traffic - Google Patents

Malicious domain detection method combining network information and network traffic

Info

Publication number
TWI656778B
Authority
TW
Taiwan
Prior art keywords
domain
malicious
unknown
network
benign
Prior art date
Application number
TW106116836A
Other languages
Chinese (zh)
Other versions
TW201902174A (en)
Inventor
鄭棕翰
陳建智
張光宏
周國森
施君熹
Original Assignee
中華電信股份有限公司
Application filed by 中華電信股份有限公司
Priority to TW106116836A
Publication of TW201902174A
Application granted
Publication of TWI656778B


Abstract

A malicious domain detection method combining domain intelligence and network traffic. Domain intelligence stored in a Cyber Threat Intelligence Sharing Platform (CTISP) is combined with network traffic data; through the Process-Domain Behavior Graph proposed by the present invention, the Process Behavior features of malicious and benign domains are obtained, a domain maliciousness model is trained from them by machine learning, and that model is then used to measure the maliciousness of unknown domains. Finally, the newly detected malicious domains and their maliciousness scores are fed back to the CTISP. Because CTISPs are deployed in different regions (enterprises), localized intelligence from each region can be collected, and exchanging that intelligence continually improves accuracy; at the same time, when the same malicious domain or feature appears in a different region it can also be detected, achieving a regional joint-defense effect.

Description

Malicious domain detection method combining network information and network traffic

The present invention relates to a method for detecting malicious domains, in particular one that trains a malicious-domain behavior model from enterprise internal proxy server logs combined with a Cyber Threat Intelligence Sharing Platform (CTISP). The method is based on the network connection behavior produced by the malware that attackers use, derived from large volumes of traffic data; therefore, however the URL changes, its degree of maliciousness can still be detected. The detected cyber threat intelligence is stored in the CTISP, and through an intelligence sharing and feedback mechanism the accuracy of that intelligence is continually improved.

After an attacker has set up a relay station (C&C server), the attacker attempts to implant malware into victim hosts through spam, phishing sites or other channels, turning them into bots; the malware on a compromised host then communicates with the relay station through specific connection behavior.

To prevent this, Republic of China Patent No. I455546, "Detection method and detection system for malicious domains using fast-flux domain technology", uses router information, including router host names and the autonomous system numbers of network addresses, and judges a domain malicious when specific parts of the router host names are identical or when the packet transmission time exceeds a preset check value. However, because that patent uses packet transmission time as the basis for assessing maliciousness, it is only suited to comparing popular domain names with malicious domain names, and it is prone to false positives for little-known benign domain names.

In addition, US Patent Application No. US 20120198549 A1, "Method and system for detecting malicious domain names at an upper DNS hierarchy", detects malicious domain names from passive DNS logs. It relies on cooperation with ISPs and special parties, such as operators of an Authority Domain Name Server (hereinafter ADNS), to obtain passive DNS logs with richer samples, and then separates benign from malicious domain names using the resource records (RR) in those logs. Although that patent uses many features (about 41), they are in fact all derived from four fields, time stamp, domain name, resource record type and returned IP (excluding Time To Live), so considerable misclassification remains for CDN domain names and fast-flux domain names.

It can be seen that existing techniques and methods each have their problems and urgently need improvement. In view of this, the present invention addresses the above needs through active research and improvement, resulting in this malicious domain detection method combining domain intelligence and network traffic.

To solve the above problems of the prior art, one object of the present invention is to provide a malicious domain detection method that combines domain intelligence and network traffic to detect the maliciousness of unknown domains.

To solve the above problems of the prior art, another object of the present invention is to provide a Process-Domain Behavior Graph, generated from the domain-connection behavior in network traffic, that effectively captures the connection features of malicious domains.

Referring to FIG. 1, to achieve the above objects, the method of the present invention uses CTISPs deployed in different regions (enterprises) to help enterprises assess the maliciousness of domains. The CTISPs share domain intelligence with one another to achieve regional joint defense. A CTISP mainly comprises an intelligence sharing module 101, a threat intelligence database 102, an intelligence collection module 103, a network traffic capture (log) module 104, and a malicious domain detection (MD-Miner) module 105.

The intelligence sharing module 101 shares the local domain intelligence with other CTISPs. The threat intelligence database 102 stores domain intelligence such as FQDNs (fully qualified domain names), IP addresses, URLs (Uniform Resource Locators), files and intelligence sources. The intelligence collection module 103 receives domain intelligence from different sources, such as the malicious domain detection (MD-Miner, Malicious-Domain Miner) module 105, antivirus services such as VirusTotal, or network access security gateway systems such as Bluecoat. The network traffic capture (log) module 104 receives data produced from network traffic, for example PCAP files from captured traffic and proxy server logs. The malicious domain detection module 105 generates the network behavior features of unknown domains and computes their maliciousness to assess the threat level of each unknown domain.

Referring to FIGS. 2 to 5, in step 201 the malicious domain detection module 105 uses the Domain, Client-IP and UserAgent information in the network traffic to generate a Process-Domain Behavior Graph. Each distinct (Client-IP, UserAgent) pair is treated as one Process; let P be the set of Processes and D the set of distinct Domains. A Process node p_i ∈ P that connects to a Domain node d_j ∈ D produces an edge, so Processes and Domains form a bipartite graph, called the Process-Domain Behavior Graph. In step 202 all Domains and Processes in the graph are labelled: the black and white lists in the threat intelligence database of the CTISP mark every Domain appearing in the graph as malicious, benign or unknown, and a Process node that has queried a Domain marked malicious is itself marked malicious, as shown by Process1 and Process2 in FIG. 4. In step 203 the Domain features are extracted from the graph; the Process Behavior features, namely the set of Processes, the percentage of compromised Processes and the percentage of unknown Processes, are all obtained from the Process-Domain Behavior Graph. In step 204 the labelled malicious and benign domains, together with their feature values, are fed into a machine learning algorithm for training, producing the domain maliciousness model of step 205. In step 206 the domains marked unknown in the threat intelligence database of the CTISP, together with the feature values computed in step 203, are input to the domain maliciousness model of step 205 to obtain their maliciousness.

Finally, the CTISP normalizes the newly detected malicious domain intelligence, including the maliciousness information, and makes it available through the intelligence sharing module to the whole CTISP cluster. Exchanging domain intelligence between CTISP clusters forms a positive feedback loop of shared intelligence and regional joint defense. The wider the deployment, the more easily the defensive effect is achieved, effectively resisting cross-region attacks on enterprises.

101‧‧‧intelligence sharing module

102‧‧‧threat intelligence database

103‧‧‧intelligence collection module

104‧‧‧network traffic capture (log) module

105‧‧‧malicious domain detection (MD-Miner) module

201~206‧‧‧process steps

S601~S610‧‧‧process steps

FIG. 1 is a usage scenario diagram of the malicious domain detection method of the present invention; FIG. 2 is an operational flowchart of the malicious domain detection module; FIG. 3 is a schematic diagram of the Process-Domain Behavior Graph; FIG. 4 is a schematic diagram of Domains in the Process-Domain Behavior Graph labelled malicious, benign or unknown; FIG. 5 is a schematic diagram of feature extraction from the Process-Domain Behavior Graph; FIG. 6 is a flowchart of the malicious domain detection method of the present invention.

Specific embodiments are described below to illustrate the implementation of the present invention, but not to limit its protected scope. When an enterprise wants to use a CTISP together with its internal network traffic to identify the maliciousness of the domains its internal hosts connect to, a CTISP is installed at the enterprise's internal network gateway. The network traffic capture (log) module receives the network data generated from traffic or the log data generated by the proxy server; once this data is imported into MD-Miner, analysis of domain maliciousness begins.

The flow of the method of the present invention is shown in FIG. 6. S601 is long-term internal network traffic data of an enterprise, whose content is as shown in Table 1. After input to MD-Miner, a Process-Domain Behavior Graph is formed in S602; when forming the graph, the Client-IP and User Agent are treated as one Process. This concept is extended from digital forensics experience: when analyzing malware, the C&C relay station is identified in order to discover other infected machines that also connect to that C&C relay station. As shown in Table 2, the User Agent string is hard-coded into the malicious binary, and every C&C HTTP connection record contains that User Agent string. Based on this observed phenomenon, the Client-IP and User Agent in the network traffic are treated as one Process. For example, Items 1, 2 and 3 in Table 1 all connect using 10.10.10.1 with UA1, so Domain1, Domain2 and Domain3 are all connected by the same Process, and the traffic example of Table 1 forms the Process-Domain Behavior Graph of FIG. 3.

Then in S603 all Domains in the Process-Domain Behavior Graph are labelled malicious, benign or unknown by the CTISP; the labelled output is S604. From the labels, three Process Behavior features are computed as follows. Let S be the set of all Processes, I the set of Processes connected to a Domain marked malicious, and U the set of Processes connected to a Domain marked unknown. The three features are: the known compromised-process fraction m = |I|/|S|; the unknown-process fraction u = |U|/|S|; and the total number of Processes t = |S|. S605 uses these three formulas to compute the features for all domains; examples of malicious and benign domains with their features are shown in Table 3, and of unknown domains in Table 4. Finally, in S606 the known malicious and benign domains with their three feature values are used for machine learning, producing the domain maliciousness model of S607.

S608 takes the unknown domains with their three feature values (obtained in S605), as shown in Table 5, and inputs them into the domain maliciousness model of S609 (obtained in S607). The model evaluates the input domains and yields the degree to which each unknown domain resembles the malicious or benign domains, as shown in Table 5, where domains originally marked unknown are, after S609, classified as Malicious according to their "probability". Recording the probability gives MD-Miner more flexibility in using domain intelligence: MD-Miners deployed at different enterprises can decide by probability whether to adopt the intelligence for a given domain. Therefore S610 stores the probability together with the other intelligence through the intelligence collection module S103 shown in FIG. 1, which integrates it with intelligence from other sources into the threat intelligence database shown in FIG. 1. The more domains are labelled, the more domain intelligence MD-Miner can use when building the domain maliciousness model, and the more accurate the trained model becomes. Table 6 shows the output of MD-Miner at S710 verified against VirusTotal, confirming the usability of the present invention: the domains that MD-Miner re-labelled from unknown to malicious are indeed malicious domains, showing that the invention can help enterprises identify malicious domains.
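The pipeline of steps 201-206 and S602-S609 above, as an added example that is not part of the patent: it builds the Process-Domain Behavior Graph from constructed proxy-log records, labels domains from constructed black and white lists standing in for the CTISP threat intelligence database, computes the per-domain features m, u and t, and scores the unknown domains with a nearest-centroid classifier, a stand-in chosen here because the patent does not name its machine learning algorithm. Reading S, I and U per domain (the processes connected to that domain) is my interpretation of the feature definitions.

```python
"""Process-Domain Behavior Graph: feature extraction plus a stand-in scorer.

Added example, not the patent's own code. Each distinct (Client-IP, User-Agent)
pair in a proxy log is one "Process"; processes and the domains they contacted
form a bipartite graph. Domains are labelled from a black list and a white list
standing in for the CTISP threat database, and a process that contacted any
malicious domain is itself marked malicious. Per domain d (my reading):
S = processes connected to d, I = those marked malicious, U = those that
contacted at least one unknown domain; m = |I|/|S|, u = |U|/|S|, t = |S|.
"""
from collections import defaultdict
from math import sqrt

MALICIOUS, BENIGN, UNKNOWN = "malicious", "benign", "unknown"

# Constructed proxy-log records (client_ip, user_agent, domain); items 1-3 mirror
# the patent's Table 1, where one process (10.10.10.1, UA1) reaches three domains.
SAMPLE_LOG = [
    ("10.10.10.1", "UA1", "domain1.example"),
    ("10.10.10.1", "UA1", "domain2.example"),
    ("10.10.10.1", "UA1", "domain3.example"),
    ("10.10.10.2", "UA2", "domain3.example"),
    ("10.10.10.2", "UA2", "domain4.example"),
    ("10.10.10.3", "UA1", "domain4.example"),
    ("10.10.10.3", "UA1", "domain6.example"),
    ("10.10.10.4", "UA3", "domain1.example"),
    ("10.10.10.4", "UA3", "domain4.example"),
]
# Constructed stand-ins for the CTISP black and white lists.
BLACKLIST = {"domain1.example"}
WHITELIST = {"domain4.example", "domain6.example"}


def build_graph(records):
    """S602: bipartite adjacency in both directions."""
    proc_to_domains, domain_to_procs = defaultdict(set), defaultdict(set)
    for client_ip, user_agent, domain in records:
        process = (client_ip, user_agent)          # the patent's "Process"
        proc_to_domains[process].add(domain)
        domain_to_procs[domain].add(process)
    return proc_to_domains, domain_to_procs


def label_domains(domains, blacklist, whitelist):
    """S603: label from the CTISP lists; the black list wins if a domain is on both."""
    return {d: MALICIOUS if d in blacklist else BENIGN if d in whitelist else UNKNOWN
            for d in domains}


def extract_features(records, blacklist, whitelist):
    """S605: (m, u, t) for every domain, together with its CTISP label."""
    proc_to_domains, domain_to_procs = build_graph(records)
    labels = label_domains(domain_to_procs, blacklist, whitelist)
    # A process that queried any malicious domain is compromised (FIG. 4).
    malicious_procs = {p for p, ds in proc_to_domains.items()
                       if any(labels[d] == MALICIOUS for d in ds)}
    unknown_procs = {p for p, ds in proc_to_domains.items()
                     if any(labels[d] == UNKNOWN for d in ds)}
    features = {}
    for d, S in domain_to_procs.items():
        I, U = S & malicious_procs, S & unknown_procs
        features[d] = {"m": len(I) / len(S), "u": len(U) / len(S),
                       "t": len(S), "label": labels[d]}
    return features


def score_unknown(features):
    """S606-S609 with a nearest-centroid scorer standing in for the patent's
    unspecified machine-learning algorithm. Returns, for each unknown domain,
    the predicted class and a probability-like score of being malicious."""
    t_max = max(f["t"] for f in features.values())

    def vec(f):  # scale t so it is comparable with the two ratios
        return (f["m"], f["u"], f["t"] / t_max)

    def centroid(label):
        pts = [vec(f) for f in features.values() if f["label"] == label]
        if not pts:  # no labelled examples of this class: nothing to train on
            raise ValueError(f"no {label} domains in the training data")
        return tuple(sum(c) / len(pts) for c in zip(*pts))

    def dist(a, b):
        return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

    c_mal, c_ben = centroid(MALICIOUS), centroid(BENIGN)
    results = {}
    for d, f in features.items():
        if f["label"] != UNKNOWN:
            continue
        d_mal, d_ben = dist(vec(f), c_mal), dist(vec(f), c_ben)
        prob = d_ben / (d_mal + d_ben) if d_mal + d_ben else 0.5
        results[d] = {"class": MALICIOUS if prob >= 0.5 else BENIGN,
                      "probability": prob}
    return results


if __name__ == "__main__":
    feats = extract_features(SAMPLE_LOG, BLACKLIST, WHITELIST)
    for d, f in sorted(feats.items()):
        print(f"{d:16} m={f['m']:.2f} u={f['u']:.2f} t={f['t']} {f['label']}")
    for d, r in sorted(score_unknown(feats).items()):
        print(f"{d:16} -> {r['class']} (probability={r['probability']:.2f})")
```

With this input, domain3.example (contacted by one compromised and one clean process) scores closer to the malicious centroid than to the benign one, which is the kind of re-labelling Table 5 describes; the probability is what S610 would feed back to the threat intelligence database.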

The above detailed description is a specific description of one feasible embodiment of the present invention; this embodiment is not intended to limit the patent scope of the invention, and any equivalent implementation or modification that does not depart from the technical spirit of the invention shall be included within the patent scope of this case.

Claims (2)

1. A malicious domain detection method combining domain intelligence and network traffic, the steps of which comprise:

a. inputting network traffic data into a malicious domain detection module to generate a Process-Domain Behavior Graph, wherein the malicious domain detection module treats the Client-IP and UserAgent information in the network traffic data as one Process, lets P be the set of Processes and D the set of distinct Domains, and a Process node p_i ∈ P connecting to a Domain node d_j ∈ D produces an edge, so that Processes and Domains form a bipartite graph;

b. using the black and white lists in the threat intelligence database of a Cyber Threat Intelligence Sharing Platform (CTISP) to label every Domain appearing in the Process-Domain Behavior Graph as a malicious domain, a benign domain or an unknown domain;

c. the malicious domain detection module computing, from the labelling result, the feature values of the malicious, benign and unknown domains;

d. inputting the labelled malicious and benign domains together with their feature values into a machine learning algorithm for training, producing a domain maliciousness model;

e. inputting the unknown domains and their feature values into the domain maliciousness model to obtain the maliciousness of the unknown domains;

f. adding the maliciousness of the unknown domains to the intelligence collection module of the CTISP, so that the intelligence collection module integrates it and adds it to the black and white lists of the threat intelligence database.

2. A malicious domain detection method combining domain intelligence and network traffic, the steps of which comprise:

a. inputting network traffic data into a malicious domain detection module to generate a Process-Domain Behavior Graph;

b. using the black and white lists in the threat intelligence database of a Cyber Threat Intelligence Sharing Platform (CTISP) to label every Domain appearing in the Process-Domain Behavior Graph as a malicious domain, a benign domain or an unknown domain;

c. the malicious domain detection module computing, from the labelling result, the feature values of the malicious, benign and unknown domains, wherein these feature values include the set of all Processes, the percentage of compromised Processes and the percentage of unknown Processes, computed as follows: let S be the set of all Processes, I the set of Processes connected to a Domain marked malicious, and U the set of Processes connected to a Domain marked unknown; then the known compromised-process fraction is m = |I|/|S|, the unknown-process fraction is u = |U|/|S|, and the total number of Processes is t = |S|;

d. inputting the labelled malicious and benign domains together with their feature values into a machine learning algorithm for training, producing a domain maliciousness model;

e. inputting the unknown domains and their feature values into the domain maliciousness model to obtain the maliciousness of the unknown domains;

f. adding the maliciousness of the unknown domains to the intelligence collection module of the CTISP, so that the intelligence collection module integrates it and adds it to the black and white lists of the threat intelligence database.

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106116836A TWI656778B (en) 2017-05-22 2017-05-22 Malicious domain detection method combining network information and network traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW106116836A TWI656778B (en) 2017-05-22 2017-05-22 Malicious domain detection method combining network information and network traffic

Publications (2)

Publication Number Publication Date
TW201902174A TW201902174A (en) 2019-01-01
TWI656778B true TWI656778B (en) 2019-04-11

Family

ID=65803192

Family Applications (1)

Application Number Title Priority Date Filing Date
TW106116836A TWI656778B (en) 2017-05-22 2017-05-22 Malicious domain detection method combining network information and network traffic

Country Status (1)

Country Link
TW (1) TWI656778B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI732169B (en) * 2019-01-15 2021-07-01 中華電信股份有限公司 Method and verification system for verifying validness of threats
TWI764618B (en) * 2020-10-19 2022-05-11 新加坡商賽博創新新加坡股份有限公司 Cyber security protection system and related proactive suspicious domain alert system
US11558352B2 (en) 2020-10-19 2023-01-17 Cycraft Singapore Pte. Ltd. Cyber security protection system and related proactive suspicious domain alert system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI709874B (en) * 2019-04-01 2020-11-11 中華電信股份有限公司 Method of sharing cyber threat intelligence with external device and electronic device thereof

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7890612B2 (en) * 2006-05-08 2011-02-15 Electro Guard Corp. Method and apparatus for regulating data flow between a communications device and a network
US8682812B1 (en) * 2010-12-23 2014-03-25 Narus, Inc. Machine learning based botnet detection using real-time extracted traffic features
US20140215621A1 (en) * 2013-01-25 2014-07-31 REMTCS Inc. System, method, and apparatus for providing network security
US20160087860A1 (en) * 2014-09-19 2016-03-24 International Business Machines Corporation Application topology based on network traffic
CN106576058A (en) * 2014-08-22 2017-04-19 迈克菲股份有限公司 System and method to detect domain generation algorithm malware and systems infected by such malware

Also Published As

Publication number Publication date
TW201902174A (en) 2019-01-01
