Cyber-Attack Detection and Defense Based on Spectral Analysis and Community Structure Recognition

Doctoral dissertation, National Cheng Kung University (國立成功大學), Institute of Computer and Communication Engineering (電腦與通信工程研究所), academic year 105.

Bibliographic Details

Main Authors: Tzy-Shiah Wang (王子夏)
Other Authors: Hui-Tang Lin
Format: Others
Language: en_US
Published: 2017
Online Access: http://ndltd.ncl.edu.tw/handle/whhzsj
Record ID: ndltd-TW-105NCKU5652007
Chinese title: 應用頻譜分析與群體結構辨識於網路攻擊偵防之研究

Abstract

With the ever-growing number of online services nowadays, and the proliferation of wireless access services, more and more users are connecting to the Internet. However, the increasing reliance on the Internet and associated network services exposes users to the risk of malicious attacks by third parties intent on causing short-term disruption or more serious long-term damage. Among the various network security concerns, botnets are regarded as one of the leading threats to network security, and are used to conduct a wide range of malicious activities, including information theft, phishing, spam mail distribution, and Distributed Denial of Service (DDoS) attacks. Of the various forms of botnet, DGA-based botnets, which utilize a Domain Generation Algorithm (DGA) to avoid detection, are one of the most disruptive and difficult to detect. In addition to botnets, attacks on social network sites have also emerged as a major concern in recent years. One of the most common and harmful types of attack is the Sybil attack, in which the attacker creates multiple identities and uses these identities to breach a running system with fake information. Although botnets and Sybil attacks are both difficult to detect, they leave behind several important clues which can be used to identify their presence. For example, when the communication patterns of a botnet, or the relationships among the Sybil nodes and the honest nodes, are mapped onto a graph, the graph shows a unique characteristic in terms of its community structure. Accordingly, this dissertation proposes a clustering algorithm for detecting the community structure of cyber-attacks.

More specifically, to address the problem of DGA-based botnets, a scheme is proposed for detecting botnet activity by analyzing the query behavior of the DNS traffic. The proposed scheme exploits the fact that hosts compromised by the same DGA-based malware query the same sets of domains in the domain list, and most of these queries fail since only a very small number of the domains are actually associated with an active C&C. The evaluation results show that the proposed scheme provides an accurate and effective means of detecting both existing and new DGA-based botnet patterns in real-world networks. To counter the problem of Sybil attacks, the dissertation additionally proposes a defense mechanism based on the characteristic structural properties of honest and Sybil groups. Notably, in contrast to most existing Sybil defense schemes, which require knowledge of at least one honest node in advance, the scheme proposed in this dissertation has the ability to detect Sybil groups in a network without the need for any prior knowledge regarding the honest nodes. The performance of the proposed defense scheme is evaluated using data obtained from a real-world social network (Facebook). The results show that the proposed scheme has the ability to detect Sybil attacks in real social networks with a low false positive ratio.

Advisor: Hui-Tang Lin (林輝堂). Published 2017. Format: dissertation (學位論文), 128 pages, en_US.
Collection: NDLTD