Academic paper

A Detection Model for Abnormal Behavior based on the Hybrid Classifier
Document Type
Dissertation/ Thesis
Source
Subject
Intrusion Detection
Network Security
Hybrid Classifier
Language
English
Abstract
The earliest network attacks consisted of software transmissions designed to deduce a client's capabilities and resources in order to deliver ordinary malicious code, or to partially paralyze hardware capability and interrupt operations. Later, in the 1990s, malicious code appeared in the form of worms with no particular targets. By the 2000s, worms emerged whose purpose was to attack particular targets. These earlier attacks were usually detected quite effectively by anti-virus products based on known signatures. Later, however, as small-scale, specialized worm and denial-of-service attacks emerged, they used malicious code designed for specialized purposes to circumvent host and anti-virus security systems. A portion of this distinct malicious code could be detected by specialized signatures, and much more of it was detected by a variety of other detection methods. However, in order to evade detection, this special-purpose malicious code developed into Bots, which are loaded with artificial intelligence technology and are even more difficult to detect. These Bots are controlled by Command and Control servers, which issue commands through old IRC networks and attack particular hosts or carry out denial-of-service attacks on particular networks. Some contemporary Bots continue to use IRC, but others form a separate network and carry out attacks from their own attack networks, evading detection through a variety of detailed scenarios. When detection is attempted, they may also conceal themselves as a zombie host as a means of subterfuge. Compared to the attacks being developed, existing detection technologies use only simple signature methods or threshold-based detection that relies solely on the frequencies of network data from simple specialized fields. I define the special-purpose communication networks that Bots of this type construct as Bot-nets.
Further, we assert that early detection of these Bot-net communications is absolutely essential for reducing the effectiveness of attacks. Bot-nets are ordinarily embedded in any executable or install file, such as malicious code attached to emails, videos, web pages, ActiveX controls, web plug-ins, installation software, PDF and other office files, and once installed on the target client they may mass-produce zombie clients. Once clients become zombies, they transmit special packets to a Command and Control server, but in order to transmit, they first request domain information from the domain server and then send packets to the resolved IP address. Because zombies depend on this domain information, Command and Control servers use Fast-Flux domains in order to hide their actual location. In order to covertly reach the actual Command and Control server, zombie clients include a normal-looking domain request, and this request makes it difficult, from a detection point of view, to identify the domain and IP of the actual Command and Control server. Later, zombies intermittently send a message to the Command and Control server indicating that they are standing by as a normal network node and are waiting for an attack message from the Command and Control server. When the attack message is received, zombies typically attack designated systems en masse, and at this point it is beyond the ability of the attacked system to avoid or block the damage being inflicted. In this thesis, we take the domain queries that zombies send to inform Command and Control servers of their status and use them to more effectively identify and isolate Bot-nets. Pre-existing machine learning methods have been widely used for intrusion detection; however, the specialized behavior of Bot-nets is changing rapidly. Machine learning detection methods typically use classifiers, and these classifiers assign classes to new data based on prior training data.
Therefore, classification performance can vary widely according to the performance and relevance of the classifier, and also according to the training data. Bot-nets today are changing more quickly than ever and are an especially difficult target to restrict. It is impossible to determine the actual attacker behind a Bot-net, and the best method available is to detect zombie clients within as narrow a window as possible and quarantine them in order to block any forthcoming attacks. Accordingly, we need detection methods that can respond adequately to these rapidly changing attacks in a short amount of time. The training data update method and accompanying multiple-classifier proposed in this thesis can continuously reflect these changing attacks and, by identifying previously used training data that may be eliminated, can also avoid the inefficiencies that usually accompany large-scale training data. I also propose a multiple-dataset update module for our multiple-classifier in order to compensate for the overall reduction in classification performance caused by data errors that arise when retraining on old data.