
Evaluation of Machine Learning Techniques for C&C Traffic Classification

Kazumasa Yamauchi 1,2,†1   Junpei Kawamoto 1,2   Yoshiaki Hori 2,3,a)   Kouichi Sakurai 1,2

Received: December 8, 2014, Accepted: June 5, 2015

Abstract: With the spread of the Internet, the damage caused by botnets is increasing. Botnets generally use a Command and Control (C&C) server, and detecting the C&C server is one technique for countering botnets. However, detecting C&C servers is hard because C&C protocols have diversified and botnet configurations change. In this work we define a feature vector for detecting C&C servers and report the results of an experiment that classifies normal traffic and C&C sessions using real network traffic. Finally, we show the effectiveness of the method for detecting C&C servers that use several kinds of protocols.

Keywords: botnet, C&C server, anomaly detection, machine learning

1 Kyushu University, Fukuoka 819-0935, Japan
2 Institute of Systems, Information Technologies and Nanotechnologies (ISIT), Fukuoka 814-0001, Japan
3 Saga University, Saga 840-8502, Japan
†1 Presently with NIPPON TELEGRAPH AND TELEPHONE WEST CORPORATION
a) horiyo@cc.saga-u.ac.jp

c 2015 Information Processing Society of Japan

1. (Japanese body text not preserved in the extraction; only fragments survive) Command & Control (C&C); [1]; C&C; DDoS; Fig. 1; C&C
1.1 (fragments) C&C; IRC; HTTP; P2P

(fragments, 1.1 continued) IRC; HTTP; P2P; IRC 1993 [1]; IRC C&C [2], [3]; [2] IRC C&C 16 3; [3] IRC / n-gram; 2003 C&C P2P [1]; P2P PeerShark [4]; IRC P2P HTTP; HTTP 2005 [1]; HTTP IRC; HTTP [5], [6]; HTTP GET POST [5]; [6] Artificial Immune System (AIS) [10]; AIS HTTP
1.2 (fragments) [3], [4], [5]; 1; [5], [6]; [3] IRC; 2 C&C IRC HTTP C&C; organization of the paper: 2, 3, 4, 5, 6, 7
2. (fragments) C&C; 1; CCCDATASet; 10; C&C 3 1 4 3

Table 1 Feature vector (row labels for V1-V4 not preserved; V5 is in seconds).
  V1  PKT
  V2  Byte
  V3  PKT
  V4  Byte
  V5  s
  V6  (number of client accesses to the server during the session)
  V7  (dispersion of the access times)

Fig. 1 Time-chart of Botnet activity.

(fragments) 3 PC C&C; 3 19 C&C; 3 14 7; 1 C&C C&C C&C

3. (fragments) C&C; datasets CCCDataSet2009 (C09), CCCDataSet2010 (C10), PRACTICE 2013 (P13) [7]; IRC HTTP C&C
3.1 (fragments) C&C 2 1 C&C; IRC (see 1.1); 2 C&C HTTP P2P; HTTP IRC HTTP HTTP IRC
3.2 (fragments) C&C [8]; 36 [8]; C&C IRC C&C C&C; [5] HTTP C&C; HTTP DNS P2P; [2] IRC TCP 1 / TCP 1; V6 V7 V1 V2 C&C IRC HTTP; 1 V3 V4 C&C

IPSJ Journal Vol.56 No.9 1745-1753 (Sep. 2015)

Fig. 2 C&C session analysis (All).
Fig. 3 V1 V3 (IRC).
Fig. 4 V1 V3 (HTTP).
Fig. 5 V6 V7 (HTTP).

The total data size is the sum of the data sizes of the packets contained in each session, obtained from the packet header information. V5 is the time obtained by reading the timestamps in the packet headers and taking the difference between the session end time and the session start time. V6 is the total number of times the client accesses the server during the session, and V7 expresses the dispersion of those access times.

3.3 C&C session analysis
In this section we analyze whether normal sessions and C&C sessions can be separated by the proposed feature vector. As described in Section 2, communication with a C&C server can be regarded as one of the signs that a botnet is about to attack, so detecting C&C sessions makes it possible to stop an attack by the botnet before it happens. Fig. 2 shows the results of analyzing IRC and HTTP traffic with the feature vector; normal HTTP or IRC sessions are drawn in blue and C&C sessions in red. For IRC, V6 and V7 are not considered, because the client does not reconnect to the C&C server during a session. Fig. 2 shows that the IRC data is distributed over a narrower range, whereas the HTTP data is spread over a wider range and shows more diversity in communication than IRC. From the results in Fig. 2, the cases in which the two kinds of data were separated particularly well are excerpted in Fig. 3, Fig. 4 and Fig. 5. Fig. 3

Table 2 Number of unique IP addresses.
            Normal    C09    C10    P13
  IRC          736      6     19      0
  HTTP         763     51    139     15
  Total      1,499     57    158     15

Table 3 Number of extracted session data.
            Normal    C09    C10    P13
  IRC          903    190    573      0
  HTTP       1,270     84    255    406
  Total      2,173    274    828    406

Fig. 6 Experiment flow.

(fragments, 3.3 continued) IRC 25 500 1 1 C&C 1 1; 4 HTTP C&C 5 10,000 HTTP 1 1 C&C 1 1; 5 HTTP C&C

4. (fragments) C&C; Fig. 6
4.1 (fragments) Linux; tcpdump
4.1.1 (fragments) 2012 8 9; port 6667 IRC; port 80 HTTP
4.1.2 (fragments) C&C C09 C10 P13 C&C; IRC JOIN; HTTP GET; C&C JOIN GET; Tables 2 and 3; IP; P13 IRC
4.2 (fragments) 1 C&C TCP TCP

(fragments, 4.2 continued) 20 TCP TCP; Tables 4 and 5; IRC HTTP; Table 4: C&C IRC V1-V5 (C10), V1-V5 (C09), IRC V6 = 1, V7 = 0; Table 5: C&C HTTP V6 (P13), V1-V7 (C09, C10), V4; C&C HTTP IRC

Feature j of session i is scaled over all sessions as

  $\hat{x}_{i,j} = \dfrac{x_{i,j} - \min_{n} x_{n,j}}{\max_{m} x_{m,j}}$

where n and m range over the sessions, so that $\hat{x}_{i,j}$ lies between 0 and 1.

Table 4 IRC session data analysis: Average (variance).
        Normal (IRC)          C09               C10
  V1       88 (6.0×10^3)        6 (24)            5 (250)
  V2    1,187 (3.6×10^6)       67 (1.5×10^4)     77 (1.9×10^4)
  V3       75 (6.1×10^3)        2 (6.9)           3 (632)
  V4    1,336 (2.2×10^6)      177 (1.7×10^5)    185 (1.6×10^6)
  V5      583 (2.8×10^5)        8 (75)            6 (111)
  V6        1 (0)               1 (0)             1 (0)
  V7        0 (0)               0 (0)             0 (0)

4.3 (fragments) 3 classifiers; SVM [2]; IRC C&C SVM; IRC HTTP; 3.3 C&C HTTP IRC; implemented in R [13]: SVM with kernlab [14], glmnet [15], e1071 [16]. The SVM uses the Gaussian kernel

  $k(\mathbf{x}, \mathbf{y}) = \exp\left(-\dfrac{\|\mathbf{x} - \mathbf{y}\|^2}{2\sigma^2}\right)$

with parameter σ; SVM 3 5

Table 5 HTTP session data analysis: Average (variance).
        Normal (HTTP)           C09                 C10                  P13
  V1        88 (1.5×10^7)         60 (1.4×10^2)       47 (1.3×10^4)        4 (5.7)
  V2    33,140 (3.9×10^9)        194 (5.7×10^2)      177 (2.1×10^9)      126 (1.4×10^2)
  V3       129 (1.7×10^6)         50 (900)            35.4 (1.4×10^7)      3.4 (74)
  V4    33,671 (2.1×10^12)    66,320 (1.9×10^9)   42,212 (2.6×10^9)    1,135 (1.1×10^4)
  V5       249 (1.2×10^5)          2.6 (2.8)           0.27 (1.3×10^4)      1.7 (3.7)
  V6         9.15 (1.3×10^6)       3.8 (0.13)         35.7 (7.8×10^5)      1.1 (0.3)
  V7       122 (1.3×10^5)          0.64 (2.3)          3.1 (6.67)           1.5 (0.5)
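As an added example (not the paper's own code), the following Python builds the seven-element feature vector of Table 1 from packet records of one client/server session and then applies the scaling x̂_{i,j} = (x_{i,j} − min_n x_{n,j}) / max_m x_{m,j} across several sessions, including the max = 0 column that V7 produces for IRC. It assumes V1/V2 are the client-to-server packet count and byte total, V3/V4 the server-to-client ones, and that each TCP connection the client opens is one access for V6/V7 (the page's row labels for V1–V4 were not preserved); the packets, addresses and timestamps are constructed.

```python
# Added example (not the paper's code): build the feature vector V1..V7 of
# Table 1 for one client/server session and apply the paper's scaling
# x_hat_ij = (x_ij - min_n x_nj) / max_m x_mj. Assumed, since the row labels
# of Table 1 were not preserved: V1/V2 = client->server packets/bytes,
# V3/V4 = server->client packets/bytes, and every TCP connection the client
# opens is one "access" for V6/V7.
from dataclasses import dataclass
from statistics import pvariance
from typing import List, Sequence

@dataclass(frozen=True)
class Packet:
    ts: float   # capture timestamp in seconds
    src: str
    dst: str
    size: int   # data size from the packet header, in bytes

# One inner list per TCP connection between the client and the server.
Session = List[List[Packet]]
FEATURES = ("V1", "V2", "V3", "V4", "V5", "V6", "V7")

def extract_features(session: Session, client: str) -> List[float]:
    pkts = [p for conn in session for p in conn]
    c2s = [p for p in pkts if p.src == client]
    s2c = [p for p in pkts if p.dst == client]
    ts = [p.ts for p in pkts]
    starts = [min(p.ts for p in conn) for conn in session]   # access times
    return [
        len(c2s), sum(p.size for p in c2s),               # V1, V2
        len(s2c), sum(p.size for p in s2c),               # V3, V4
        max(ts) - min(ts),                                # V5: end - start
        len(starts),                                      # V6: accesses
        pvariance(starts) if len(starts) > 1 else 0.0,    # V7: dispersion
    ]

def normalize(rows: Sequence[Sequence[float]]) -> List[List[float]]:
    """Scale feature j of session i to (x_ij - min_n x_nj) / max_m x_mj."""
    lo = [min(col) for col in zip(*rows)]
    hi = [max(col) for col in zip(*rows)]
    # max is 0 when a feature is 0 in every session (paper: V7 = 0 for IRC);
    # map such a column to 0 instead of dividing by zero.
    return [[(x - l) / h if h else 0.0 for x, l, h in zip(r, lo, hi)] for r in rows]

# Constructed sample traffic, not taken from the paper's datasets.
CLIENT, SERVER = "10.0.0.5", "203.0.113.7"
HTTP_LIKE: Session = [   # two connections ten seconds apart
    [Packet(0.0, CLIENT, SERVER, 100), Packet(0.1, SERVER, CLIENT, 1500),
     Packet(0.2, CLIENT, SERVER, 60)],
    [Packet(10.0, CLIENT, SERVER, 120), Packet(10.3, SERVER, CLIENT, 800)],
]
IRC_LIKE: Session = [    # one long-lived connection, no reconnection
    [Packet(0.0, CLIENT, SERVER, 80), Packet(0.5, SERVER, CLIENT, 200),
     Packet(1.0, CLIENT, SERVER, 40), Packet(2.0, SERVER, CLIENT, 300),
     Packet(3.0, CLIENT, SERVER, 50)],
]

def demo():
    raw = [extract_features(HTTP_LIKE, CLIENT), extract_features(IRC_LIKE, CLIENT)]
    return raw, normalize(raw)
```

`demo()` returns the raw vectors (HTTP-like session first) and their scaled versions; the IRC-like session has V6 = 1 and V7 = 0 as in Table 4.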

(fragments, 4.3 continued) 2/3 1/3

5. (fragments) Fig. 7; HTTP IRC HTTP; existing vector [2]; SVM 22.3%; Fig. 7 LR 8.2%; Fig. 7 NB 3.9%; SVM 2.7% 14.9% 23.2%; V6 V7 C&C C&C; Web Ajax; 1 Web; IRC V6 = 1, V7 = 0; V1-V5; SVM 17%

6. (fragments) 5 HTTP IRC; SVM Tables 6 and 7; LR Tables 6 and 7; NB 2
6.1 (fragments) Table 6; P13 C&C; P13 HTTP; P13

Table 6 Result of classifying every DataSet.
                   Normal          C09           C10           P13
                   IRC    HTTP     IRC   HTTP    IRC   HTTP    HTTP
  SVM (Normal)     219     414       1      0      9      1       1
  SVM (Anomaly)     45      12      66     32    208    100     103
  LR (Normal)      196     251       0      2      1     14       0
  LR (Anomaly)      68     115      67     30    216     87     104
  NB (Normal)      197     382       0      8      0     17       0
  NB (Anomaly)      67      44      67     27    217     84     104
  Total            264     426      67     32    217    101     104

Rates printed under Table 6 (row labels not preserved; the first row of each classifier is the share of C&C sessions classified as Anomaly for C09 IRC, C09 HTTP, C10 IRC, C10 HTTP and P13 HTTP, the second the share of Normal IRC and Normal HTTP sessions classified as Anomaly, and the third the share of C&C sessions classified as Normal):
  (SVM) [%]   98.5   100    95.9   99.0   99.0
  (SVM) [%]   17.0   2.8
  (SVM) [%]    1.5   0       4.1    1.0    1.0
  (LR)  [%]   100    93.7   99.5   86.1   100
  (LR)  [%]   25.8   27.0
  (LR)  [%]    0     6.3     0.5   13.9    0
  (NB)  [%]   100    84.4   100    83.2   100
  (NB)  [%]   25.4   10.3
  (NB)  [%]    0     15.6    0     16.8    0

Table 7 Comparison of execution time of machine learning algorithms (row labels not preserved; the third row is the sum of the first two).
          SVM     LR     NB
  (s)    1.97   2.01   0.03
  (s)    0.12   0.81   0.38
  (s)    2.09   2.82   0.41

Fig. 7 Comparison between proposed vector and existing vector.

(fragments, 6.1 continued) SVM C&C IRC 17.0%; C10 HTTP 13.9%; IRC HTTP 25.8% 27.0%; C09 HTTP 25%; C10 HTTP 16.8%; IRC 25.4%
6.2 (fragments) Table 7; A; SVM SVM
6.3 (fragments) 6.1 6.2 C&C C&C C&C SVM 90% 4%
7. (fragments) C&C C&C C&C SVM SVM DNS P2P

References
[1] Vania, J., Meniya, A. and Jethva, H.B.: A Review on Botnet and Detection Technique, International Journal of Computer Trends and Technology, Vol.4, No.1, pp.23-29 (2013).
[2] Kondo, S. and Sato, N.: Botnet Traffic Detection Techniques by C&C Session Classification Using SVM, Proc. 2nd International Workshop on Security (IWSEC 2007), pp.91-104 (2007).
[3] Goebel, J. and Holz, T.: Rishi: Identify bot contaminated hosts by IRC nickname evaluation, Proc. 1st USENIX HotBots (2007).
[4] Narang, P., Ray, S., Hota, C. and Venkatakrishnan, V.: PeerShark: Detecting Peer-to-Peer Botnets by Tracking Conversations, Proc. IEEE Security & Privacy Workshops (SPW 2014), pp.108-115 (2014).
[5] Ashley, D.: An Algorithm for HTTP Bot Detection, Research paper, University of Texas - Information Security Office (2011).
[6] Tyagi, A.K. and Nayeem, S.: Detecting HTTP Botnet using Artificial Immune System, International Journal of Applied Information Systems, Vol.2, No.6, pp.34-37 (2012).
[7] MWS2014, available from http://www.iwsec.org/mws/2014/about.html (accessed 2014-12-05).
[8] (authors and title not preserved) AdaBoost, Vol.53, No.9, pp.2062-2074 (2012).
[9] Gu, G., Perdisci, R., Zhang, J. and Lee, W.: BotSniffer: Detecting botnet command and control channels in network traffic, Proc. 15th Annual Network and Distributed System Security Symposium (NDSS 2008) (2008).
[10] Castro, L.N. and Timmis, J.: Artificial Immune Systems: A New Computational Intelligence Approach, Springer (2002).
[11] Schehlmann, L. and Baier, H.: COFFEE: A Concept based on OpenFlow to Filter and Erase Events of Botnet activity at high-speed nodes, Proc. INFORMATIK 2013, pp.2225-2239 (2013).
[12] Gu, G., Perdisci, R., Zhang, J. and Lee, W.: BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection, Proc. 17th USENIX Security Symposium (2008).

[13] R project, available from http://www.r-project.org/ (accessed 2014-11-10).
[14] Package kernlab, available from http://cran.r-project.org/web/packages/kernlab/kernlab.pdf (accessed 2014-11-10).
[15] Package glmnet, available from http://cran.r-project.org/web/packages/glmnet/glmnet.pdf (accessed 2014-11-10).
[16] Package e1071, available from http://cran.r-project.org/web/packages/e1071/e1071.pdf (accessed 2014-11-10).