
Student: 張詠承
Chang, Yung-Cheng
Thesis title: 自動化類HTTP魁儡網路特徵產生系統
Automatic NIDS Rule Generating System for HTTP-like Botnet Detection
Advisor: 黃能富
Huang, Nen-Fu
Committee members: 石維寬
簡榮宏
黃能富
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science
Computer Science
Year of publication: 2011
Graduation academic year: 99
Language: English
Pages: 63
Keywords (Chinese): network security, botnet, malware signature, automation
Keywords (English): network security, botnet detection, malware signature, automatic generation
    Abstract (Chinese, translated): With the rapid spread of the Internet, HTTP has become one of the most widely used network transport protocols in the world. Consequently, botnets have also begun to use HTTP to spread and infect, exploiting its ubiquity in an attempt to blend into normal HTTP traffic and slip past firewalls (FW) and network intrusion detection systems (NIDS). A NIDS is a mechanism for detecting anomalous network traffic; used with an appropriate IDS rule set, it can effectively block the transmission and communication of anomalous traffic. However, producing rule sets by manually analyzing malicious traffic is extremely time-consuming, and the rule author also needs considerable background knowledge. In general, an experienced rule author can analyze only about ten malicious traffic samples per hour. For these reasons, the corresponding rules can often be produced only after a botnet has already caused a certain amount of damage.
    This research builds an "Automatic Rules Generating System" (ARGS) for HTTP-like botnets to speed up the rule-generation process. Given input malign traffic (MT), the system can produce the corresponding rules quickly and accurately in a short time. We use Snort as our IDS and adopt the rule set released by an open community as our base. In the experiments, the rules produced by the system achieve a true positive rate above 99% and a false positive rate below 0.1%. In addition, by introducing a Support Vector Machine (SVM), we can further merge rules and compress the number of rules to 85%~90% of the original count, catching the same or even more malicious traffic with fewer rules; moreover, fewer rules effectively reduce the NIDS matching time. The experimental results show that, on average, every 10% reduction in the number of rules reduces matching time by 5%. We also deployed the rules produced by ARGS in a county-scale academic network to test their performance and detection rate. The statistics show that during the experiment period, 10~15% of the rules were hit and triggered each day on average, with about 21000 log entries recorded per day. The results demonstrate that the rules produced by ARGS can indeed effectively detect malware behaviour and curb its spread.


    Abstract (English): With the popularity and widespread use of the Internet, HTTP has become the main protocol of the Internet, and many network applications rely on it. Botnets also utilize it as a covert channel through which to evade the firewall (FW) or network intrusion detection system (NIDS). A NIDS is a mechanism to detect a botnet, but the creation of an IDS rule set usually requires significant professional manpower and research time. In general, it takes an experienced rule maker several hours to analyze only a dozen malign traffic samples. These restrictions may delay the best timing to stop the spread of a botnet.
    Based on the statement above, we developed an automatic rule generation system (ARGS) to speed up the processing time of generating the corresponding rule set. ARGS generates the corresponding NIDS rules efficiently and precisely from the input malign traffic (MT). We use Snort as our IDS for practical purposes and adopt the open botnet rule set as our rule base. In our experiments, the true positive rate of the generated rule set is more than 99% and the false positive rate is less than 0.1%. Besides, with the integration of a support vector machine (SVM), we can further combine rules that are highly relevant and reduce the number of rules to 85%~90% of the original size. With this mechanism, we can use fewer rules to detect an equal or greater amount of malware traffic. Furthermore, we can reduce the processing time of the NIDS by reducing the number of rules. In our experiments, we can reduce processing time by 10% by reducing the number of rules by 5%. Besides, we applied the rules generated by ARGS in a county-level TANet to evaluate the performance of the rules. On average, about 10~15% of the rules are triggered every day, and about 21000 logs are recorded every day. The statistics indicate that the rules generated by ARGS can efficiently stop the spread of malware.

    Table of contents:
    Chapter 1 Introduction
    Chapter 2 Related Work
        2.1 Related Studies
        2.2 Token Subsequence Algorithm
        2.3 SVM (Support Vector Machine)
    Chapter 3 System Design
        3.1 System Feature
            3.1.1 Traffic Selector
            3.1.2 Machine Learning (SVM)
            3.1.3 Quantification of Rule Features
            3.1.4 Rule Optimization (Merging)
        3.2 System Operating Flow
            3.2.1 Input and Output Data in ARGS
            3.2.2 Traffic Matching, Traffic Converting and Rule Verification
            3.2.3 Machine Learning and Rule Optimization
            3.2.4 Target of each Rule Set
    Chapter 4 System Implementation and Performance Evaluation
        4.1 Implementation of Rules Optimization
        4.2 Environment and Data Initialization
            4.2.1 Malware & Traffic Collection (Malign, Benign)
            4.2.2 Initialization of Training Data Set
        4.3 Performance Evaluation
            4.3.1 System Processing Time
            4.3.2 Accuracy (True Positive, False Positive)
            4.3.3 Rules' Compressing Rate
            4.3.4 Practical Evaluation
    Chapter 5 Conclusion
        5.1 Summary
        5.2 Future Work
    References


    Full-text release date: full text not authorized for public access (on-campus network)
    Full-text release date: full text not authorized for public access (off-campus network)
