
ATT&CK-CN V1.01 Last Update: 2019-11

Translators: Lin Miaoqian (林妙倩, cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), Dai Yilun (戴亦侖, Cyberpeace 賽寧網安). Original translation; please obtain the translators' consent before reproducing.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1483

Glossary: /attack/glossary

Domain Generation Algorithms

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that the malware can check for instructions.

DGAs can take the form of apparently random or "gibberish" strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit, concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc.). Others incorporate a seed value as well, to make predicting future domains more difficult for defenders.

Adversaries may use DGAs for the purpose of Fallback Channels (T1008). When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.

Tags

ID: T1483

Tactic: Command and Control

Platforms: Linux, macOS, Windows

Permissions Required: User

Data Sources: Process use of network, Packet capture, Network device logs, Netflow/Enclave netflow, DNS records

Mitigations

Mitigation | Description
Network Intrusion Prevention (M1031) | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use DGAs and determine the future domains that the malware will attempt to contact, but this is a time and resource intensive effort. Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined in order to extract future generated domains. In some cases the seed that a particular sample uses can be extracted from DNS traffic. Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost.
Restrict Web-Based Content (M1021) | In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.
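The generation scheme described in the technique text and the defender-side precomputation the Mitigations table refers to (reverse engineering a sample, recovering its seed, and listing every domain it will try), as an added example constructed for this page. It is not ATT&CK's code and not any real malware family's DGA: the SHA-256 mixing, the word list, the TLD set and the seed value are all assumptions made for illustration.

```python
"""Illustrative time-based, seeded DGA plus the defender-side precomputation.

Constructed for this page; not any real family's algorithm. It shows the two
domain shapes described above (letter-by-letter "gibberish" and whole-word
concatenation), a daily time component, and a per-sample seed. Once the seed
has been recovered from a sample, every domain that sample will query on a
future day can be listed ahead of time for sinkholing or blocklisting.
"""
import datetime
import hashlib

# Hypothetical word list and TLD set used by this toy generator.
WORDS = ["city", "july", "dish", "river", "stone", "green", "north", "table"]
TLDS = [".ru", ".net", ".com", ".info"]


def _stream(seed, day_iso, index):
    """Deterministic 32 bytes from (seed, day, index) via SHA-256.

    Mixing the date in changes the whole domain set once per day; the seed is
    the per-sample value a defender must recover before predicting anything.
    """
    material = f"{seed}:{day_iso}:{index}".encode()
    return hashlib.sha256(material).digest()


def gibberish_domain(seed, day_iso, index, length=16):
    """Letter-by-letter label in the style of istgmxdejdnxuyla.ru."""
    stream = _stream(seed, day_iso, index)
    label = "".join(chr(ord("a") + b % 26) for b in stream[:length])
    return label + TLDS[stream[-1] % len(TLDS)]


def wordlist_domain(seed, day_iso, index, words=3):
    """Word-concatenation label in the style of cityjulydish.net."""
    stream = _stream(seed, day_iso, index)
    label = "".join(WORDS[b % len(WORDS)] for b in stream[:words])
    return label + TLDS[stream[-1] % len(TLDS)]


def daily_domains(seed, day_iso, count, style="gibberish"):
    """The `count` domains a sample with this seed tries on a given day."""
    gen = gibberish_domain if style == "gibberish" else wordlist_domain
    return [gen(seed, day_iso, i) for i in range(count)]


def predict_future_domains(seed, start_iso, days, per_day, style="gibberish"):
    """Defender side: with the seed in hand, list every domain the sample will
    query from `start_iso` for `days` days. This is the list a sinkhole or
    blocklist would be loaded with."""
    start = datetime.date.fromisoformat(start_iso)
    schedule = {}
    for offset in range(days):
        day = (start + datetime.timedelta(days=offset)).isoformat()
        schedule[day] = daily_domains(seed, day, per_day, style)
    return schedule


if __name__ == "__main__":
    # Seed assumed to have been recovered from a sample; 5 domains/day for a week.
    for day, doms in predict_future_domains(0x5EED, "2019-11-01", 7, 5).items():
        print(day, doms)
```

Run stand-alone it prints a week of domains for one assumed seed. The two points the Mitigations text makes fall out directly: without the seed, `predict_future_domains` cannot be evaluated at all, and with it the output for a realistic `per_day` in the thousands is the size of the list a defender would have to register or sinkhole every day.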

Detection

Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more. CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another, more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.

Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-gram methods to determine a randomness score for the strings used in the domain name. If the randomness score is high, and the domain is not whitelisted (CDN, etc.), then the domain can be judged to be DGA-generated rather than a legitimate host. Another approach is to use deep learning to classify domains as DGA-generated.
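The name-based features listed above (entropy, vowel ratio, dictionary-word proportion and an N-gram randomness score), run over a handful of constructed DNS log lines, as an added example written for this page; it is not ATT&CK's text and not any vendor's detector. The log format, the CDN allowlist, the dictionary, the bigram training corpus and the thresholds are all hypothetical and deliberately tiny.

```python
"""Name-based DGA triage over constructed DNS log lines (added example, not
ATT&CK's or any vendor's detector). Computes the lexical features named in the
Detection section, applies a CDN allowlist first, and returns a verdict per
query. Dictionary, bigram corpus, allowlist and thresholds are hypothetical."""
import math
from collections import Counter

# Constructed log lines: "<timestamp> <client> <qname> <qtype>".
DNS_LOG = """\
2019-11-04T10:00:01Z 10.0.0.12 www.example.com A
2019-11-04T10:00:02Z 10.0.0.12 istgmxdejdnxuyla.ru A
2019-11-04T10:00:03Z 10.0.0.12 cityjulydish.net A
2019-11-04T10:00:04Z 10.0.0.12 d1a2b3c4e5f6g7.cloudfront.net A
2019-11-04T10:00:05Z 10.0.0.12 mail.google.com A
2019-11-04T10:00:06Z 10.0.0.12 qzkxwvjpfhtgrlmn.com A
"""
CDN_ALLOWLIST = {"cloudfront.net", "akamaiedge.net", "cloudflare.net"}  # hypothetical
DICTIONARY = {"city", "july", "dish", "mail", "google", "example", "river", "stone"}
BENIGN_CORPUS = ["google", "example", "microsoft", "amazon", "facebook", "wikipedia",
                 "github", "cloudflare", "update", "download", "login", "mail", "static",
                 "images", "content", "service", "account", "secure", "portal", "office"]
ENTROPY_THRESHOLD = 3.5  # bits per character, hypothetical cut-off
BIGRAM_THRESHOLD = 4.0   # bits per bigram, hypothetical cut-off

def shannon_entropy(s):
    """Bits per character; approaches log2(len(s)) for uniformly random letters."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def vowel_ratio(s):
    """Fraction of vowels; English words sit well above random strings."""
    return sum(ch in "aeiou" for ch in s) / len(s)

def segment_words(label, dictionary):
    """Greedy longest-match segmentation -> (words, fraction of label covered)."""
    words, i = [], 0
    while i < len(label):
        match = next((label[i:j] for j in range(len(label), i, -1)
                      if label[i:j] in dictionary), None)
        if match is None:
            i += 1
            continue
        words.append(match)
        i += len(match)
    return words, sum(map(len, words)) / len(label)

def build_bigram_model(corpus, alpha=0.1):
    """Smoothed bigram log2 P(b|a) learned from benign labels (add-alpha over a-z)."""
    pair, first = Counter(), Counter()
    for w in corpus:
        for a, b in zip(w, w[1:]):
            pair[a, b] += 1
            first[a] += 1
    return lambda a, b: math.log2((pair[a, b] + alpha) / (first[a] + 26 * alpha))

BIGRAM_LOGP = build_bigram_model(BENIGN_CORPUS)

def bigram_score(label):
    """Mean surprise in bits per bigram; random strings score higher than words."""
    pairs = list(zip(label, label[1:]))
    return -sum(BIGRAM_LOGP(a, b) for a, b in pairs) / len(pairs) if pairs else 0.0

def split_name(qname):
    """-> (label to score, naive registrable domain). Drops a leading 'www'; the
    last-two-labels rule stands in for the Public Suffix List a real tool uses."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[0] == "www" and len(labels) > 2:
        labels = labels[1:]
    return labels[0], ".".join(labels[-2:])

def classify(f):
    if f["allowlisted"]:
        return "allowlisted"           # random-looking CDN hostnames are expected
    if f["dict_coverage"] >= 0.8:      # made of real words: benign unless glued together
        return "wordlist-dga-candidate" if f["dict_words"] >= 3 else "benign"
    if (f["entropy"] >= ENTROPY_THRESHOLD or f["vowel_ratio"] < 0.2
            or f["bigram_score"] >= BIGRAM_THRESHOLD):
        return "random-dga-candidate"
    return "benign"

def score_domain(qname):
    """Feature vector plus verdict for one queried name."""
    label, reg = split_name(qname)
    words, coverage = segment_words(label, DICTIONARY)
    f = {"qname": qname, "label": label, "allowlisted": reg in CDN_ALLOWLIST,
         "entropy": shannon_entropy(label), "vowel_ratio": vowel_ratio(label),
         "dict_words": len(words), "dict_coverage": coverage,
         "bigram_score": bigram_score(label)}
    f["verdict"] = classify(f)
    return f

def triage(log_text):
    """{qname: verdict} for every query line in the log."""
    return {p[2]: score_domain(p[2])["verdict"]
            for p in (line.split() for line in log_text.splitlines()) if len(p) >= 4}
```

Calling `triage(DNS_LOG)` flags the two gibberish names, leaves example.com and google.com alone, and marks the cloudfront hostname "allowlisted" even though its leftmost label scores as random, which is the CDN caveat from the text made concrete. The cityjulydish.net line shows the limit of dictionary-word proportion on its own: it reports 100% real words, so the signal that catches a word-concatenation DGA is the count of words glued together with no separator. The thresholds are placeholders and would be tuned on real traffic.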
