Responsive image
博碩士論文 etd-0806109-175029 詳細資訊
Title page for etd-0806109-175029
論文名稱
Title
在 IRC 伺服器偵測以 IRC 為主的殭屍網路
IRC-Based Botnet Detection on IRC Server
系所名稱
Department
畢業學年期
Year, semester
語文別
Language
學位類別
Degree
頁數
Number of pages
59
研究生
Author
指導教授
Advisor
召集委員
Convenor
口試委員
Advisory Committee
口試日期
Date of Exam
2009-07-23
繳交日期
Date of Submission
2009-08-06
關鍵字
Keywords
IRC-Based殭屍網路、IRC探嗅器、殭屍網路
IRC Sniffer, IRC-Based Botnet, Botnet
統計
Statistics
本論文已被瀏覽 5876 次,被下載 11
The thesis/dissertation has been browsed 5876 times, has been downloaded 11 times.
中文摘要
網路上攻擊的方法眾多,殭屍網路結合了木馬、病毒與蠕蟲等惡意程式的感染與攻擊功能,如寄送垃圾郵件、阻斷服務攻擊等,常常一發動攻擊才能發現殭屍網路的存在。殭屍網路種類分成IRC-Based Botnet、Web-Based、P2P Botnet等種類,最常使用與存在時間最久的為IRC-Based Botnet。由於殭屍網路在潛伏期時,封包流量與平常沒有任何差異,現今的入侵偵測系統只能於殭屍網路發動攻擊時才偵測出其活動,無法有效防禦殭屍網路。本研究透過建置IRC Sniffer偵測IRC Server內Channel之所有使用者通訊內容,找出遭受Botmaster控制Channel的特性,發展出一套IRC Server端使用的入侵偵測系統,透過分析比對Channel通訊內容的差異度、平均回應時間、以及平均訊息內容長度等,找出被Botmaster控制之Channel,以防止Botmaster利用IRC Server操控Bot主機,進行攻擊,可以在Botnet發動真實攻擊之前阻止其行為,以達到事前預防之功效。透過本研究的實驗可以發現正常的Channel與實驗惡意通訊內容的Channel在Botdoubt中其判斷比率是有差異的,因此在進行內容判斷部份,是能找出Bot主機所在的Channel。在資料中也可發現Botmaster傳送的訊息內容長度會小於Bot主機傳送的訊息內容長度,傳送的時間間隔也會比Bot主機傳送訊息的間隔時間還長。透過本研究可找出異常Channel並知道Bot主機與Botmaster的來源位址,也可將收集到的異常Channel特徵提供後續研究分析。
Abstract
Recently, Botnet has become one of the most severe threats on the Internet because it is hard to be prevented and cause huge losses. Prior intrusion detection system researches focused on traditional threats like virus, worm or Trojan. However, traditional intrusion detection system cannot detect Botnet activities before Botmasters launch final attack. In Botnet attack, in order to control a large amount of compromised hosts (bots), Botmasters use public internet service as communication and control channel (C&C Channel). IRC (Internet Relay Chat) is the most popular communication service which Botmasters use to send command to their bots. Once bots receive commands from Botmasters, they will do the corresponding abnormal action. It seems that Botnet activities could be detected by observing abnormal IRC traffic.
In this paper, we will focus on IRC Server and, we will use four unique characteristics of abnormal channel, (1) the prefix of Botmaster communication in C&C channel, (2) the response messages of bots, (3) average response time from bots, and (4) average length of message, to detect abnormal Channel in IRC Server. We develop an on-line IRC IDS to detect abnormal IRC channel. In the proposed system, abnormal IRC channel can be detect and we can (1) identify the infected hosts (bots) and Botmaster in C&C Channel, (2) trackback the IP of Bots and Botmaster, (3) identify Bots before Botmasters launch final attack, and (4) find the pattern of abnormal channel. The experiments show that the proposed system can indeed detect abnormal IRC channel and find out bots and Botmaster.
目次 Table of Contents
第一章. 緒論 1
第一節 研究背景 1
第二節 研究動機 4
第三節 研究目的 9
第二章. 文獻探討 12
第一節 Botnet介紹 12
第二節 Botnet形成階段 15
第三節 Botnet偵測與防禦技術 17
第三章. 研究方法 21
第一節 IRC Server IDS系統架構 21
第二節 特徵選取 24
第三節 分析模組 29
第四章. 實驗結果與分析 33
第一節 實驗環境 33
第二節 資料收集 34
第三節 資料分析 38
第四節 績效評估 43
第五章. 結論 47
參考文獻 49
參考文獻 References
[1] C. A. Schiller, J. Binkley, D. Harley, G. Evron, T. Bradley, C. Willems and M. Cross, “Botnets: the killer web app,” Syngress, 2007.
[2] C. Livadas, R. Walsh, D. Lapsley and W. T. Strayer, “Using machine learning techniques to identify botnet traffic,” In proceeding of the 31st IEEE Conference on Local Computer Networks Workshop on Network Security, 2006.
[3] C. Mazzariello, “IRC traffic analysis for botnet detection,” In proceeding of the 4th International Conference on Information Assurance and Security, pp.318-323, 2008.
[4] C.J. Mielke and H. Chen, “Botnets, and the CyberCriminal underground,” In proceeding of the 2008 International Conference on Intelligence and Security Informatics, pp.206-211, 2008.
[5] D. Ramsbrock, X. Wang, X. Jiang, “A first step towards live botmaster traceback,” In proceeding of the 11th International Symposium on Recent Advances in Intrusion Detection, pp.59-77, 2008.
[6] E. Cooke, F. Jahanian and D.McPherson, “The zombie roundup: understanding, detecting, and disrupting botnets,” In Usenix Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), 2005.
[7] E. Stinson and J.C. Mitchell, “Characterizing bots’ remote control behavior,” In Detection of Intrusions and Malware, and Vulnerability Assessment, pp.89-109, 2007.
[8] IRC Normal Traffic, http://www.irclog.org
[9] J. Goebel and T. Holz, “Rishi: Identify bot contaminated hosts by IRC nickname evaluation,” In Proceedings of the 1st conference on First Workshop on Hot Topics in Understanding Botnets, pp.8-8, 2007.
[10] J. R. Binkley and S. Singh, “An algorithm for anomaly-based botnet detection,” In proceeding of the 2nd International conference on Steps to Reducing Unwanted Traffic on the Internet, Vol.2, pp.7-7, 2006.
[11] J. Soriano, “Top 8 in ’08,” TrendLabs Malware Blog, http://blog.trendmicro.com/top-8-in-08/, 2008
[12] M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi and S. Yamaguchi, “A proposal of metrics for botnet detection based on its cooperative behavior,” In proceedings of the 2007 International Symposium on Applications and the Internet Workshops, pp.82, 2007.
[13] M. A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, "A multifaceted approach to understanding the botnet phenomenon," In Proceedings of the 6th ACM SIGCOMM conference on Internet Measurement, pp.41-52, 2006.
[14] P. Bacher, T. Holz, M Kotter and G Wicherski, “Know your Enemy: Tracking Botnets,” The Honeynet Project and Research Alliance, 2005
[15] P. Barford and V. Yegneswaran, ”An inside look at botnets,” Advances in Information Security, Malware Detection, Vol.27, pp.171-191, 2007.
[16] R. Villamarin-Salomon, J. C. Brustoloni, “Identifying botnets using anomaly detection techniques applied to DNS traffic,” In proceedings of the 5th Consumer Communications and Networking conference, pp.476-481, 2008.
[17] TrendMircro, “The Trend Micro 2008 Annual Threat Roundup and 2009 Forecast,” http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/trend_micro_2009_annual_threat_roundup.pdf, 2009
[18] V. Kamluk, “The botnet business,” Viruslist.com, http://www.viruslist.com/en/analysis?pubid=204792003, 2008
[19] Y. Al-Hammadi and U. Aickelin, “Detecting bots based on keylogging activities,” In proceeding of the 3thInternational Conference on Availability, Reliability and Security, pp.896-902, 2009.
[20] Y. Kugisaki, Y. Kasahara, Y. Hori and K. Sakurai, “Bot detection based on traffic analysis,” In proceedings of the 2007 Intelligent Pervasive Computing conference, pp.303-306, 2007.
[21] CNCERT/CC, 技術文章「關於殭屍網路」CNCERTCC_TR_2005-001
[22] 科技犯罪防制中心,“殭屍電腦(BotNet係稱機器人電腦)肆虐,台灣網路受害全球高居第六,”內政部警政署刑事警察局之公告事項, http://www.cib.gov.tw/news/news02_2.aspx?no=261, 2006.
[23]陳英傑, “中國駭客癱瘓巴哈姆特,”自由電子報, http://www.libertytimes.com.tw/2008/new/apr/30/today-life7.htm, 2008.
[24] 蘇湘雲, “CNN網站遭駭客冒用!假電子報內含病毒影片,” NOWnews, http://www.nownews.com/2008/08/07/339-2316527.htm, 2008.
電子全文 Fulltext
本電子全文僅授權使用者為學術研究之目的,進行個人非營利性質之檢索、閱讀、列印。請遵守中華民國著作權法之相關規定,切勿任意重製、散佈、改作、轉貼、播送,以免觸法。
論文使用權限 Thesis access permission:校內一年後公開,校外永不公開 campus withheld
開放時間 Available:
校內 Campus: 已公開 available
校外 Off-campus:永不公開 not available

您的 IP(校外) 位址是 35.174.62.162
論文開放下載的時間是 校外不公開

Your IP address is 35.174.62.162
This thesis will be available to you on Indicate off-campus access is not available.

紙本論文 Printed copies
紙本論文的公開資訊在102學年度以後相對較為完整。如果需要查詢101學年度以前的紙本論文公開資訊,請聯繫圖資處紙本論文服務櫃台。如有不便之處敬請見諒。
開放時間 available 已公開 available

QR Code