Responsive image
博碩士論文 etd-0813110-025210 詳細資訊
Title page for etd-0813110-025210
論文名稱
Title
混合型殭屍網路偵測
Hybrid Botnet Detection
系所名稱
Department
畢業學年期
Year, semester
語文別
Language
學位類別
Degree
頁數
Number of pages
79
研究生
Author
指導教授
Advisor
召集委員
Convenor
口試委員
Advisory Committee
口試日期
Date of Exam
2010-07-15
繳交日期
Date of Submission
2010-08-13
關鍵字
Keywords
殭屍網路、Web 型殭屍網路、快速變動網域
Botnet, Web-based Botnet, Fast Flux Domain
統計
Statistics
本論文已被瀏覽 5859 次,被下載 11
The thesis/dissertation has been browsed 5859 times, has been downloaded 11 times.
中文摘要
近年來,殭屍網路(Botnet)已成為網際網路的重大威脅之一,從IRC 型殭屍網路(IRC-based Botnet)、P2P 型殭屍網路(P2P-based Botnet),到Web 型殭屍網路(Web-based Botnet)都對使用者造成危害,尤其是Web 型殭屍網路帶給使用者的威脅最大。Web 型殭屍網路不像P2P 型殭屍網路複雜,但是藉由HTTP 傳輸協協定進行溝通,能將惡意流量隱藏在大量的正常流量中,不易被發覺與偵測。我們實際以Bot 程式發送流量,藉此找出可偵測的特徵。
殭屍網路除了發動攻擊與竊取隱私外,駭客還會利用它來增加惡意網站的壽命。為了不讓使用者直接與惡意網站作連結,駭客會利用快速變動網域(Fast Flux Domain)技術減少惡意網站被發現的機會。快速變動網域代理人(Fast Flux Agent)會成為惡意網站與客戶端的中繼站,不讓惡意網站與客戶端直接接觸,卻能完成雙方的溝通行為。
殭屍網路與快速變動網域技術是緊密聯繫在一起的,因為只有殭屍網路才能提供駭客多個快速變動網域代理人。Web 型殭屍網路與快速變動網域技術都使用HTTP 溝通協定,因此本研究除了針對Web 型殭屍網路進行流量分析外,還必須探討快速變動網域技術帶給殭屍網路的影響,期望能讓Web 型殭屍網路與快速變動網域技術的偵測架構更加準確。
Abstract
There are three mail types of Botnet: IRC-based Botnet, P2P-based Botnet,Web-based Botnet and they have become major threat to the Internet recently. Web-based Botnet is popular and more harmful to users. The architecture of Web-based Botnet is simpler than P2P-based Botnet, and its malicious traffic can be hidden in a large number of normal traffic. In this study, we built an experimental environment of using malicious bot programs to detect suspicious traffic and malware features.
Except network attacking and identity theft, Botnet could also be used by hackers to extend the life time of rouge websites by combining with the technology of Fast Flux Domain. Botnet and the technology of Fast Flux Domain closely link to each other in the real world. Both of Web-based Botnet and Fast Flux Domain
technology use HTTP protocol to communicate, and Botnet provides a large number of infected hosts to be Fast Flux Agents which act like a relay station to block the direct link of malicious websites from clients, but completes the mutual connection.
In the research, not only the analysis and detection of Web-based Botnet are focused, but also the impact of Fast Flux Domain technology is included. We expect
to clear the architecture of Botnet and the technology of Fast Flux Domain, and make the detection mechanism more precisely.
目次 Table of Contents
論文提要 III
致謝 IV
摘要 V
Abstrac VI
目錄 VII
表目錄 IX
圖目錄 X
第一章 緒論 1
第一節 研究背景 1
第二節 研究動機 4
第三節 問題描述 9
第四節 研究目的 9
第二章 相關研究 11
第一節 相關名詞解釋 11
第二節 Web型殭屍網路 13
第三節 Web型殭屍網路偵測方法 16
第四節 快速變動網域 17
第五節 快速變動網域偵測 23
第三章 系統設計 27
第一節 系統架構 27
第二節 Web型殭屍網路偵測 28
第三節 快速變動網域偵測 34
第四章 實驗結果與分析 43
第一節 網站驗證機制 44
第二節 Web型殭屍網路偵測實驗與分析 48
第三節 快速變動網域偵測實驗與分析 59
第五章 結論 64
參考文獻 65
參考文獻 References
Jae-Seo Lee , HyunCheol Jeong , Jun-Hyung Park , Minsoo Kim , Bong-Nam Noh, 2008, “The Activity Analysis of Malicious HTTP-based Botnets using Degree of Periodic Repeatability”, Security Technology, 2008. SECTECH '08. International Conference on, 13-15 Dec. 2008.
Nazario, Jose and Thorsten Holz, 2008, “As the Net Churns: Fast-Flux Botnet Observations”, Sept 5 2008.
Chenfeng Vincent Zhou, Christopher Leckie and Shanika Karunasekera, 2009, “Collaborative Detection of Fast Flux Phishing Domains”, Journal of Networks, vol. 4, no. 1, February 2009.
Barry N. Taylor and Chris E. Kuyatt, 1994, “Guidelines for Evaluating and Expressing the Uncertainty of NIST Measurement Results”, Physics Laboratory.
Anukool Lakhina, Mark Crovella, 2007, “Mining Anomalies Using Traffic Feature Distributions”, IEEE COMMUNICATIONS LETTERS, vol. 11, No. 12, DECEMBER 2007.
Kuang-Ming Wang, 2005, “A Netflow Based Internet-worm Detecting System in Large Network”, Computer Science and Engineering, National Sun Yat-Sen University.
Emanuele Passerini, Roberto Paleari, Lorenzo Martignoni and Danilo Bruschi, 2008, “FluXOR: detecting and monitoring fast-flux service networks”, Springer, July 10-11, 2008.
ICANN, 2008, “SAC 025 SSAC Advisory on Fast Flux Hosting and DNS”, January 2008.
Holz, T., Gorecki, C., Freiling, F., Rieck, K., 2008, “Measuring and Detecting of Fast-Flux Service Networks”, In: Proceeding of the 15th Annual Network & Distributed System Security Symposium (NDSS08).
The New New Internet, 2010, “Microsoft’s Waledac Take-Down Could Provide Model for Future”, Available: http://www.thenewnewinternet.com/2010/03/17/microsofts-waledac-take-down-effective/
Team Cymru, 2010, “Developing Botnets”, Available: http://www.team-cymru.org/ReadingRoom/Whitepapers/2010/developing-botnets.pdf
Net Security, 2009, “RSA online fraud report highlights phishing and brand attacks”, Available: http://www.net-security.org/secworld.php?id=7963
NIST/SEMATECH, 2008, “e-Handbook of Statistical Methods”, Available: http://www.itl.nist.gov/div898/handbook
The Honeynet Project & Research Alliance, 2007, “Know Your Enemy: Fast-Flux Service Networks”, Available: http://www.honeynet.org/papers/ff
Chinese Honeynet Project, 2006, “Chinese Honeynet Project Status Report March 2006”, Available: http://www.honeynet.org.cn/index.php?option=com_content&task=view&id=23&Itemid=33&lang=en
Shadowserver Foundation, 2008, Available: http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20081231
Robot, 1961, Available: http://en.wikipedia.org/wiki/Robot
Waledac, 2008, Available: http://de.wikipedia.org/wiki/Waledac
Eggdrop, 1993, Available: http://en.wikipedia.org/wiki/Eggdrop
SDbot, 2002, Available: http://en.wikipedia.org/wiki/Zotob_(computer_worm)
Agobot, 2002, Available: http://en.wikipedia.org/wiki/Agobot
Spybot, 2003, Available: http://en.wikipedia.org/wiki/Spybot_worm
Phabot, 2004, Available: http://en.wikipedia.org/wiki/Agobot
Testbed @ NCKU, 2007, Available: https://testbed.ncku.edu.tw
Autonomous System, 1995, Available: http://en.wikipedia.org/wiki/Autonomous_System_Number
Content Delivery Network, 1993, Available: http://en.wikipedia.org/wiki/Content_delivery_network
Dig, 1987, Available: http://linux.about.com/od/commands/l/blcmdl1_dig.htm
McAfee, 2003, Available: http://www.siteadvisor.com/
SPAMHAUS, 1998, Available: http://www.spamhaus.org/lookup.lasso
WOT, 2010, Available: http://www.mywot.com/
Free PC Security, 2007, Available: http://www.freepcsecurity.co.uk/
MalwareURL, 2010, Available: http://www.malwareurl.com/
LikeVirus Statistics, 2010, Available: http://netflow.tn.edu.tw/likeVirus/html/20100505/15-20.html
XMCO Partners, 2010, Available: http://www.xmcopartners.com/article-fast-flux.html
i-Security, 2010, “DNS舊技術新玩法 - Fast Flux”, Available: http://www.i-security.tw/topic/topic_sg.asp?id=159
台灣FTP聯盟, 2008, “擄站勒贖-巴哈姆特被攻擊的真相”, Available: http://vbb.twftp.org/showthread.php?t=12000
刑事警察局, 2006, “僵屍電腦肆虐,台灣網路受害全球高居第六”, Available: http://www.cib.gov.tw/news/news02_2.aspx?no=261
鳥哥的 Linux 私房菜, 2003, Available: http://linux.vbird.org/
電子全文 Fulltext
本電子全文僅授權使用者為學術研究之目的,進行個人非營利性質之檢索、閱讀、列印。請遵守中華民國著作權法之相關規定,切勿任意重製、散佈、改作、轉貼、播送,以免觸法。
論文使用權限 Thesis access permission:校內一年後公開,校外永不公開 campus withheld
開放時間 Available:
校內 Campus: 已公開 available
校外 Off-campus:永不公開 not available

您的 IP(校外) 位址是 35.174.62.162
論文開放下載的時間是 校外不公開

Your IP address is 35.174.62.162
This thesis will be available to you on Indicate off-campus access is not available.

紙本論文 Printed copies
紙本論文的公開資訊在102學年度以後相對較為完整。如果需要查詢101學年度以前的紙本論文公開資訊,請聯繫圖資處紙本論文服務櫃台。如有不便之處敬請見諒。
開放時間 available 已公開 available

QR Code