Master's and doctoral theses: detailed record for etd-0806109-175029
Title page for etd-0806109-175029
Title: IRC-Based Botnet Detection on IRC Server (Chinese title: 在 IRC 伺服器偵測以 IRC 為主的殭屍網路)
Department:
Year, semester:
Language:
Degree:
Number of pages: 59
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2009-07-23
Date of Submission: 2009-08-06
Keywords: IRC Sniffer, IRC-Based Botnet, Botnet
Statistics: This thesis has been browsed 5879 times and downloaded 11 times.
Abstract (Chinese)
There are many kinds of attack on the Internet. Botnets combine the infection and attack capabilities of malware such as Trojans, viruses and worms, for example sending spam or launching denial-of-service attacks, and the existence of a botnet is often discovered only once an attack has been launched. Botnets are classified into IRC-based, web-based and P2P botnets; the most commonly used and longest-lived type is the IRC-based botnet. Because a botnet's packet traffic during its dormant period does not differ from normal traffic, current intrusion detection systems can only detect its activity when the botnet launches an attack and cannot defend against botnets effectively. This study builds an IRC Sniffer that monitors the communication of all users in every channel of an IRC server, identifies the characteristics of channels controlled by a botmaster, and develops an intrusion detection system for use on the IRC server side. By analysing and comparing the degree of difference between channel messages, the average response time, and the average message length, it identifies channels controlled by a botmaster, preventing the botmaster from using the IRC server to control bot hosts and launch attacks; the botnet's behaviour can thus be stopped before a real attack is launched, achieving prevention in advance. The experiments in this study show that normal channels and channels carrying experimental malicious communication differ in their Botdoubt judgement ratio, so the content-judgement component can identify the channel in which bot hosts reside. The data also show that the messages sent by the botmaster are shorter than those sent by bot hosts, and that the interval between the botmaster's messages is longer than the interval between the bot hosts' messages. This study can identify abnormal channels and learn the source addresses of the bot hosts and the botmaster, and the characteristics of abnormal channels it collects can be provided for follow-up research and analysis.
Abstract
Recently, botnets have become one of the most severe threats on the Internet because they are hard to prevent and cause huge losses. Prior intrusion detection system research focused on traditional threats like viruses, worms or Trojans. However, traditional intrusion detection systems cannot detect botnet activities before botmasters launch the final attack. In a botnet attack, in order to control a large number of compromised hosts (bots), botmasters use public Internet services as the communication and control channel (C&C channel). IRC (Internet Relay Chat) is the most popular communication service that botmasters use to send commands to their bots. Once bots receive commands from botmasters, they perform the corresponding abnormal action. It therefore seems that botnet activities could be detected by observing abnormal IRC traffic.
In this paper, we focus on the IRC server and use four unique characteristics of an abnormal channel, (1) the prefix of botmaster communication in the C&C channel, (2) the response messages of bots, (3) the average response time from bots, and (4) the average length of messages, to detect abnormal channels on the IRC server. We develop an on-line IRC IDS to detect abnormal IRC channels. With the proposed system, abnormal IRC channels can be detected and we can (1) identify the infected hosts (bots) and the botmaster in the C&C channel, (2) trace back the IPs of the bots and the botmaster, (3) identify bots before botmasters launch the final attack, and (4) find the pattern of the abnormal channel. The experiments show that the proposed system can indeed detect abnormal IRC channels and find the bots and the botmaster.
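The four channel characteristics listed in the abstract, worked through on constructed IRC log lines as an added example (this is not the thesis's IRC Sniffer or any code from it): per channel it measures the share of messages carrying a command prefix, how many replies to a command are duplicates of each other, the average response time, and the average length of commands versus replies. The log line format, the prefix set, the five-second response window, the scoring thresholds and both sample channels are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed command prefixes and response window (seconds); not values from the thesis.
COMMAND_PREFIXES = (".", "!", "$")
RESPONSE_WINDOW = 5.0

# Assumed log format: "HH:MM:SS #channel <nick> message".
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (#\S+) <([^>]+)> (.*)$")

# Constructed sample: one ordinary support channel and one channel where a
# single nick issues short prefixed commands that several nicks answer at once.
SAMPLE_LOG = """\
12:00:00 #linux <alice> anyone know why my kernel build fails on 2.6.30?
12:00:41 #linux <bob> paste the error, probably a missing header
12:01:30 #linux <alice> ok it says asm/page.h not found
12:02:05 #linux <carol> install the kernel headers package for your distro
12:03:10 #linux <alice> that fixed it, thanks both
12:00:00 #c-01 <m> .ver
12:00:01 #c-01 <z1a9> [VER]: 1.2 win32
12:00:01 #c-01 <z7k2> [VER]: 1.2 win32
12:00:02 #c-01 <z3p0> [VER]: 1.2 win32
12:09:00 #c-01 <m> .uptime
12:09:01 #c-01 <z1a9> [UPTIME]: 3d 4h 12m
12:09:01 #c-01 <z7k2> [UPTIME]: 3d 4h 12m
12:09:02 #c-01 <z3p0> [UPTIME]: 1d 0h 5m
"""


def parse_log(text):
    """Group log lines by channel as (timestamp, nick, message), sorted by time."""
    channels = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, chan, nick, msg = m.groups()
        channels[chan].append((datetime.strptime(ts, "%H:%M:%S"), nick, msg))
    for msgs in channels.values():
        msgs.sort(key=lambda x: x[0])
    return channels


def channel_features(msgs):
    """Compute the four features for one channel."""
    commands = [(t, n, m) for t, n, m in msgs if m.startswith(COMMAND_PREFIXES)]
    delays, responses = [], []
    for ct, cn, _ in commands:
        # A response is any message from another nick inside the window after a command.
        for t, n, m in msgs:
            if n == cn:
                continue
            dt = (t - ct).total_seconds()
            if 0 <= dt <= RESPONSE_WINDOW:
                delays.append(dt)
                responses.append(m)
    return {
        "prefix_ratio": len(commands) / len(msgs),
        "avg_response_time": sum(delays) / len(delays) if delays else None,
        # Fraction of responses that repeat another response verbatim.
        "duplicate_ratio": 1 - len(set(responses)) / len(responses) if responses else 0.0,
        "avg_cmd_len": sum(len(m) for _, _, m in commands) / len(commands) if commands else 0.0,
        "avg_resp_len": sum(len(m) for m in responses) / len(responses) if responses else 0.0,
    }


def is_suspicious(f):
    """Assumed thresholds: many prefixed commands, fast near-identical replies,
    and commands shorter than replies, as the abstract describes for C&C channels."""
    return (
        f["prefix_ratio"] >= 0.2
        and f["avg_response_time"] is not None
        and f["avg_response_time"] <= 2.0
        and f["duplicate_ratio"] >= 0.5
        and f["avg_cmd_len"] < f["avg_resp_len"]
    )


def analyze(text):
    """Return per-channel features plus a 'suspicious' verdict."""
    result = {}
    for chan, msgs in parse_log(text).items():
        f = channel_features(msgs)
        f["suspicious"] = is_suspicious(f)
        result[chan] = f
    return result


if __name__ == "__main__":
    for chan, f in analyze(SAMPLE_LOG).items():
        print(chan, f)
```

A server-side deployment would feed the same features from live channel traffic rather than a log, and the thresholds would need to be tuned against the server's own normal channels, since bots in support channels (topic or ops bots) also answer prefixed commands quickly.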
Table of Contents
Chapter 1. Introduction 1
Section 1 Research Background 1
Section 2 Research Motivation 4
Section 3 Research Objectives 9
Chapter 2. Literature Review 12
Section 1 Introduction to Botnets 12
Section 2 Botnet Formation Stages 15
Section 3 Botnet Detection and Defence Techniques 17
Chapter 3. Research Method 21
Section 1 IRC Server IDS System Architecture 21
Section 2 Feature Selection 24
Section 3 Analysis Module 29
Chapter 4. Experimental Results and Analysis 33
Section 1 Experimental Environment 33
Section 2 Data Collection 34
Section 3 Data Analysis 38
Section 4 Performance Evaluation 43
Chapter 5. Conclusion 47
References 49
Fulltext
This electronic full text is licensed only for individual, non-profit searching, reading and printing for the purpose of academic research. Please observe the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without permission, to avoid infringement.
Thesis access permission: available on campus after one year, never available off campus (campus withheld)
Availability:
Campus: available
Off-campus: not available
Printed copies
Availability information for printed copies is relatively complete from academic year 102 onwards. For availability of printed copies from academic year 101 or earlier, please contact the printed thesis service counter of the Library and Information Services office. We apologise for any inconvenience.
Availability: available