Thesis access permission: available on campus one year after submission; never available off-campus (campus withheld)
Available:
Campus: available
Off-campus: not available
Title: Hybrid Botnet Detection (混合型殭屍網路偵測)
Department:
Year, semester:
Language:
Degree:
Number of pages: 79
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2010-07-15
Date of Submission: 2010-08-13
Keywords: Botnet, Web-based Botnet, Fast Flux Domain
Statistics: This thesis has been browsed 5847 times and downloaded 11 times.
Abstract (Chinese)
In recent years, botnets have become one of the major threats to the Internet. IRC-based botnets, P2P-based botnets and Web-based botnets have all harmed users, and Web-based botnets pose the greatest threat. A Web-based botnet is not as complex as a P2P-based botnet, but because it communicates over the HTTP protocol it can hide its malicious traffic among a large volume of normal traffic, which makes it hard to notice and detect. We ran actual bot programs to generate traffic in order to identify features that can be detected. Beyond launching attacks and stealing private data, attackers also use botnets to extend the lifetime of malicious websites. To keep users from connecting directly to a malicious website, attackers use Fast Flux Domain techniques to reduce the chance that the site is discovered. Fast Flux Agents act as relays between the malicious website and the client: the website and the client never contact each other directly, yet their communication is still completed. Botnets and Fast Flux Domain techniques are tightly linked, because only a botnet can supply an attacker with many Fast Flux Agents. Both Web-based botnets and Fast Flux Domain techniques use the HTTP protocol, so in addition to analysing Web-based botnet traffic, this study also examines the impact of Fast Flux Domain techniques on botnets, with the aim of making the detection architecture for Web-based botnets and Fast Flux Domain techniques more accurate.
Abstract
There are three main types of botnet: IRC-based, P2P-based and Web-based, and they have recently become a major threat to the Internet. Web-based botnets are popular and more harmful to users. The architecture of a Web-based botnet is simpler than that of a P2P-based botnet, and its malicious traffic can be hidden in a large volume of normal traffic. In this study, we built an experimental environment that runs malicious bot programs in order to identify suspicious traffic and malware features. Besides network attacks and identity theft, botnets can also be used by hackers to extend the lifetime of rogue websites by combining them with Fast Flux Domain technology. Botnets and Fast Flux Domain technology are closely linked to each other in the real world. Both Web-based botnets and Fast Flux Domain technology use the HTTP protocol to communicate, and a botnet provides a large number of infected hosts to serve as Fast Flux Agents, which act like relay stations that block any direct link between malicious websites and clients while still completing the connection between them. This research focuses not only on the analysis and detection of Web-based botnets but also on the impact of Fast Flux Domain technology. We expect to clarify the architecture of botnets and Fast Flux Domain technology and make the detection mechanism more precise.
Table of Contents
Thesis summary
Acknowledgements
Abstract (Chinese)
Abstract
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
  Section 1 Research background
  Section 2 Research motivation
  Section 3 Problem description
  Section 4 Research objectives
Chapter 2 Related Work
  Section 1 Terminology
  Section 2 Web-based botnets
  Section 3 Web-based botnet detection methods
  Section 4 Fast Flux Domains
  Section 5 Fast Flux Domain detection
Chapter 3 System Design
  Section 1 System architecture
  Section 2 Web-based botnet detection
  Section 3 Fast Flux Domain detection
Chapter 4 Experimental Results and Analysis
  Section 1 Website verification mechanism
  Section 2 Web-based botnet detection experiments and analysis
  Section 3 Fast Flux Domain detection experiments and analysis
Chapter 5 Conclusion
References
Printed copies
Public access information for printed theses is relatively complete from academic year 102 onward. For printed theses from academic year 101 or earlier, please contact the printed thesis service desk of the Library and Information Services Office. We apologise for any inconvenience.
Available: available