殭屍網路(Botnet)已經對於Internet的穩定性造成重大威脅。目前許多攻擊手法，諸如垃圾郵件、釣魚網站、身份竊取、分散式阻斷服務攻擊(Distributed Denial of Service, DDoS)等，皆透過殭屍網路實現，對許多企業與組織造成重大傷害。
目前殭屍網路控制方式以集中式殭屍網路(Centralized Botnet)為主，究其原因為該類型殭屍網路易於操控之特性。集中式殭屍網路包含IRC-based與HTTP-based殭屍網路。本研究發現集中式殭屍網路的Homogeneous Response，Group Activity與 Periodic Connection可用來偵測集中式殭屍網路。本研究所提出之集中式殭屍網路偵測機制透過Payload相似度分析(Payload Similarity Analysis)與行為相關分析(Behavior Correlation Analysis)偵測集中式殭屍網路。
本研究所提出之偵測方法可以在攻擊者命令殭屍網路發動攻擊前有效區別受感染主機與未受感染主機產生之可疑訊息，發現受感染主機之惡意行為以及識別殭屍網路之存在。研究結果顯示本研究所提出之偵測方法可有效偵測集中式殭屍網路。

Cybercrime presents great security challenges for Internet and makes Internet security gain a lot of attention by academic domain. Cybercrime takes advantage of Internet for gaining revenue and profit, sending malicious mail, compromising computer hosts, stealing confidential information and launching distributed denial of service (DDoS) attacks. Cyber-attacks which compromise the security such as confidentiality, integrity, availability of a computer and network system are often carried out by botnets. Botnets have become a serious threat to the stability of Internet, because they can cause huge disasters to organizations and are difficult to detect their existence.
Most of existing botnets are centralized botnets because of ease of use and control. Centralized botnets often use IRC (Internet Relay Chat) or HTTP as a communication channel through which the botmaster can control the IRC-based or HTTP-based botnets to propagate more infections or launch attacks. There are three distinct message patterns of centralized botnets discovered from our observation: the homogeneous response, the group activity, and the periodic connection. The set of infected hosts respond similar message to the botmaster, exhibiting homogenous response. A group of hosts with long time span act together shows the characteristic of the group activity. The HTTP bots need to periodically perform a set of inquiries to retrieve the commands and messages which are prepared and maintained by the botmaster. In this research, a centralized botnet detection approach is proposed to identify the bots and botnet by the payload similarity analysis, autocorrelation analysis, and cross correlation analysis. The payload similarity analysis is employed to measure the similarity between flows. The autocorrelation and cross correlation analysis are employed to discover the periodic behaviors of centralized bots.
The proposed method can differentiate the suspicious messages generated by infected hosts (bots) from normal clients, discover the malicious behaviors of bots and identify the existence of bonnet before the botmaster launches attacks. The experimental results show that the proposed approach effectively detects abnormal behaviors of centralized botnets and the existence of centralized botnets.

中文摘要 i
Abstract ii
Table of Contents iv
List of Tables vi
List of Figures vii
Chapter 1 Introduction 1
1.1 Research Background 2
1.2 Research Motivation 4
1.3 Research Contribution 6
Chapter 2 Related Work 8
2.1 Botnet C&C Models 8
2.2 The Evolution of Botnet 11
2.3 Botnet Life Cycle 13
2.4 Botnet Detection Approaches 16
Chapter 3 Proposed Approach 21
3.1 Feature Extraction 22
3.2 Flow Aggregation 24
3.3 Payload Similarity Analysis 26
3.3.1 Longest Common Subsequence 26
3.3.2 Normalized Compression Distance 29
3.4 Behavior Correlation Analysis 31
3.4.1 Cross-Correlation Coefficient 31
3.4.2 Autocorrelation Coefficient 32
Chapter 4 System Evaluation 34
4.1. Data Collection 34
4.2. Evaluation Metric and Experimental Design 38
4.3 Experimental Results 40
4.3.1 IRC-based Botnet Detection 40
4.3.2 HTTP-based Botnet Detection 44
4.3.3 Performance Comparison - BotHunter 45
4.3.4 Parameter Analysis 47
Chapter 5 Conclusion 50
Chapter 6 Future Work 52
Bibliography 53

[1] M. Akiyama, T. Kawamoto, M. Shimamura, T. Yokoyama, Y. Kadobayashi, and S. Yamaguchi, “A Proposal of Metrics for Botnet Detection based on Its Cooperative Behavior,” Proceedings of the 2007 International Symposium on Applications and the Internet Workshops (SAINTW'07), 2007.
[2] Autocorrelation, http://en.wikipedia.org/wiki/Autocorrelation.
[3] P. Barford and V. Yegneswaran, “An Inside Look at Botnets,” Special Workshop on Malware Detection, Advances in Information Security, 2006.
[4] J.R. Binkley and S. Singh, “An Algorithm for Anomaly-based Botnet Detection,” USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet, pp. 43-48, 2006.
[5] R. Cilibrasi and P.M.B. Vit´anyi, “Clustering by Compression,” IEEE Transactions on Information Theory, vol. 51, no. 4, pp. 1523-1545, 2005.
[6] Clustering Coefficient, http://en.wikipedia.org/wiki/Clustering_coefficient.
[7] E. Cooke, F. Jahanian, and D. McPherson, “The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets,” Proceedings of the Steps to Reducing Unwanted Traffic on the Internet, pp. 39-44, 2005.
[8] T.H. Cormen, C.E. Leiserson, and R.L. Rivest, Introduction to Algorithms, 3rd ed. The MIT Press, 2009.
[9] Cross Correlation, http://en.wikipedia.org/wiki/Cross-correlation.
[10] DARPA 2000 Intrusion Detection Scenario Specific Data Sets, “Inside Tcpdump Data,” http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/data/2000data.html.
[11] D. Dittrich and S. Dietrich, “Command and Control Structures in Malware: from Handler/Agent to P2P,” ;LOGIN: vol. 32, no. 6, pp. 8-17, 2007.
[12] C.J. Dittrich, C. Rossow, and N. Pohlmann, “CoCoSpot: Clustering and Recognizing Botnet Command and Control Channels Using Traffic Analysis,” Computer Networks, 2012. Available from: http://dx.doi.org/10.1016/j.comnet.2012.06.019.
[13] A. Estabrooks, T. Jo, and N. Japkowicz, “A Multiple Resampling Method for Learning from Imbalanced Data Sets,” Computational Intelligence, vol. 20, no. 1, pp. 18-36, 2004.
[14] F.C. Freiling, T. Holz, and G. Wicherski, “Botnet Tracking: Exploring a Root-cause Methodology to Prevent Distributed Denial-of-Service Attacks,” Lecture Notes in Computer Science, vol. 3679, pp. 319-335, 2005.
[15] J. Goebel and T. Holz, “Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation,” Proceedings of the 1st Conference on First Workshop on Hot Topics in understanding botnets, pp. 8-19, 2007.
[16] J. Govil, “Examining the Criminology of Bot Zoo,” 6th International Conference on Information, Communications & Signal Processing, pp. 1-6, 2007.
[17] G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, “BotHunter: Detecting Malware Infection through IDS-driven Dialog Correlation,” Proceedings of the 16th USENIX Security Symposium, 2007.
[18] G. Gu, J. Zhang, and W. Lee, “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic,” Proceedings of the 15th Annual Network and Distributed System Security Symposium, 2008.
[19] G. Gu, R. Perdisci, J. Zhang, and W. Lee, “BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-independent Botnet Detection,” Proceedings of the 17th USENIX Security Symposium, pp. 139-154, 2008.
[20] IRC Logs, http://www.irclog.org.
[21] M. Jalali, N. Mustapha, Md.N. Sulaiman, and A. Mamat, “A Recommender System Approach for Classifying User Navigation Patterns Using Longest Common Subsequence Algorithm,” American Journal of Scientific Research, vol. 4, pp. 17-27, 2009.
[22] A. Karasaridis, B. Rexroad, and D. Hoeflin, “Wide-scale Botnet Detection and Characterization,” HotBots’07 1st Workshop on Hot Topics in Understanding Botnets, 2007.
[23] S. Kondo and N. Sato, “Botnet Traffic Detection Techniques by C&C Session Classification Using SVM,” Lecture Notes in Computer Science, vol. 4752, pp. 91-104, 2007.
[24] J.S. Lee, H.C. Jeong, J.H. Park, M. Kim, and B.N. Noh, “The Activity Analysis of Malicious HTTP-Based Botnets Using Degree of Periodic Repeatability”, 2008 International Conference on Security Technology, pp. 83-86, 2008.
[25] C. Livadas, B. Walsh, D. Lapsley, and W.T. Strayer, “Using Machine Learning Techniques to Identify Botnet Traffic,” 31st IEEE Conference on Local Computer Networks, pp. 967-974, 2006.
[26] A. Lelli, “Cracking into the New P2P Variant of Zeusbot/Spyeye,” http://www.symantec.com/connect/blogs/cracking-new-p2p-variant-zeusbotspyeye, 2011.
[27] A. Lelli, “Zeusbot/Spyeye P2P Updated, Fortifying the Botnet,” http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet, 2012.
[28] W. Lu, M. Tavallaee, and A.A. Ghorbani, “Clustering Botnet Communication Traffic based on N-gram Feature Selection,” Computer Communications, vol. 34, no. 33, pp. 502-514, 2011.
[29] M.M. Masud, T. Al-khateeb, L. Kha, B. Thuraisingham, and K.W. Hamlen, “Flow-based Identification of Botnet Traffic by Mining Multiple Log Files,” 1st International Conference on Distributed Framework and Applications, pp. 200-206, 2008.
[30] C. Mazzariello, “IRC Traffic Analysis for Botnet Detection,” IEEE 4th International Conference on Information and Assurance, pp. 318-323, 2008.
[31] C.J. Mielke II and H. Chen, “Botnets, and the CyberCriminal Underground,” IEEE International Conference on Intelligence and Security Informatics (ISI 2008), pp. 206 -211, 2008.
[32] J. Nazario, “BlackEnergy DDoS Bot Analysis,” http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf, 2007.
[33] G. H. Nguyen, A. Bouzerdoum, and S. Phung, “Learning Pattern Classification Tasks with Imbalanced Data Sets,” http://ro.uow.edu.au/infopapers/792, 2009.
[34] Normalized Compression Distance, http://en.wikipedia.org/wiki/Normalized_Compression_Distance.
[35] D. Plohmann and E. Gerhards-Padilla, “Case Study of the Miner Botnet,” 2012 4th International Conference on Cyber Conflict (CYCON), pp. 1-16, 2012.
[36] M.A. Rajab, J. Zarfoss, F. Monrose, and A. Terzis, “A Multifaceted Approach to Understanding the Botnet Phenomenon,” Proceedings of the 6th ACM SIGCOMM Conference on Internet measurement, pp. 41-52, 2006.
[37] Snort, http://www.snort.org.
[38] W.T. Strayer, B. Walsh, C. Livadas, and D. Lapsley, “Detecting Botnets with Tight Command and Control,” 31st IEEE Conference on Local Computer Networks, pp. 195-202, 2006.
[39] W. Wang, B. X. Fang, Z. X. Zhang and C. Li, “A Novel Approach to Detect IRC-based Botnets,” Proceedings of the 2009 International Conference on Networks Security, Wireless Communications and Trusted Computing, vol. 1, pp. 408-411, 2009.
[40] R.A. Wagner and M.J. Fischer, “The String-to-String Correction Problem,” Journal of the ACM, vol. 21, no. 1, pp. 168-173, 1974.
[41] D.J. Watts and S. Strogatz, “Collective Dynamics of 'Small-World' Networks,” Nature, vol. 393, No. 6684, pp. 440–442, 1998.
[42] T.F. Yen and M.K. Reiter, “Traffic Aggregation for Malware Detection,” Lecture Notes in Computer Science, vol. 5137, pp. 207-227, 2008.