Thesis access permission: not available on campus or off-campus
Available: Campus: never available; Off-campus: never available
| Field | Value |
|---|---|
| Title | Web-based Botnet Detection Based on Flow Information (使用 Flow 資訊偵測以網頁為基礎之殭屍網路) |
| Department | |
| Year, semester | |
| Language | |
| Degree | |
| Number of pages | 59 |
| Author | |
| Advisor | |
| Convenor | |
| Advisory Committee | |
| Date of Exam | 2009-07-23 |
| Date of Submission | 2009-09-08 |
| Keywords | Web-based Botnet, DDoS (Distributed Denial-of-Service) |
| Statistics | The thesis has been browsed 5896 times and downloaded 0 times |
Abstract (translated from the Chinese original)
A botnet is a composite of many network attack, infection and propagation techniques. An attacker controls infected computers over the Internet and issues commands through channels such as IRC, P2P or the Web (HTTP); after receiving a command, the infected computers launch distributed denial-of-service (DDoS) attacks, act as proxies, or serve as relays for sending spam. Controlling a botnet through the Web is a method that has emerged in recent years. A Web-based botnet is controlled over the standard HTTP protocol and hides its traffic within normal web traffic, which makes it harder to identify and detect. In view of this, this research focuses on the analysis and detection of Web-based botnets, using properties of the bot itself, such as timeslot behaviour, computations over NetFlow fields, and B2S (Bot to Server) and S2B (Server to Bot) traffic, to detect them. This work also proposes a detection architecture and, using the properties above, runs experiments under several experimental environment designs, all of which yield good detection results. In addition, experiments in a real network environment also achieve a high detection rate.
Abstract
A botnet combines cyber attack, infection and dissemination techniques. Across the Internet, infected hosts may launch DDoS (Distributed Denial-of-Service) attacks, act as proxies, or send spam according to commands received from botmasters via public services such as IRC, P2P or the Web (HTTP). Among these command-and-control channels, a Web-based botnet is much more difficult to detect because its command-and-control messages travel over HTTP and hide among normal flows. In this research we focus on the analysis and detection of Web-based botnets, detecting them through the features timeslot, calculations over NetFlow records, B2S (Bot to Server) and S2B (Server to Bot). The experimental results show that the proposed approach, using the features mentioned above, performs well across many different topology designs. In addition, we also obtained a good detection rate on a real network.
Table of Contents
Chapter 1 Introduction
  1.1 Research background
  1.2 Research motivation
  1.3 Problem description
  1.4 Research objectives
Chapter 2 Literature review
  2.1 Internet Relay Chat
  2.2 IRC-based Botnet
  2.3 Web-based Botnet
  2.4 Survey of Botnet-related literature
Chapter 3 Web-based Botnet detection system
  3.1 Properties of Web-based Botnets
  3.2 Verification of Web-based Botnet properties
  3.3 Web-based Botnet detection architecture
  3.4 Web-based Botnet detection procedure
Chapter 4 Web-based Botnet detection experiments and analysis
  4.1 Experimental environment setup
  4.2 Experimental scenario: one kind of Botnet in the LAN
  4.3 Experimental scenario: multiple kinds of Botnet in the LAN
  4.4 Detection validation on real local area network data
  4.5 Detection validation on campus dormitory network data
  4.6 Discussion of experimental results
Chapter 5 Conclusion
References
Fulltext
This electronic full text is licensed to users only for personal, non-commercial retrieval, reading and printing for the purpose of academic research. Please comply with the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it. Off-campus access to this thesis is not available.
Printed copies
Public-access information for printed theses is relatively complete from academic year 102 onward. To look up access information for printed theses from academic year 101 or earlier, please contact the printed thesis service desk of the Library and Information Services. We apologise for any inconvenience. Availability: available.