Thesis/Dissertation Record: etd-0908109-145449
Title (Chinese): 使用 Flow 資訊偵測以網頁為基礎之殭屍網路
Title (English): Web-based Botnet Detection Based on Flow Information
Department:
Year, semester:
Language:
Degree:
Number of pages: 59
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2009-07-23
Date of Submission: 2009-09-08
Keywords: Web-based Botnet, DDoS (Distributed Denial-of-Service)
Statistics: This thesis has been browsed 5896 times and downloaded 0 times.
Abstract (translated from the Chinese)
A botnet is a composite of many network attack, infection and propagation methods. Attackers control infected computers over the Internet and issue commands through different channels such as IRC, P2P and the Web (HTTP); after receiving a command, the infected computers go on to launch Distributed Denial-of-Service attacks, act as proxies, or serve as relays for sending spam. Controlling a botnet through the Web is a method that has emerged in recent years. A Web-based botnet is controlled over the standard HTTP protocol and hides its own traffic inside normal web traffic, which makes it considerably harder to identify and detect.
In view of this, this study focuses on the analysis and detection of Web-based botnets, using characteristics of the bots themselves, such as the timeslot characteristic, computations over NetFlow fields, B2S (Bot to Server) and S2B (Server to Bot), to detect Web-based botnets. This work also proposes a detection architecture and, using the characteristics above together with several experimental environment designs, carries out experiments that all yield good detection results. In addition, experiments conducted in a real network environment also achieve a high detection rate.
Abstract (English)
A botnet is a combination of cyber attack, infection and dissemination. Across the Internet, the infected hosts may launch DDoS (Distributed Denial-of-Service) attacks, or become proxies that send spam, according to commands from botmasters delivered via public services such as the IRC, P2P or Web (HTTP) protocols. Among these command and control channels, the Web-based botnet is much more difficult to detect, because its command and control messages are spread through the HTTP protocol and hide behind normal flows.
In this research, we focus on the analysis and detection of Web-based botnets, detecting them by the features timeslot, NetFlow calculation, B2S (Bot to Server) and S2B (Server to Bot). The experimental results show that the proposed approach, which uses the features mentioned above, performs well in many different topology designs. In addition, we also obtained a good detection rate in a real network setting.
Table of Contents
Chapter 1 Introduction 9
  1.1 Research Background 9
  1.2 Research Motivation 10
  1.3 Problem Description 12
  1.4 Research Objectives 13
Chapter 2 Literature Review 15
  2.1 Internet Relay Chat 15
  2.2 IRC-based Botnet 15
  2.3 Web-based Botnet 21
  2.4 Summary of Botnet-related Literature 22
Chapter 3 Web-based Botnet Detection System 26
  3.1 Characteristics of Web-based Botnets 26
  3.2 Verification of Web-based Botnet Characteristics 32
  3.3 Web-based Botnet Detection Architecture 39
  3.4 Web-based Botnet Detection Procedure 41
Chapter 4 Web-based Botnet Detection Experiments and Analysis 43
  4.1 Experimental Environment Setup 43
  4.2 Experimental Scenario: One Kind of Botnet in the LAN 43
  4.3 Experimental Scenario: Several Kinds of Botnet in the LAN 49
  4.4 Detection Validation on Real LAN Data 52
  4.5 Detection Validation on Campus Dormitory Network Data 54
  4.6 Discussion of Experimental Results 55
Chapter 5 Conclusion 56
References 57
Electronic Full Text
This electronic full text is licensed to users solely for personal, non-profit retrieval, reading and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization, so as to avoid breaking the law.
Thesis access permission: not available on campus or off campus
Available:
Campus: never available
Off-campus: never available
Printed Copies
Public-access information for printed theses is relatively complete from academic year 102 (ROC calendar) onward. To look up public-access information for printed theses from academic year 101 or earlier, please contact the printed-thesis service desk of the Office of Library and Information Services. We apologize for any inconvenience.
Available: yes