Graduate student: | 岳良晨 Yue, Liang-Chen |
---|---|
Thesis title: | 一個整合基因演算法及DBScan之殭屍網路特徵擷取方法 A Botnet Feature Extraction Method By Integrating Genetic And DBScan Algorithms |
Advisor: | 謝錫堃 Shieh, Ce-Kuen |
Degree: | Master |
Department: | College of Electrical Engineering and Computer Science - Department of Electrical Engineering (on the job class) |
Year of publication: | 2013 |
Academic year of graduation: | 101 |
Language: | Chinese |
Number of pages: | 42 |
Keywords: | Botnet, Genetic Algorithm, Clustering Algorithm, Detection Rate, False Positive Rate |

Advances in Internet technology have made communication between computers more convenient, but many dangers are hidden beneath that convenience. Malicious actors use the network to break into users' computers and implant viruses by way of e-mail, messaging programs, and system vulnerabilities. In recent years, botnets have become the largest channel for spreading viruses. A botnet behaves much like the flu virus: infected machines are commanded through Internet Relay Chat (IRC) software to break into and infect other vulnerable computers over the network, at a speed far beyond that of an ordinary virus.

This study analyzes and compares hosts by exploiting the fact that hosts in a botnet behave similarly. Real botnet network-behavior data are collected, and feature values are computed for several types of behavioral features commonly seen on networks. A Genetic Algorithm is integrated with a Clustering Algorithm, and the Detection Rate and False Positive Rate are computed to evaluate the most suitable feature combination for that botnet. This feature combination can then be compared against the behavior of other computers to detect whether they are infected by the same bot.