網際網路已經成為人們日常生活相當重要的一部分，給社會帶來許多便利的服務，從休閒娛樂、人與人之間的聯絡通訊、吸收知識等等都可以透過網際網路。但人們在使用時卻忽略了很多資訊安全的問題，其中殭屍網路是一個威脅性十分大的資訊安全問題，殭屍網路的攻擊者(Botmaster)只要透過網際網路就可以進行散佈惡意程式、垃圾郵件、架設釣魚網站以及發動分散式服務阻斷攻擊(DDos)等等的惡意行為。殭屍網路是由受到病毒或木馬感染而淪陷的電腦所形成的一個網路群體， Botmaster可經由命令與控制伺服器(C&C Server)聯繫Botnet以及下達指令進行上述各種惡意行為。殭屍網路為了提升存活率而有多種不同的型態，其中Domain Generation Algorithm(DGA) Botnet透過網域產生演算法產生多組網域，並控制網域的變動以規避偵查，Botmaster只要註冊一個網域便可向所有的受感染主機下達指令，是相當主流的殭屍網路型態之一，Confiker、Torpig、Kraken、Srizbi等等都屬於網域產生演算法型殭屍網路。本研究所開發的偵測系統主要針對於此種類型的殭屍網路進行分析以及偵測，此種類型的殭屍網路可能會有相異於一般網域的網域名稱或是查詢行為。因此本研究以分群演算法以及相似度演算法兩種方式分析惡意網域以及一般網域之間的差異性，以此偵測出DGA型態的殭屍網路。本研究使用已知的DGA型態殭屍網路之行為特徵以及網域名稱以分析全部的殭屍網路。並成功從臺灣學術網路台南區網取得的真實數據中找出真正存在的殭屍網路。

The Internet plays an important role in people’s lives nowadays. However, Internet security is a major concern. Among the various threats facing the Internet and Internet users are so-called botnet attacks. In such an attack, hundreds or even thousands of devices (known as bots) are compromised by malicious websites or malware and are then controlled by the botmaster through a C&C controller to perform various nefarious activities, such as DDOS attacks, phishing, spam distribution, and so on. Domain Generation Algorithm (DGA) botnets are particularly resilient to detection since they generate a large number of domains (upwards of tens of thousands per day) and simply change to a new domain if the current domain is compromised. Crucially, the botmaster needs only to register one domain name to carry out C&C activity, whereas defenders must block all of the generated domains in order to thwart the attack. Accordingly, this thesis presents a robust approach for detecting DGA botnets based on an inspection of the DNS traffic in a system. In the proposed approach, the DNS records are filtered to remove known benign or malicious domains and are then clustered using a modified Chinese Whispers algorithm. The nature of each group (i.e., malicious or benign) is then identified by means of a Sequence Similarity Module based on the Sorensen-Dice Coefficient and a Query Sequence Similarity Module based on an inspection of the query timing sequence. It is shown that the proposed method successfully detects various types of botnet in a real-world, large scale network.

[1] Symantec Corporation Internet Security Threat Report 2016, [Online].
Available:https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
[2] Alexa Top Global Sites, [Online].Available: http://www.alexa.com/topsites
[3] Alexa Top Sites in Taiwan,
[Online].Available:http://www.alexa.com/topsites/countries/TW
[4] B. Markines, C. Cattuto, F. Menczer, D. Benz, “Evaluating similarity measures for emergent semantics of social tagging”,WWW '09 Proceedings of the 18th international conference on World wide web Pages 641-650, 2009.
[5] B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. “Your Botnet is my Botnet: Analysis of a Botnet takeover,” in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), Pages 635-647, 2009.
[6] B. Zdrnja, “Google Chrome and (weird) DNS requests,” https://isc.sans.edu/diary/ Google+Chrome+and+%28weird%29+DNS+requests/10312, 2011.
[7] D. Dittrich and S. Dietrich. “P2p as botnet command and control: a deeper insight,” in Proceedings of the 3rd International Conference on Malicious and Unwanted Software (Malware 2008), Pages 41-48, Oct. 2008.
[8] G. Gu, J. Zhang, and W. Lee. “Botsniffer: Detecting Botnet command and control channels in network traffic,” in Proceedings of Network and Distributed System Security Symposium, 2008.
[9] L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. “Exposure: Finding malicious domains using passive dns analysis,” in Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS 2011), 2011.
[10] M. Antonakakis, R. Perdisci, Y. Nadji, N. Vasiloglou, S. Abu-Nimeh, W. Lee, & D. Dagon, “From throw-away traffic to Bots: detecting the rise of DGA-based malware,“ in Proceedings of the 21th USENIX Security Symposium (USENIX Sec 2012), Pages 491-506, 2012.
[11] M. Feily, A. Shahrestani and S. Ramadass. “A Survey of Botnet and Botnet Detection,” in Proceedings of the 3rd International Conference on Emerging Security Information, Systems and Technologies, Pages 268-273, 2009.
[12] P. Porras, H. Saidi, and V. Yegneswaran, “An analysis of Conficker’s Logic and Rendezvous Points,” Computer Science Laboratory, SRI International, Tech. Rep, 2009.
[13] P. Porras, H. Saidi, and V. Yegneswaran, “Conficker C analysis,” Technical Report, Apr. 2009. [Online]. Available: http://mtc.sri.com/Conficker/addendumC
[14] P. Royal, “On Kraken and Bobax botnets,” Damballa, Inc., Atlanta, GA, 2008 [Online].Available: http://www.damballa.com/downloads/r_pubs/Kraken_Response.pdf
[15] Chris Biemann, “Chinese Whispers - an Efficient Graph Clustering Algorithm and its Application to Natural Language Processing Problems,“ Proceedings of the First Workshop on Graph Based Methods for Natural Language Processing, Pages 73-80, 2006.
[16] Nominum, “DNS-Based DDoS: Diverse Options for Attackers”, Apr. 2015. [Online]. Available:http://www.circleid.com/posts/20150415_dns_based_ddos_diverse_options_for_attackers/
[17] The Abusive Hosts Blocking List. [Online]. Available: http://www.ahbl.org/
[18] The Spamhaus Project. [Online]. Available: http://www.spamhaus.org/
[19] Z. Zhu, G. Lu, Y. Chen, Z. J. Fu, P. Roberts, and K. Han. “Botnet research survey,” in Proceedings of the 32nd Annual IEEE International Computer Software and Applications Conference, Jul. 2008.
[20] S. Shin, G. Gu, N. Reddy, and C. Lee. “A large-scale empirical study of conficker,” IEEE Transactions on Information Forensics and Security, Apr. 2012.
[21] S. Yadav, A. K. K. Reddy, A. L. Reddy, and S. Ranjan, "Detecting algorithmically generated malicious domain names," in 10th ACM SIGCOMM conference on Internet measurement, Pages 48-61, 2012.
[22] Longest Common Subsequence, [Online]. Available: https://en.wikipedia.org/wiki/Longest_common_subsequence_problem
[23] Sheng-Yu Chen, Hui-Tang Lin. “Botnet Detection Based on Similarity of DNS Group Queries”, Institute of Computer & Communication Engineering, National Cheng Kung University, Thesis for Master of Science, July 2014.
[24] Tzy-Shiah Wang, Hui-Tang Lin. “Cyber-Attack Detection and Defense Based on Spectral Analysis and Community Structure Recognition”, Institute of Computer & Communication Engineering, National Cheng Kung University, Dissertation for Doctor of Philosophy, January 2017.
[25] RI Griffiths, AS Whiteley, AG O'Donnell. “Rapid method for coextraction of DNA and RNA from natural environments for analysis of ribosomal DNA-and rRNA-based microbial community composition,” Appl. Environ. Microbiol. Pages 5488-5491, vol. 66 no. 12, December 2000
[26] Bert L. Jackson.” Remove s3 amazonaws Virus (July 2017 Update),” 2017[Online]. Available: https://howtoremove.guide/remove-s3-amazonaws-virus/
[27] Daniel Contreras.” What is the Amazonaws Virus and how to remove it” 2016, [Online]. Available: https://theusbport.com/amazonaws-virus-remove/18145