| Graduate student: | 謝佩如 Hsieh, Pei-Ju |
|---|---|
| Thesis title: | 利用流量特徵分析偵測HTTP型態殭屍網路之研究 (HTTP Botnet Detection by Traffic Characteristics Analysis) |
| Advisor: | 林輝堂 Lin, Hui-Tang |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering |
| Year of publication: | 2014 |
| Academic year of graduation: | 102 (ROC academic year) |
| Language: | Chinese |
| Number of pages: | 52 |
| Keywords (Chinese): | 殭屍網路, 流量特徵, 隨機時間週期 (botnet, traffic features, random time period) |
| Keywords (English): | Botnet, traffic features, random time periodic |
In today's information society the Internet has become an indispensable part of daily life. Its convenience and immediacy mean that a great deal of personal private information and financial data circulates on the Internet, which in turn gives rise to a wide range of worrying security hazards. Botnets are among the most alarming of the known network security issues: the botmaster need only publish commands to the command-and-control (C&C) server over the network to direct the bots under its control to carry out a string of cybercrimes, such as stealing user information, sending spam, spreading malware, and launching Distributed Denial of Service (DDoS) attacks.

In response to this growing threat, this study takes the HTTP-based botnet, the stealthiest type of botnet in use today, as its main research object. HTTP botnets use the Hypertext Transfer Protocol (HTTP) as their transport protocol. Because HTTP traffic runs over port 80, firewalls rarely block it outright, and because most port-80 traffic is legitimate, HTTP botnet traffic is more covert, spreads more easily, and is harder for users to detect than the traffic of other botnet types.

By observing the traffic characteristics of HTTP botnets, this study proposes a detection system that does not need to parse packet contents in detail but relies only on flow-level information such as packet headers to determine whether a botnet is present. The aim is to find a method that effectively distinguishes HTTP bot traffic from a large volume of normal traffic, so that botnets can be detected and defended against.
To counter the threat of HTTP botnets, this thesis proposes a detection scheme based on the flow characteristics observed in HTTP botnet traffic. The scheme detects the presence of bots accurately without inspecting packet payloads. It also addresses the problem that connections between bots and the C&C server are not strictly periodic (the bots poll at randomized intervals), and presents an effective method for separating HTTP botnet traffic from a large volume of normal traffic.
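The abstract describes two ideas that are easy to lose in the summary: working from header-level flow records only (timestamps, addresses, ports, sizes, no URL or payload), and tolerating bots that poll the C&C server at randomized rather than fixed intervals. The following script is an added illustration of that kind of analysis and is not the thesis's own code or method; it uses the relative dispersion (coefficient of variation) of inter-connection gaps and request sizes per (client, server) pair, a generalization of the abstract's point that a jittered beacon still looks far more regular than human browsing. The flow records, the 0.5 and 0.2 thresholds, and the minimum connection count are constructed assumptions for the example.

```python
"""Header-only beacon detection over constructed HTTP flow records.

Added illustration, not the thesis's code. All inputs below are constructed,
and the thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed inter-connection gaps (seconds). The "bot" polls roughly every
# 60 s with jitter; the "user" browses at irregular, bursty intervals.
BOT_INTERVALS = [55, 63, 58, 66, 60, 57, 62, 59]
USER_INTERVALS = [3, 120, 7, 900, 2, 45, 400, 11]
USER_BYTES = [410, 1200, 380, 2900, 510, 760, 3300, 420, 640]


def _series(start, intervals):
    """Turn a start time and a list of gaps into absolute timestamps."""
    times = [start]
    for gap in intervals:
        times.append(times[-1] + gap)
    return times


# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, request_bytes).
# Only header-level fields are present; nothing here requires payload inspection.
FLOWS = (
    [(t, "10.0.0.5", "203.0.113.10", 80, 312) for t in _series(1000, BOT_INTERVALS)]
    + [(t, "10.0.0.7", "198.51.100.20", 80, b)
       for t, b in zip(_series(1000, USER_INTERVALS), USER_BYTES)]
    # A host with too few connections to judge; it must not be flagged.
    + [(1000, "10.0.0.9", "203.0.113.10", 80, 312),
       (1060, "10.0.0.9", "203.0.113.10", 80, 312)]
)


def group_by_pair(flows, port=80):
    """Bucket flows by (client, server) pair, keeping only the chosen port."""
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        if dport == port:
            groups[(src, dst)].append((ts, nbytes))
    return groups


def cv(values):
    """Coefficient of variation (population stdev / mean); 0 for a constant series."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def pair_features(records):
    """Per-pair timing and size features computed from headers only."""
    records = sorted(records)
    times = [ts for ts, _ in records]
    sizes = [n for _, n in records]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "count": len(records),
        "period_s": mean(gaps),       # estimated polling period
        "interval_cv": cv(gaps),      # low even when the period is jittered
        "size_cv": cv(sizes),         # bots tend to send near-identical requests
    }


def detect_beacons(flows, min_conns=6, max_interval_cv=0.5, max_size_cv=0.2):
    """Return (src, dst, features) for pairs whose traffic looks like C&C polling.

    Thresholds are assumptions for this example; a deployment would tune them
    on its own baseline traffic.
    """
    hits = []
    for (src, dst), records in group_by_pair(flows).items():
        if len(records) < min_conns:
            continue
        f = pair_features(records)
        if f["interval_cv"] <= max_interval_cv and f["size_cv"] <= max_size_cv:
            hits.append((src, dst, f))
    return sorted(hits, key=lambda h: h[:2])


if __name__ == "__main__":
    for src, dst, f in detect_beacons(FLOWS):
        print(f"{src} -> {dst}: {f['count']} conns, period ~{f['period_s']:.0f}s, "
              f"interval CV {f['interval_cv']:.3f}, size CV {f['size_cv']:.3f}")
```

On the constructed data the bot pair has an interval CV of about 0.055 and a size CV of 0, while the browsing pair's interval CV is above 1.0, so only the bot is reported; the two-connection host is skipped because there is not enough evidence to compute a meaningful dispersion. The same grouping and features can be fed from NetFlow or pcap header summaries, since nothing above looks at request bodies.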