隨著電腦技術的成長與網路的快速發展，駭客攻擊的手法也越來越多樣化，而其中殭屍網路結合電腦病毒、蠕蟲與木馬程式的技術與特性，堪稱為惡意程式的集大成之作。
而隨著各種偵測與防禦技術的誕生，殭屍網路也不斷在成長與進化。架構上從早期的中央式集中管理架構變成分散式管理架構，複合Fast-flux、DGA等技術，使偵測更為不易；而傳輸的管道也從IRC頻道演變成透過UTP或TCP等標準協定傳輸，近期更是架構於社交網路之上，使惡意程式的傳輸更為廣泛；行為上從早期的偷取資料，到控制殭屍網路發動DDOS攻擊，乃至於演化成勒索軟體、APT攻擊的前置作業等等，攻擊手法的多元化，也使得偵測與防禦更加困難，即使殭屍網路已經有十年以上的發展歷史，在資訊安全上的危險程度仍然有增無減。
目前世面上的防毒軟體大部分採用特徵碼偵測的方式，當惡意程式稍有變化則須經過一段時間蒐集樣本並採取新的特徵値，雖然對於一般使用者而言已經足夠安全，但無法即時偵測新型的惡意程式仍舊是其無可避免的弱點。針對這點，也已經有許多研究提出透過偵測網路連線或主機行為的異常，來彌補特徵碼偵測的不足。儘管這些研究已經有很不錯的偵測效率，但在實用性上仍然有其不足之處。
本研究嘗試從不同的角度切入，透過以觀察主機port state的變化作為trigger，並以時間關聯性驅動追蹤模組、行為分析模組與NetFlow Event模組，提出一個基於port monitor的複合型惡意程式偵測框架，預期能夠在感染初期就快速有效的判斷並採取相對應的防禦措施。

With the rapid development of computer technology and the growth of the Internet, methods of hacking attack are increasingly diverse. Of which botnet combined of technology and characteristics of computer viruses, worms and Trojan horses. It can be said that a masterpiece of malware. With the birth of a variety of detection and prevention techniques, botnets are constantly growing and evolution. Even though the botnet has more than ten years of development history, the degree of risk in information security remains unabated.

Currently most of the world face antivirus software uses signature detection methods. When malware slight change, a period of time shall be taken to collect samples and extract new features. Although it is safe enough for the general users, but not readily detect the new kind of malware is still its inevitable weaknesses. On this point, there have been many studies made by detecting abnormal network connection or host behavior to make up for the lack of signature detection. Although these studies have been very well detection efficiency, but still has its shortcomings practically.

This study attempts from a different point of view, through the host port state changes observed as a trigger, and use the relevance of time to drive the tracing module, behavior analysis module and NetFlow event module. Proposed a hybrid botnet malware detection framework based on port monitor, which is able to quickly and effectively diagnose and take corresponding defensive measures in the initial infection.

[1] Anestis Karasaridis, Brian Rexroad, David Hoeflin, “Wide-scale Botnet Detection and Characterization,” Proceeding HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, Pages 7-7, 2007
[2] Brett Stone-Gross, Marco Cova, Bob Gilbert, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna, “Analysis of a Botnet Takeover,” IEEE Security & Privacy, Volume 9, Issue 1, pp.64-72, 2010
[3] Chao Dai, Jianmin Pang, Xiaochuan Zhang, Guanghui Liang, Hong Bai, “ A Novel Information Fusion Model for Assessment of Malware Threat,” International Journal of Security and Its Applications, Vol. 10, No. 5, pp.1-16, 2016
[4] Christian Seifert, Ramon Steenson, Ian Welch, Peter Komisarczuk, Barbara Endicott Popovsky, ”Capture – A behavioral analysis tool for applications and documents,” Digital Investigation: The International Journal of Digital Forensics & Incident Response, Volume 4, pp.23-30, 2007
[5] Chunyong Yin, Ali A. Ghorbani, “P2P Botnet Detection Based on Association between Common Network Behaviors and Host Behaviors,” International Conference on Multimedia Technology (ICMT), pp.5010-5012, 2011
[6] David Zhao, Issa Traore, Bassam Sayed, Wei Lu, Sherif Saad, Ali Ghorbani, Dan Garant, “Botnet detection based on traffic behavior analysis and flow intervals,” Computers and Security, Volume 39, pp.2-16, 2013
[7] E. Ilavarasan, K. Muthumanickam, ” A Survey on Host-Based Botnet Identification,” International Conference on Radar, Communication and Computing (ICRCC), pp.166-170, 2012
[8] Farhood Farid Etemad, Payam Vahdani, ” Real-Time Botnet Command and Control Characterization at the Host Level,” 6th International Symposium on Telecommunications (IST), pp.1005-1009, 2012
[9] Giovanni Bottazzi, Gianluigi Me, “A Survey on Financial Botnets Threat,” Communications in Computer and Information Science, Volume 534, pp.172-181, 2015
[10] H. Binsalleeh, T. Ormerod, A. Boukhtouta, P. Sinha, A. Youssef, M. Debbabi, L.Wang, “On the Analysis of the Zeus Botnet Crimeware Toolkit,” Eighth Annual International Conference on Privacy, Security and Trust (PST), pp.31-38, 2010
[11] K. Muthumanickam, E. Ilavarasan, “P2P Botnet Detection: Combined Host- and Network-Level Analysis,” Third International Conference on Computing Communication & Networking Technologies (ICCCNT), pp.1-5, 2012
[12] Matija Stevanovic, Jens Myrup Pedersen, “An analysis of network traffic classification for botnet detection,” International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), pp.1-8, 2015
[13] Mohammad M. Masud, Tahseen Al-khateeb, Latifur Khan, Bhavani Thuraisingham, Kevin W. Hamlen, “Flow-based Identification of Botnet Traffic by Mining Multiple Log files,” First International Conference on Distributed Framework and Applications, pp.200-206, 2008
[14] Netstat [Online] http://linux.die.net/man/8/netstat
[15] Nikolai Hampton, Zubair A. Baig, “Ransomware: Emergence of the cyber-extortion menace,” 13th Australian Information Security Management Conference, pp.47-56, 2015
[16] OSSEC [Online] http://ossec.github.io/ docs/
[17] Pedram Amini, Muhammad Amin Araghizadeh, Reza Azmi, “A Survey on Botnet: Classification, Detection and Defense,” International Electronics Symposium (IES), pp.233-238, 2015
[18] Rafael A. Rodríguez-Gómez, Gabriel Maciá-Fernández, Pedro García-Teodoro, “Survey and Taxonomy of Botnet Research through Life-Cycle,” ACM Computing Surveys (CSUR), Volume 45, Issue 4, 2013
[19] Ransomware Tracker [Online] https://ransomwaretracker.abuse.ch/
[20] Sakshi Bansal, Mir Qaiser, Shefali Khatri, Anchit Bijalwan, “Botnet Forensics Framework: Is your System a Bot,” Second International Conference on Advances in Computing and Communication Engineering (ICACCE), pp.535-540, 2015
[21] Sergio S.C. Silva, Rodrigo M.P. Silva, Raquel C.G. Pinto, Ronaldo M. Salles, “Botnets: A survey,” Computer Networks: The International Journal of Computer and Telecommunications Networking, Volume 57, Issue 2, pp.378-403, 2013
[22] Sreenivas Sremath Tirumala, Hira Sathu, Abdolhossein Sarrafzadeh, “Free and open source intrusion detection systems: A study,” International Conference on Machine Learning and Cybernetics (ICMLC), Volume 1, pp.205-210, 2015
[23] Testbed@NCKU [Online] https://www.testbed.ncku.edu.tw
[24] Virustotal [Online] https://www.virustotal.com/
[25] Xiaonan Zang, Athichart Tangpong, George Kesidis, David J. Miller, “Botnet Detection Through Fine Flow Classification,” CSE Dept Technical Report No. CSE11-001, 2011
[26] Yousof Al-Hammadi, Uwe Aickelin, “Behavioural Correlation for Detecting P2P Bots,” Second International Conference on Future Networks (ICFN), pp.323-327, 2010
[27] Yuede Ji, Yukun He, Qiang Li, Dong Guo, “BotCatch: A Behavior and Signature Correlated Bot Detection Approach,” IEEE 10th International Conference on High Performance Computing and Communications & IEEE International Conference on Embedded and Ubiquitous Computing (HPCC_EUC), pp.1634-1639, 2013
[28] Yuede Ji, Yukun He, Xinyang Jiang, Qiang Li, “Towards Social Botnet Behavior Detecting in the End Host,” 20th IEEE International Conference on Parallel and Distributed Systems (ICPADS), pp.320-327, 2014
[29] ZeuS Tracker [Online] https://zeustracker.abuse.ch/
[30] 吳培銘(2015)，「基於Net-DPIS之效能改良：設計與實作一網路流量分類之快取機制」，國立成功大學電腦與通信工程學系碩士論文
[31] 郭鎮穎(2015)，「設計與實作基於NetFlow的網路入侵偵測系統」，國立成功大學電腦與通信工程學系碩士論文