| Graduate student: | 李俊皜 Li, Jyun-Hao |
|---|---|
| Thesis title: | 重現殭屍網路感染拓樸之研究 (The Study on Botnet Topology Reconstruction) |
| Advisor: | 楊竹星 Yang, Chu-Sing |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering |
| Year published: | 2011 |
| Academic year of graduation: | 99 (ROC calendar, i.e. 2010-2011) |
| Language: | Chinese |
| Pages: | 66 |
| Chinese keywords (translated): | botnet, infection topology, attack scenario, Testbed |
| English keywords: | Botnet, Attack Scenario, Testbed |
Over the past decade, attacks launched by botnets have seriously affected both the online world and society at large. A botmaster can perform keylogging on bot-infected hosts, steal private data and install adware, or use the bots to send spam and phishing e-mail and to commit click fraud; on command, the botnet can also launch distributed denial-of-service (DDoS) attacks.
Early botnets used the IRC protocol as their communication channel; later, to get past firewalls, they switched to HTTP. To remove the weakness shared by centralized architectures such as IRC and HTTP, they then evolved into robust P2P botnets, and with the recent rise of social networking sites attackers have rewritten their malware into bots that communicate over Facebook or Twitter. Botnet techniques for evading detection, compromising hosts and attacking networks are thus approaching maturity: they change with whichever protocols and applications are in common use, which makes them ever harder to detect and leaves network users exposed to attack.
Defending against botnet attacks first requires a comprehensive understanding of the botnet infection path and attack methods, so that weaknesses can be observed across different botnet attacks and then blocked. This study emulates, on the Testbed@TWISC platform, the scenario in which a botmaster controls bot-infected hosts through a C&C server, and observes and analyzes the botnet infection cycle. Defense tools are deployed on the network devices to detect the attack packets the botnet sends. Finally, the packets collected from the various attacks are analyzed and integrated to reconstruct the botnet's infection and attack scenario.
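The last step of the method above, reconstructing who infected whom from captured traffic, as an added example in Python; this is not code from the thesis. It assumes a flow-record input of the form (time, source, destination, destination port, protocol), an IRC-style C&C listening on TCP 6667, and propagation through a service on TCP 445. Both heuristics (the cc_port destination with the largest fan-in is the C&C; a bot's first C&C contact preceded by an inbound exploit-port connection from an already-active bot names the infector) and the sample flows are constructed for illustration.

```python
"""Reconstruct a botnet infection topology from connection flow records.

Added example, not the thesis's code. Assumptions (constructed for this
illustration): C&C on TCP 6667, propagation via TCP 445, and that the
destination with the most distinct clients on the C&C port is the C&C.
"""
from collections import defaultdict

# Constructed sample flows (not captured data):
# (time_seconds, src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    (0,  "10.0.0.5",  "192.168.1.100", 6667, "tcp"),  # patient zero joins C&C
    (5,  "10.0.0.20", "192.168.1.200", 6667, "tcp"),  # one benign IRC user
    (10, "10.0.0.5",  "10.0.0.7",      445,  "tcp"),  # exploit attempt
    (15, "10.0.0.20", "10.0.0.30",     80,   "tcp"),  # benign web traffic
    (20, "10.0.0.7",  "192.168.1.100", 6667, "tcp"),  # new bot phones home
    (25, "10.0.0.5",  "10.0.0.9",      445,  "tcp"),
    (30, "10.0.0.9",  "192.168.1.100", 6667, "tcp"),
    (35, "10.0.0.30", "10.0.0.7",      445,  "tcp"),  # non-bot SMB, after 10.0.0.7 was already a bot
    (40, "10.0.0.7",  "10.0.0.12",     445,  "tcp"),  # second-generation spread
    (50, "10.0.0.12", "192.168.1.100", 6667, "tcp"),
]


def find_cc_server(flows, cc_port=6667):
    """Return (server_ip, client_count) for the cc_port destination with the
    most distinct clients, or (None, 0) if nothing uses that port."""
    clients = defaultdict(set)
    for _t, src, dst, dport, _proto in flows:
        if dport == cc_port:
            clients[dst].add(src)
    if not clients:
        return None, 0
    server = max(clients, key=lambda ip: (len(clients[ip]), ip))
    return server, len(clients[server])


def first_cc_contact(flows, cc_ip, cc_port=6667):
    """Map each host to the time of its first connection to the C&C server."""
    first = {}
    for t, src, dst, dport, _proto in sorted(flows):
        if dst == cc_ip and dport == cc_port and src not in first:
            first[src] = t
    return first


def reconstruct_infection_edges(flows, cc_ip, cc_port=6667,
                                exploit_port=445, window=600):
    """Return {victim: (infector_ip, exploit_time)} for every host that joined
    the C&C. The infector is the source of the earliest inbound exploit_port
    connection that (a) arrived within `window` seconds before the victim's
    first C&C contact and (b) came from a host that was already a bot at that
    time. A bot with no such connection (patient zero) maps to None."""
    bot_since = first_cc_contact(flows, cc_ip, cc_port)
    edges = {}
    for victim, t_join in bot_since.items():
        candidate = None
        for t, src, dst, dport, _proto in sorted(flows):
            if dst != victim or dport != exploit_port:
                continue
            if not (t_join - window <= t < t_join):
                continue  # too early, or after the victim was already a bot
            if src in bot_since and bot_since[src] < t:
                candidate = (src, t)
                break  # earliest qualifying exploit wins
        edges[victim] = candidate
    return edges


def infection_tree(edges):
    """Group victims under their infector; roots with no known infector
    are listed under the key None."""
    tree = defaultdict(list)
    for victim, link in edges.items():
        parent = link[0] if link else None
        tree[parent].append(victim)
    return {parent: sorted(children) for parent, children in tree.items()}


if __name__ == "__main__":
    cc, n = find_cc_server(SAMPLE_FLOWS)
    print(f"C&C server: {cc} ({n} bots)")
    tree = infection_tree(reconstruct_infection_edges(SAMPLE_FLOWS, cc))
    for parent, children in tree.items():
        print(f"{parent or 'patient zero'} -> {', '.join(children)}")
```

On the constructed data the benign IRC server with a single client is not chosen as C&C, the SMB connection from 10.0.0.30 is ignored because it arrives after 10.0.0.7 already joined the C&C, and 10.0.0.12 is correctly attributed to the second-generation bot 10.0.0.7 rather than to patient zero. With real captures the exploit port, C&C port and window would be taken from what the emulated scenario actually used.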
On-campus availability: public from 2013-08-30