| Field | Value |
|---|---|
| Student | 陳勝裕 Chen, Sheng-Yu |
| Thesis title | 植基於網域查詢群體行為相似度之殭屍網路偵測機制 (Botnet Detection Based on Similarity of DNS Group Queries) |
| Advisor | 林輝堂 Lin, Hui-Tang |
| Degree | Master |
| Department | Institute of Computer & Communication Engineering, College of Electrical Engineering and Computer Science |
| Year of publication | 2014 |
| Academic year of graduation | 102 (ROC calendar, i.e. 2013/14) |
| Language | Chinese |
| Pages | 49 |
| Keywords (Chinese) | 殭屍網路、網域產生演算法 |
| Keywords (English) | Botnet, Domain Generation Algorithm |
| Record statistics | Views: 66, Downloads: 1 |
Abstract (translated from the Chinese):

The rapid growth of the Internet has driven industrial change and made everyday life more convenient, and the public's dependence on the network increases daily; yet with such widespread use, users' information security has not kept pace. In recent years Taiwan has consistently been one of the Asian countries most severely affected by network attacks, including theft of personal data, spam campaigns and denial-of-service attacks. Among these, botnets are one of the most damaging threats in today's network environment. A botnet is a group of computers compromised through various infection vectors; beyond the theft of private data from the infected hosts, the botnet's controller goes further and uses these zombie machines for illegal activity, which has made botnets the most pressing problem facing security defenders.

As detection and defense mechanisms against botnets have continually been proposed, botmasters, seeking to raise their botnets' survival rate, have begun to evade tracking by changing their signatures and adjusting their communication strategies. The DGA (Domain Generation Algorithm) botnet is one of the forms that has emerged in recent years: the command-and-control server with which the bots communicate keeps changing its domain name, and each infected bot periodically generates a large list of domains, which prevents defenders from observing and tracing the abnormal traffic within a short time and greatly improves survivability over the traditional IRC-type botnet. However, because an infected host issues a large number of domain queries while searching for its control server, this study takes this group behavior as the feature on which hosts are clustered, and finally detects DGA botnets from the query structure of the group. In a real network environment the study needs to analyze only one hour of DNS (Domain Name System) traffic to detect the DGA-type botnets within it, achieving accurate botnet detection, reducing malicious attacks and protecting users' information security.
English abstract:

Many convenient services have been developed for people with the growth of the Internet in recent years, but users usually ignore network security issues. Among current network security issues, botnets have become the biggest threat. A botnet is a group of infected computers, and the botmaster uses these computers for illegal activity. To increase a botnet's survival rate and keep it from being detected by defenders, DGA botnets were created: every bot generates large numbers of domain names and changes C&C server frequently to avoid detection, and each change of C&C server produces a large number of domain queries. Based on this group behavior we can cluster the bots together, and finally detect the DGA botnet from the group's query structure. This research requires only one hour of DNS log, and can then detect a variety of DGA botnets. The results show that there are at least 3 kinds of DGA botnet on the NCKU campus network. In conclusion, this research can detect botnets in order to prevent malicious attacks and protect users' information security.
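The group-query idea in the abstracts, as an added illustration that is not code from the thesis: over a one-hour window of resolver log lines, each client's set of names that failed to resolve is collected, clients whose failed-name sets overlap (Jaccard similarity at or above a threshold, joined by single linkage) are grouped, and groups of two or more clients that together failed on at least a minimum number of names are reported. The log line format, the restriction to NXDOMAIN answers (assuming that most algorithmically generated names are never registered), the thresholds, the client addresses and every domain name below are assumptions constructed for the example; the thesis's own features and clustering method are not reproduced here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

WINDOW_START = datetime(2014, 3, 1, 10, 0, 0)  # assumed start of the one-hour window

# Constructed, DGA-looking names; none of these is a real domain.
DGA_NAMES = [
    "ycxqwe8kz.net", "p0lm3rtzq.com", "vb7ksdq2o.org", "hq9zxw1ue.net",
    "lm4ptrx0c.com", "dz8ywqk3n.biz", "oe2rtvm7s.info", "kw5nbqz9j.com",
    "ux1mdrq6p.net", "sr3hvkz2w.org", "ja7pqxn4e.com", "tf0cwlz8y.net",
]
BENIGN_NAMES = ["ncku.edu.tw", "www.example.org", "mail.example.com", "cdn.example.net"]


def build_sample_log():
    """Constructed one-hour resolver log: three infected hosts and two clean ones.
    Assumed line format: "<ISO timestamp> <client IP> <queried name> <rcode>"."""
    lines = []

    def emit(offset_s, client, name, rcode):
        ts = (WINDOW_START + timedelta(seconds=offset_s)).isoformat()
        lines.append(f"{ts} {client} {name} {rcode}")

    # Each bot walks an overlapping slice of the same generated list; only the
    # one name the botmaster registered (DGA_NAMES[5]) resolves, the rest fail.
    bots = {"10.0.0.11": DGA_NAMES[0:9], "10.0.0.12": DGA_NAMES[2:11], "10.0.0.13": DGA_NAMES[3:12]}
    for i, (ip, names) in enumerate(bots.items()):
        for j, name in enumerate(names):
            emit(60 * j + i, ip, name, "NOERROR" if name == DGA_NAMES[5] else "NXDOMAIN")
    # Clean hosts resolve ordinary names and each mistypes one name.
    for i, ip in enumerate(["10.0.0.21", "10.0.0.22"]):
        for j, name in enumerate(BENIGN_NAMES):
            emit(120 * j + i, ip, name, "NOERROR")
        emit(3000 + i, ip, f"typo{i}.example.com", "NXDOMAIN")
    # A failed lookup after the window closes; the window filter must drop it.
    emit(3700, "10.0.0.21", DGA_NAMES[1], "NXDOMAIN")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, client, name, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, name.lower().rstrip("."), rcode))
    return records


def failed_names_per_client(records, start=WINDOW_START, hours=1):
    """Map client -> set of names it failed to resolve inside [start, start + hours)."""
    end = start + timedelta(hours=hours)
    failed = defaultdict(set)
    for ts, client, name, rcode in records:
        if start <= ts < end and rcode == "NXDOMAIN":
            failed[client].add(name)
    return failed


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def group_clients(client_names, threshold):
    """Single-linkage grouping via union-find: two clients are linked when the
    Jaccard similarity of their failed-name sets reaches the threshold, and a
    group is the transitive closure of such links."""
    parent = {c: c for c in client_names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(list(client_names), 2):
        if jaccard(client_names[a], client_names[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for c in client_names:
        groups[find(c)].add(c)
    return list(groups.values())


def detect_dga_groups(log_text, start=WINDOW_START, threshold=0.5, min_members=2, min_names=5):
    """Return [(sorted member IPs, sorted failed names seen by the group)] for
    every group with at least min_members clients and min_names failed names."""
    failed = failed_names_per_client(parse_log(log_text), start)
    suspicious = []
    for group in group_clients(failed, threshold):
        if len(group) < min_members:
            continue
        names = set().union(*(failed[c] for c in group))
        if len(names) >= min_names:
            suspicious.append((sorted(group), sorted(names)))
    return suspicious


if __name__ == "__main__":
    for members, names in detect_dga_groups(build_sample_log()):
        print(f"suspected DGA group {members}: {len(names)} shared failed names")
```

In the constructed log the first and third bot overlap too little to be linked directly (Jaccard 5/11), but both overlap the second bot above the 0.5 threshold, so single linkage still places all three in one group while the two clean hosts stay singletons. Restricting to failed lookups is what keeps clean hosts apart: without it, every host on a campus shares popular names such as ncku.edu.tw and the similarity measure would group them all.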