| Graduate student: | 江瑞偉 Chiang, Jui-Wei |
|---|---|
| Thesis title: | 適應性惡意網域偵測系統之研究與實作 Research and Implementation of Adaptive Detection System for Fast-Flux Service Networks |
| Advisor: | 林輝堂 Lin, Hui-Tang |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering |
| Year of publication: | 2011 |
| Graduating academic year: | 99 |
| Language: | Chinese |
| Pages: | 70 |
| Chinese keywords: | Botnet (殭屍網路), Genetic Algorithm (基因演算法), Fast-Flux Service Networks |
| Foreign-language keywords: | Botnet, Genetic Algorithm, Fast-Flux Service Networks |
With the rapid growth of the Internet, network security has become an important issue that cannot be ignored. Among these issues, the botnet threat is the most serious. A botnet is built by cyber criminals who use virus propagation to intrude into host computers and then use them for various network attacks, such as distributed denial-of-service (DDoS) attacks, sending malicious e-mail, and stealing private data. Today, to raise the survival rate of their botnets and avoid being caught by law enforcement agencies, cyber criminals use a domain technique called Fast-Flux Service Networks within the botnet architecture to hide their tracks, so that investigators cannot clearly trace their true location. Therefore, the main purpose of this research is to develop an adaptive malicious domain detection technique that finds new detection feature values to replace the old ones, and to detect and track this Fast-Flux Service Networks technique. This adaptive malicious domain detection technique uses a genetic algorithm to find the optimal detection strategy within the allowed time complexity. Experimental data show that applying this optimal detection strategy greatly alleviates the problem of detection delay, and that the designed detection mechanism can be dynamically adjusted according to the variant feature behaviours produced by new Fast-Flux Service Networks techniques, achieving a high detection accuracy.
Network security has been one of the most discussed topics on the Internet. Among all current network security issues, botnets (zombie networks) have been the biggest threat. Botnets are an attack mechanism used by cyber criminals to intrude into computers by spreading viruses, and they are used to perform illegal activities such as Distributed Denial of Service (DDoS) attacks, distributing malicious emails, and stealing private data. In order to increase the survival rate of botnets and to prevent them from being discovered by law enforcement, cyber criminals today employ Fast-Flux Service Networks technology to hide their trace. The purpose of this research is to develop an adaptive malicious domain detection technology that can be used to detect and track Fast-Flux Service Networks. This malicious domain detection technology applies a genetic algorithm to generate an optimal detection strategy under a limited time complexity. According to the analysis of our research results, we conclude that this optimized detection strategy can largely decrease the delays in malicious domain detection. When dealing with new Fast-Flux networks and their mutated behavior, this technology can also dynamically adjust its detection mechanism in order to achieve the highest detection accuracy.
On-campus access: public from 2016-09-02