| Graduate student: | 李魚濬 Lee, Yu-Chun |
|---|---|
| Thesis title: | 基於網路安全測試平台重現殭屍網路行為之研究 (The Study of Botnet Behavior Replay on Network Testbed Platform) |
| Advisor: | 楊竹星 Yang, Chu-Sing |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering |
| Year of publication: | 2014 |
| Academic year of graduation: | 102 (ROC calendar, i.e. 2013-2014) |
| Language: | Chinese |
| Pages: | 45 |
| Chinese keywords: | Botnet (殭屍網路), Testbed@TWISC, Wireshark, OSSEC |
| Foreign-language keywords: | Botnet, Testbed@TWISC, Wireshark, Open Source Security |
| Usage: | views: 145, downloads: 0 |
The rapid growth of the Internet has made daily life more convenient, but it has also brought a rising number of network attacks that seriously affect both the online world and society. Among the most common are botnet attacks: the attacker steals private data from infected hosts or installs keyloggers on them, uses them to send large volumes of spam and phishing mail, and can issue commands that make them launch distributed denial-of-service (DDoS) attacks.
Early botnets used the IRC protocol as their communication channel and spread their malware through instant-messaging software. Once firewalls became common, botmasters switched to HTTP, with a central web server controlling the infected hosts. Because the centralized IRC and HTTP architectures are comparatively fragile, P2P botnets were developed to make the structure more robust.
To respond to such attacks, an understanding of botnet behavior is essential. This study reproduces a botnet environment on the Testbed@TWISC platform in which a botmaster controls bots through a C&C server. Packet captures (Wireshark) and host logs (OSSEC) are collected from both normal hosts and bot hosts, and the differences in packet contents and system logs are compared to identify the behaviors and features that appear while a botnet infects a host and carries out attacks. From these, how the host came to be infected can be analyzed and the user told why the host was compromised, which makes it easier for network security administrators to manage host security.
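As an added worked example (not code from the thesis, whose own tooling is Wireshark and OSSEC on Testbed@TWISC), the following Python script applies the comparison the abstract describes to constructed, simplified data: packet summaries in the shape of tshark field output for a clean host and a bot host, and OSSEC-style alert lines for each. It reports the peers only the bot contacts, the peer it contacts at a fixed interval (C&C beaconing), the commands it receives on the IRC channel, the traffic it emits right after each command, and the host-log rules that fire only on the bot. All addresses, the nickname, the channel and command names, and the rule ids and messages are assumptions constructed for the example.

```python
"""Differential behaviour analysis for a replayed bot: compare a clean host with a bot host
on traffic and host logs. Added example; record formats are simplified and all values constructed."""
import re
from collections import defaultdict
from statistics import median

CLEAN_HOST, BOT_HOST = "10.0.0.10", "10.0.0.11"   # assumed addresses

# Constructed packet summaries (not a real capture), shaped like the output of
# `tshark -T fields -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info`.
CLEAN_CAPTURE = """\
0.0\t10.0.0.10\t10.0.0.2\tDNS\tStandard query A www.example.com
0.3\t10.0.0.10\t93.184.216.34\tHTTP\tGET / HTTP/1.1
41.2\t10.0.0.10\t10.0.0.2\tDNS\tStandard query A mail.example.com
"""
BOT_CAPTURE = """\
0.4\t10.0.0.11\t93.184.216.34\tHTTP\tGET / HTTP/1.1
5.0\t10.0.0.11\t10.0.0.99\tIRC\tRequest (NICK): bot-a1f3
5.1\t10.0.0.11\t10.0.0.99\tIRC\tRequest (JOIN): #cnc
35.0\t10.0.0.11\t10.0.0.99\tIRC\tRequest (PRIVMSG): #cnc :.ping
65.0\t10.0.0.11\t10.0.0.99\tIRC\tRequest (PRIVMSG): #cnc :.ping
95.0\t10.0.0.11\t10.0.0.99\tIRC\tRequest (PRIVMSG): #cnc :.ping
95.4\t10.0.0.99\t10.0.0.11\tIRC\tResponse (PRIVMSG): #cnc :.ddos.syn 203.0.113.5 80 60
96.0\t10.0.0.11\t203.0.113.5\tTCP\t40001 > 80 [SYN]
96.0\t10.0.0.11\t203.0.113.5\tTCP\t40002 > 80 [SYN]
96.1\t10.0.0.11\t203.0.113.5\tTCP\t40003 > 80 [SYN]
"""
# Constructed "Rule:" lines in the shape OSSEC writes to alerts.log (ids and messages assumed).
CLEAN_ALERTS = ["Rule: 5501 (level 3) -> 'Login session opened.'"]
BOT_ALERTS = ["Rule: 5501 (level 3) -> 'Login session opened.'",
              "Rule: 554 (level 5) -> 'File added to the system.'",
              "Rule: 550 (level 7) -> 'Integrity checksum changed.'"]

def parse_capture(text):
    rows = []
    for line in text.strip().splitlines():
        t, src, dst, proto, info = line.split("\t", 4)
        rows.append({"t": float(t), "src": src, "dst": dst, "proto": proto, "info": info})
    return rows

def peers(rows, host):
    """(destination, protocol) pairs the host itself initiated."""
    return {(r["dst"], r["proto"]) for r in rows if r["src"] == host}

def beacons(rows, host, min_packets=3, min_gap=1.0, tolerance=0.2, min_share=0.6):
    """Peers contacted at a near-constant interval (C&C heartbeat): most inter-packet gaps
    lie within `tolerance` of the median gap. Sub-second bursts such as a SYN flood are ignored."""
    times = defaultdict(list)
    for r in rows:
        if r["src"] == host:
            times[(r["dst"], r["proto"])].append(r["t"])
    found = {}
    for key, ts in times.items():
        if len(ts) < min_packets:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        med = median(gaps)
        regular = sum(abs(g - med) <= tolerance * med for g in gaps)
        if med >= min_gap and regular / len(gaps) >= min_share:
            found[key] = med
    return found

CMD_RE = re.compile(r"\(PRIVMSG\): (#\S+) :(\.\S+)\s*(.*)")
def cnc_commands(rows, host):
    """Commands the host received on the IRC channel, i.e. the botmaster's instructions."""
    out = []
    for r in rows:
        m = CMD_RE.search(r["info"]) if r["dst"] == host and r["proto"] == "IRC" else None
        if m:
            out.append({"t": r["t"], "channel": m.group(1), "cmd": m.group(2), "args": m.group(3).split()})
    return out

def command_effects(rows, host, commands, window=10.0):
    """Packets the host sent to any IP named in a command within `window` seconds of
    receiving it, tying the attack traffic back to the order that caused it."""
    effects = {}
    for c in commands:
        targets = [a for a in c["args"] if re.fullmatch(r"\d+(\.\d+){3}", a)]
        effects[c["cmd"]] = sum(1 for r in rows if r["src"] == host and r["dst"] in targets
                                and c["t"] <= r["t"] <= c["t"] + window)
    return effects

RULE_RE = re.compile(r"Rule: (\d+) \(level \d+\) -> '([^']*)'")
def new_host_rules(clean_alerts, bot_alerts):
    """OSSEC rules that fired on the bot host but never on the clean host."""
    clean_ids = {m.group(1) for m in map(RULE_RE.search, clean_alerts) if m}
    return [(m.group(1), m.group(2)) for m in map(RULE_RE.search, bot_alerts)
            if m and m.group(1) not in clean_ids]

def diff_report(clean_rows, bot_rows, clean_alerts, bot_alerts):
    cmds = cnc_commands(bot_rows, BOT_HOST)
    return {"new_peers": sorted(peers(bot_rows, BOT_HOST) - peers(clean_rows, CLEAN_HOST)),
            "beacons": beacons(bot_rows, BOT_HOST),
            "commands": [(c["cmd"], c["args"]) for c in cmds],
            "command_effects": command_effects(bot_rows, BOT_HOST, cmds),
            "new_rules": new_host_rules(clean_alerts, bot_alerts)}

if __name__ == "__main__":
    report = diff_report(parse_capture(CLEAN_CAPTURE), parse_capture(BOT_CAPTURE), CLEAN_ALERTS, BOT_ALERTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run it on real testbed data, replace the two capture strings with the output of `tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info` for each host and the alert lists with the `Rule:` lines taken from OSSEC's alerts.log; the thresholds in `beacons()` are starting points that should be tuned against the clean baseline, since legitimate software (update checks, mail polling) also beacons.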
On-campus access: public from 2019-08-27