| Graduate student: | 鄭瑋宗 Cheng, Wei-Tsung |
|---|---|
| Thesis title: | 偵測DGA型態殭屍網路之研究與實作 Research and Implementation of DGA-based Botnet Detection |
| Advisor: | 林輝堂 Lin, Hui-Tang |
| Degree: | Master |
| Department: | Institute of Computer & Communication Engineering, College of Electrical Engineering and Computer Science |
| Year of publication: | 2013 |
| Academic year of graduation: | 101 |
| Language: | Chinese |
| Number of pages: | 71 |
| Chinese keywords: | 殭屍網路, 網域產生演算法, X-means分群演算法 (botnet, domain generation algorithm, X-means clustering algorithm) |
| Foreign keywords: | Botnet, Domain Generation Algorithm, X-means Clustering |
The Internet provides a great many convenient services, yet people who use them neglect many information security problems. Among these, botnets are currently the most threatening information security problem: a botnet operator needs only the Internet to carry out data theft, spam distribution, malware propagation, phishing site hosting, distributed denial of service (DDoS) and other malicious activities. To raise their survival rate, botnets come in many different forms. Among them, Domain Generation Algorithm (DGA) botnets generate multiple control domains with a domain generation algorithm and use the changing control domains to evade investigation, making them one of the mainstream botnet types today. Although DGA botnets have the advantage of high survivability, changing control domains produces a large number of nonexistent domains in the DNS data. Therefore, this study develops a technique for detecting DGA-type botnets mainly by analysing the query records for nonexistent domains in DNS: hosts are clustered on the basis of the botnet's group behaviour features, and finally the identity of each group is determined and the control domain is detected. Because the number of nonexistent domains in DNS is very small, compared with previous research that needed large samples of botnet control domains, communication packet contents and the like, this study needs only a small amount of information to detect DGA botnets. This not only greatly reduces the load and cost of the detection system; the system also achieves a detection accuracy of more than 95%, effectively strengthening network security protection. Finally, the detection system of this study was run on the NCKU campus network. Over a five-day detection period it detected 12 hosts infected with DGA-type malware and detected their C&C domain. The study can therefore be applied in any subnetwork to reduce the risk of malicious attacks and protect the security of network users.
Today, the ever-changing online services have attracted more and more users to the Internet. However, most users are naive and unaware of the security issues that come with using these services. Among all network security issues, botnets (or zombie networks) have been a major threat. A botmaster controls a botnet to launch attacks such as information stealing, phishing sites, spam mail and distributed denial of service (DDoS). To avoid being detected, many botnets apply a domain generation algorithm (DGA) to increase their survivability. In general, a DGA bot tries to connect to the Command-and-Control (C&C) server by sequentially querying a list of domains generated by the DGA. By doing so, DGA botnets evade detection because the queried C&C domains keep changing. However, a bot usually generates a large number of nonexistent domain queries before it successfully connects to the active C&C server. Therefore, this research develops a DGA-based botnet detection system by analysing nonexistent domains in DNS traffic. According to their domain query behaviour, hosts are classified into a normal group or a malicious group. Unlike previous detection approaches, which need to process a large amount of C&C domain queries and/or perform deep packet inspection on each packet, this research significantly reduces the amount of data to be processed by examining only the nonexistent domain queries, while achieving a 95% detection ratio. Finally, experiments were conducted by applying the proposed system to the NCKU campus network. The results show that the proposed scheme effectively detects many compromised hosts associated with DGA-based botnets that are not detected by the traditional detection system.
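A small detector in the spirit of the approach the abstract summarises: group hosts by shared NXDOMAIN query behaviour, then take the name every member of a group resolves successfully right after its NXDOMAIN run as the C&C candidate. This is an added example, not the thesis's own code; the log lines, IP addresses and domain names are constructed, and the greedy Jaccard grouping stands in for the X-means clustering the thesis uses.

```python
from collections import defaultdict

# Constructed DNS query log (not real traffic): "timestamp client qname rcode".
# 10.0.0.5 is a normal user with a typo; 10.0.0.7 and 10.0.0.9 walk the same generated list.
LOG = """\
1 10.0.0.5 www.ncku.edu.tw NOERROR
2 10.0.0.5 wwwncku.edu.tw NXDOMAIN
4 10.0.0.7 kq3mzp7xq.com NXDOMAIN
4 10.0.0.9 kq3mzp7xq.com NXDOMAIN
5 10.0.0.7 zd0vbw2lp.net NXDOMAIN
5 10.0.0.9 zd0vbw2lp.net NXDOMAIN
6 10.0.0.7 h8trq1ms.org NXDOMAIN
6 10.0.0.9 h8trq1ms.org NXDOMAIN
7 10.0.0.7 p3vxk9q.info NOERROR
7 10.0.0.9 p3vxk9q.info NOERROR
8 10.0.0.9 www.ncku.edu.tw NOERROR
"""

def parse(log):
    """Per-client list of (ts, qname, rcode) in log order."""
    per_client = defaultdict(list)
    for line in log.splitlines():
        ts, client, qname, rcode = line.split()
        per_client[client].append((int(ts), qname, rcode))
    return per_client

def group_hosts(per_client, min_nx=3, min_sim=0.5):
    """Greedy grouping of hosts whose NXDOMAIN sets overlap (Jaccard >= min_sim); hosts with fewer than min_nx NXDOMAINs are treated as typos."""
    groups = []  # (union of members' NXDOMAIN names, member set)
    for client, rows in per_client.items():
        nx = {q for _, q, r in rows if r == "NXDOMAIN"}
        if len(nx) < min_nx:
            continue
        for shared, members in groups:
            if len(shared & nx) / len(shared | nx) >= min_sim:
                shared |= nx
                members.add(client)
                break
        else:
            groups.append((nx, {client}))
    return [members for _, members in groups if len(members) >= 2]

def candidate_cc(per_client, members):
    """Names that every member resolved successfully after its last NXDOMAIN."""
    found = None
    for client in members:
        rows = per_client[client]
        last_nx = max(ts for ts, _, r in rows if r == "NXDOMAIN")
        after = {q for ts, q, r in rows if r == "NOERROR" and ts > last_nx}
        found = after if found is None else found & after
    return found or set()
```

On the constructed log the two bots form one group and p3vxk9q.info is the only name common to both after their NXDOMAIN runs; the typo host stays unflagged.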
Campus access: public from 2018-08-28