National Digital Library of Theses and Dissertations in Taiwan

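Graduate student: 曾瑞瑜
Graduate student (English): Jui-Yu Tseng
Thesis title: 以活動關連為基礎的IRC殭屍網路偵測
Thesis title (English): IRC Botnet Detection Based on Activity Correlation
Advisor: 鄭憲宗
Advisor (English): Sheng-Tzong Cheng
Degree: Master's
Institution: National Cheng Kung University
Department: Department of Computer Science and Information Engineering (Master's and Doctoral Program)
Discipline: Engineering
Field: Electrical Engineering and Computer Science
Thesis type: Academic thesis
Publication year: 2009
Academic year of graduation: 97
Language: Chinese
Number of pages: 62
Chinese keywords (translated): IRC botnet; IRC intrusion detection system
English keywords: IRC IDS; IRC botnet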
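Botnet attacks are among the most serious network security threats of recent years. Current network security research and products can effectively detect traditional threats such as viruses, worms and Trojans, but they have great difficulty with complex scenario attacks and compound attacks such as botnets. To control a large number of bots (compromised computers) efficiently, the botmaster (the attacker who owns the bots) uses a public service as the medium for delivering commands (the command and control channel); the IRC service is currently a common command and control channel. Once a bot receives a command, it performs the corresponding action.
This thesis targets the IRC command and control channel. By analyzing IRC messages and using two characteristics of bots, (1) group activity and (2) homogeneous response, it detects bot activity within a local area network. From the collective behavior of large numbers of bots and their homogeneous responses on the command and control channel, the thesis can detect (1) bots within the LAN and (2) malicious IRC servers within the LAN.
With the method proposed in this thesis, we can achieve the following goals: (1) detect the IRC servers used by the compromised hosts (bots) and, with follow-up analysis, identify the attacker (the botmaster); (2) detect the bots inside the LAN and remove the bot malware. The proposed method can detect a botnet before it launches an attack (for example, distributed denial of service or spam) and causes serious harm, thereby achieving advance prevention.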
Recently, botnets have become one of the most severe threats on the Internet because they are hard to prevent and cause huge losses. Prior intrusion detection system research focused on traditional threats such as viruses, worms and Trojans. However, traditional intrusion detection systems have limited ability to defend against scenario attacks and complicated attacks, so they cannot detect botnet activities before botmasters launch the final attack. In a botnet attack, in order to control a large number of compromised hosts (bots), botmasters use a public Internet service as the communication and control channel (C&C channel). IRC (Internet Relay Chat) is the most popular communication service that botmasters use to send their commands to bots. Once bots receive commands from botmasters, they perform the corresponding abnormal actions.
In this thesis, we focus on abnormal IRC traffic analysis and use two unique characteristics of botnets, “Group Activity” and “Homogeneous Response”, to detect abnormal botnet activities in a LAN. We develop an IRC IDS to detect abnormal IRC behavior. With the proposed system, abnormal IRC traffic can be detected, and we can (1) identify the infected hosts (bots) before the botmaster launches the final attack (e.g. DDoS or phishing) and (2) find the malicious IRC server in the LAN in real time. The experiments show that the proposed system can indeed detect abnormal IRC traffic and prevent botnet attacks.
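Chapter 1: Introduction
1.1 Research Background
1.2 Research Objectives
1.3 Research Motivation
1.4 Thesis Organization
Chapter 2: Background and Related Work
2.1 Background
2.1.1 Bots
2.1.2 Botnets
2.1.3 Types of Botnets
2.2 Related Work on Botnet Detection
Chapter 3: System Architecture
3.1 Overview of the System Architecture
3.2 IRC IDS Implementation Steps
3.3 Ultimate Goal: Traceback
3.4 Detection Effectiveness
Chapter 4: Experimental Results
4.1 Sources of Normal IRC Traffic
4.2 Misclassification Rate Calculation
Chapter 5: Conclusion
References
Appendix: Snort Rules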