在這電腦普及的時代，每個人生活及工作上都需要使用到電腦。然而，大部分的使用者只學習如何使用電腦，卻不懂得如何保護電腦。在各個資安部門方面多以安裝防火牆來阻斷外部網路對區網內使用者做連線，並將已知外部惡意網站列為黑名單，阻斷區網內部對其連線。然而在區網內部受感染電腦上惡意程式仍未移除，則受感染電腦可能在區網內部迅速擴散，且外部惡意網站使用動態DNS或fast-fulx技術亦有可能躲過防火牆的阻絕。
在一般傀儡網路研究上，主要有流量異常偵測及擷取傀儡電腦封包分析，抑或滲透進入傀儡網路指揮伺服器瓦解傀儡網路。然而在流量異常方面多等到傀儡網路發動攻擊後才偵測的出來，且已經造成頻寬資源被佔；而傀儡電腦封包分析必須先將封包實施解密，上述兩種方式主要偵測出指揮伺服器位置，再利用防火牆阻斷其聯繫，但此兩種方法均未能偵測出所有受感染主機。而滲透進入傀儡指揮伺服器其非常不易，且進入指揮伺服器後因權限不足也無法指揮移除傀儡程式。
在本文提出了一個運用Agent的架構，以巡邏方式在不同碰撞網域下實施偵測，用以偵測出所有區網內部異常網路流量與發現可能受感染電腦主機，以彌補防火牆無法處理內部流量異常的狀況，亦不會佔用太大的網路資源。並以偵測Posion及junci1兩種木馬型的傀儡程式，發現此兩種傀儡程式的網路行為相似處，將此網路行為定為Agent判斷傀儡網路的規則。
本文第四章對所提出的架構進行討論與分析，確立此架構之可行與運作效能未來將就收集各式傀儡程式的網路行為來強化Agent的偵測能力，增加Agent在其他異常行為的偵測功能。

Recently, the Information Security becomes more important, since users learn how to use computers without realizing how to protect their computers. Security department installs the firewall system to block internet connecting between internet and intranet. However, there are also some other problems. For example, the inside threats or the computer viruses are in the intranet. These viruses infecting computers may spread malware rapidly in the intranet.
In the study of botnets, researchers analyze the packets of botnet’s traffic to trace and penetrate the botnet’s C&C Server or block the communication from bots to the C&C Server. However, these malicious Web sites use the dynamic DNS or fast-flux technologies against the firewall detection and trace C&C Server back. Besides, the abnormal flow might not be generated until the botnet attacks in some cases. Also, the botnet’s packet could be encrypted, so the the content of packets can not be realized. The main procedures of detective methods are to find out the location of the command and control server, and to use the firewall to block the connection. The procedures fail to detect all infected computers. Besides, it is not easy to penetrate into the botnet’s C&C Server to remove bots.
This thesis provides a framework with computer Agent programs to detect anomaly behaviors .To detect in the different collision domain by patrolling, it is able to find out the anomaly traffic and the infected computers. The computer Agent can work with the firewall to locate systems and other security devices. Moreover, these two Trojan botnets, Posion and Junci1 have been introduced in this thesis to rule out the characteristic behaviors for showing the abilities of proposed mechanism of computer Agent in botnet detections.
The chapter four in the thesis brings up the proposed framework for discussions and analyze in examining the feasibility of this framework. Collecting all characteristic of botnet’s, the Agent detective ability could be enhanced, so the detective function of Agent for others could be increased as well.

誌謝 iv
摘要 v
Abstract vi
目錄 vii
表目錄 ix
圖目錄 x
1. 緒論 1
1.1. 研究背景 1
1.2. 研究動機 2
1.3. 研究目的 2
2. 背景知識與文獻探討 4
2.1. 傀儡網路定義 4
2.2. 傀儡網路發展 4
2.3. 傀儡網路分類 5
2.3.1. 傳輸協定區分 5
2.3.2. 指揮架構 6
2.4. 傀儡網路相關研究 14
2.4.1. 利用暱稱相似性來偵測 14
2.4.2. 以網路流量來偵測 14
2.4.3. 使用機器自我學習方式偵測傀儡網路封包 15
2.5. 網路代理人 15
3. 架構設計 16
3.1. 偵測傀儡網路架構 16
3.2. 傀儡網路指揮流程分析 18
3.3. 網路代理人運作流程 21
4. 實驗與分析 23
4.1.1. 方法流程 24
4.2. 實驗環境 25
4.2.1. Aglet平台架設 26
4.2.2. 傀儡網路架設 27
4.2.3. 網路代理人設計 36
4.3. 實驗結果分析 38
4.3.1. Poison Ivy傀儡網路行為封包分析 39
4.3.2. Junci1傀儡網路行為封包分析 41
4.3.3. 結果分析 43
5. 結論與未來工作 46
參考文獻 47
附錄 50
控制代理人程式碼 50
擷取封包代理人程式碼 51
自傳 54

[1] 孫郁興，”電腦病毒科技發展史之研究”，中華科技史學會會刊，第十期，2006。
[2] http://www.cib.gov.tw/news/news02_2.aspx?no=261。
[3] http://www.itis.tw/node/1273。
[4] http://www.runpc.com.tw/content/main_content.aspx?mgo=185&fid=G03。
[5] http://www.libertytimes.com.tw/2010/new/jun/1/today-life8.htm。
[6] http://domynews.blog.ithome.com.tw/trackbacks/1252/36516。
[7] http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project。
[8] http://www.networkworld.com/news/2009/072209-botnets.html。
[9] http://www.tuaw.com/2010/03/20/20-zero-day-security-holes-in-mac-os-x-to-
be-revealed/。
[10] http://www.xssed.org/archive/special=1/page=1/。
[11] http://www.1c3man.com/1c3man/cal9000/cal9000.html#top。
[12] 田筱榮，劉邦威，”P2P殭屍網路之適應防禦機制”，中原大學，桃園。
[13] http://www.symantec.com/norton/theme.jsp?themeid=ibotnet。
[14] http://clubhouse.microsoft.com/Public/Post/d4666a88-8d90-4d6c-9311-07e945
2eebdb。
[15] Dae-il Jang, Minsoo Kim, Hyun-chul Jung, Bong-Nam Noh,” Analysis of HTTP2P Botnet :Case Study Waledac”, Proceedings of the 2009 IEEE 9th Malaysia International Conference on Communications15 -17 December 2009 Kuala Lumpur Malaysia.
[16] http://en.wikipedia.org/wiki/Zeus_%28trojan_horse%29。
[17] Ben Stock, Jan Gobel, Markus Engelberth, Felix C. Freiling, and Thorsten Holz,” Walowdac- Analysis of a Peer-to-Peer Botnet”, European Conference on Computer Network Defense,2009.
[18] L ivadas, C., Walsh, R., Lapsley, D., and Strayer, W. T., “Using Machine Learning Techniques to Identify Botnet Traffic,” Proceedings 2006 31st IEEE Conference on Local Computer Networks, pp. 967-974, 14-16 Nov., 2006.
[19] Daswani, N., Stoppelman, M., and the Google Click Quality and Security Teams, “The Anatomy of Clickbot.A,” http://www.usenix.org/events/hotbots07
/tech/full_papers/daswani/daswani.pdf.
[20] Wang, W., Fang, B. X., Zhang, Z. X., and Li, C., “A Novel Approach to Detect IRC-Based Botnets,” International Conference on Networks Security, Wireless Communications and Trusted Computing, Wuhan, Hubei, pp. 408-411, 25-26 April, 2009.