Graduate student: 陳茂清
Graduate student (English name): Mau-Ching Chen
Thesis title: 一種多階層行為特徵法用於分析與檢測殭屍網路之惡意行為
Thesis title (English): A Multi-layer Behavior Signature Method to Achieve Analysis and Detection Botnet
Advisor: 魯大德
Degree: Master's
Institution: 健行科技大學 (Chien Hsin University of Science and Technology)
Department: Master's Program, Department of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Year published: 2014
Graduation academic year: 102 (ROC calendar, 2013/14)
Language: Chinese
Pages: 54
Keywords (Chinese): 殭屍網路, 入侵偵測, 多階層, 行為分析
Keywords (English): Botnet, Intrusion detection, Multi-layer, Behavior analysis
Record statistics:
  • Cited: 0
  • Views: 92
  • Downloads: 0
  • Bookmarked: 0
The rapid development of information and communication technology and of application services has caused network traffic to expand quickly, and the global spread of e-commerce has put information security under serious challenge. Network attack types change constantly, and among them botnet attacks are the most serious threat to the Internet. How to detect a botnet inside huge volumes of network traffic before the attack takes place has become a major topic for information security researchers. This thesis examines detection methods for different botnet types (IRC, HTTP, P2P and hybrid), analyses the behaviour of these types and of botnet variants, and proposes a multi-layer detection method. Packet traffic is first pre-processed with a whitelist, flow reassembly and a blacklist; the multi-layer detector then applies sequential two-layer behaviour analysis to judge similarity to malicious behaviour, and whenever the behaviour at any layer is not distinct enough it proceeds directly to a packet-signature matching stage. The contributions of this thesis are: 1) the multi-layer architecture reduced the computation required by about half compared with conventional signature analysis in the traffic-load experiment; 2) when behavioural features are indistinct, combining multi-layer signature matching raises accuracy, giving a final detection rate of 97.8% with a false-positive rate of 9.1% and a false-negative rate of 2.2%; 3) the method achieves a higher detection rate for P2P botnets than the traffic entropy function approach; 4) performing behaviour analysis first and signature analysis conditionally afterwards gives fast detection.

Many enterprises create e-commerce, social web or e-learning sites in cloud environments. Botnets try to exploit vulnerabilities in devices and deploy malware programs. There is still an important need to combine intrusion detection technology with a secure mechanism built into the virtual machine framework.
Attackers try to break into virtual machines through three basic attack paths. First, attackers scan for vulnerabilities in the operating system or applications and then install malware programs or rootkits. Second, social engineering is used to make users execute malware programs themselves. Third, attackers infect removable devices so that they execute malware programs.
In this thesis we propose a secure mechanism called the multi-layer behavior signature method. It combines two behavior modules, one per layer, to detect and analyze botnet behaviors in virtual machines. On top of that, we combine white lists, packet correlation and packet clustering with a hybrid virtual machine monitor to discard the detected abnormal actions.
Simulation results showed that the proposed method required less computing time, and its performance is illustrated with a receiver operating characteristic (ROC) curve.


Abstract (Chinese) i
Abstract ii
Acknowledgements iii
Contents iv
List of Tables vi
List of Figures vii
Notation viii
Chapter 1 Introduction 1
1.1 Preface 1
1.2 Motivation and Goals 2
1.3 Organisation of the Thesis 3
Chapter 2 Botnet Network Architecture 3
2.1 Botnet members 4
2.1.1 Bot master (Bot herder) 4
2.1.2 Command and Control Server (C&C Server) 4
2.1.3 Bots 5
2.2 Botnet types 6
2.2.1 IRC Botnet 6
2.2.2 HTTP Botnet 7
2.2.3 P2P Botnet 8
2.2.4 Social Botnet 10
Chapter 3 Related Work 11
3.1 Botnet countermeasures 11
3.2 Host-based intrusion detection 12
3.3 Network-based intrusion detection 12
3.4 Honeypot 13
Chapter 4 Multi-layer Behaviour Analysis 14
4.1 Filter 16
4.2 Flow reassembly 17
4.3 Blacklist matching 21
4.4 Multi-layer behaviour analysis 22
4.5 Multi-layer signature matching 24
Chapter 5 Experiments 25
5.1 Experimental data sources 25
5.1.1 Behaviour database 27
5.1.2 Known botnet signature rule files 31
5.2 Experimental hardware and virtual system configuration 37
5.3 Malicious behaviour detection results 38
5.4 Detection performance tests 46
Chapter 6 Conclusion and Future Work 49
6.1 Conclusion 49
6.2 Future Work 50
References 51
Curriculum Vitae 54



