臺灣博碩士論文加值系統

隨著網際網路的發達，網路犯罪的事件也層出不窮。殭屍網路(Botnet)為近年來
網路犯罪中常被駭客利用作為網路攻擊的手段之一。駭客可以透過所控制的殭屍
網路執行分散式阻斷服務攻擊(DDoS)、身分個資竊取等行為。如何有效地去偵測
殭屍網路成為一個重要的課題，現行有許多如何有效地偵測殭屍網路的研究。然
而這些研究的結果大部分都是透過文字或數字的方式呈現。對於網路管理人員來
講這些資料並不直覺而且需要時間去過濾了解分析這些資料。透過資料視覺化，
有助於觀察出其他資料呈現方式不易察覺的資料特性。本篇論文提出一個視覺化
的架構方便殭屍網路偵測結果資料視覺化，希望能夠透過視覺化的結果激發出更
多對於殭屍網路偵測想法。

In recent years, the cyber-crimes become a significant issue threat everyone on Internet. There are numerous researches about botnet detection, but most of them only
provide the text-based informatics that is not intuitive for humanity cognition. There are trends about leveraging modern Web technology to present a more deep insight
from data itself. Using visualization on bot activities we think can help network operator to disclose more perceptions about their behaviors. We proposed a botnet
visualization framework to apply malicious consequences into a perceptible representation.
The visualization framework uses Node.js and HTLM5 with Jquery to construct a front-end interface. Network log and malicious behaviors are indexing and store in the
Elasticsearch. Besides, we also characterize those traces to build some compendium into a pivot table to promote the query speed in user interactive. With the sustenance
of several viewpoints, we expect our framework can support administrators to identify more sophisticated acumen about botnet activities.

Chapter 1: Introduction 1
Chapter 2: Background 6
2.1 Elasticsearch 6
2.2 Netflow version 5 8
Chapter 3: System Design 9
3.1 System Overview 9
3.2 System Architecture 11
3.3 Process of Three Visualization Views 13
3.3.1 Process of botnet distribution view 13
3.3.2 Process of Botnet Behavior Pattern recognition 15
3.3.3 Process of IPlist Views 17
3.4 Features of Each Component 18
3.4.1 ETL 18
3.4.2 Full-Text Search Engine 18
3.4.3 Pivot table database 18
3.4.4 Front end(Web GUI) 18
Chapter 4: Implementation 19
4.1 Creation of Visualization View Data 20
4.2 Accessing Visualization ViewS 26
Chapter 5: Visualization 27
5.1 Environments 27
5.2 Botnet geospatial distribution 28
5.3 Botnet Behavior Pattern Recognition 30
5.4 IPlist View 33
Chapter 6: Conclusion and Future Work 35
Chapter 7: Reference 36

[1]Feily, Maryam, Alireza Shahrestani, and Sureswaran Ramadass. A survey of botnet and botnet detection. 2009 Third International Conference on Emerging Security Information, Systems and Technologies. IEEE, 2009.
[2]Wang, Wei, et al. A novel approach to detect IRC-based botnets. Networks Security, Wireless Communications and Trusted Computing, 2009. NSWCTC'09. International Conference on. Vol. 1. IEEE, 2009.
[3]Dittrich, David, and Sven Dietrich. P2P as botnet command and control: a deeper insight. Malicious and Unwanted Software, 2008. MALWARE 2008. 3rd International Conference on. IEEE, 2008.
[4]Feily, Maryam, Alireza Shahrestani, and Sureswaran Ramadass. A survey of botnet and botnet detection. 2009 Third International Conference on Emerging Security Information, Systems and Technologies. IEEE, 2009.
[5]Zou, Cliff Changchun, and Ryan Cunningham. Honeypot-aware advanced botnet construction and maintenance. International Conference on Dependable Systems and Networks (DSN'06). IEEE, 2006.
[6]C. Zou and R. Cunningham, Honeypot-aware advanced botnet construction and maintenance, in Proceedings of International Conference on Dependable Systems and Networks (DSN), June 2006.
[7]W.Timothy Strayer , David Lapsely , Robert Walsh ,Carl Livadas Botnet Detection Based on Network Behavior Volume 36 of the series Advances in Information Security 1-24
[8]Binkley, James R., and Suresh Singh. An Algorithm for Anomaly-based Botnet Detection. SRUTI 6 (2006): 7-7.
[9]H. Choi, H. Lee, H. Lee, and H. Kim, “Botnet Detection by Monitoring Group Activities in DNS Traffic, in Proc. 7th IEEE International Conference on Computer and Information Technology (CIT 2007), 2007, pp.715-720.
[10]M. M. Masud, T. Al-khateeb, L. Khan, B. Thuraisingham, K. W.Hamlen, “ Flow-based identification of botnet traffic by mining multiple log file, in Proc. International Conference on Distributed Frameworks ＆ Applications (DFMA), Penang, Malaysia, 2008
[11]G. Gu, R. Perdisci, J. Zhang, and W. Lee, “Botminer: Clustering analysis of network traffic for protocol- and structure independent botnet detection, in Proc. 17th USENIX Security Symposium, 2008
[12]Potter, M.C., Wyble, B., Hagmann, C.E., ＆ McCourt, E.S. (2014). Detecting meaning in RSVP at 13 ms per picture. Attention, Perception, and Psychophysics.Triebel, Rudolph, et al. Intelligent Transportation System.
[13] Elasticsearch, https://www.elastic.co/products/elasticsearch.
[14]Netflow version 5,
http://www.cisco.com/c/en/us/td/docs/net_mgmt/netflow_collection_engine/3-6/user/guide/format.html.
[15]Logstash, https://www.elastic.co/products/logstash.