
Behavior Emulation of P2P Bots

Advisor: 田筱榮

Abstract


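Botnets are one of the major security threats in the networked world. In recent years, botnets have continued to evolve, from centrally controlled IRC and HTTP botnets to decentrally controlled P2P botnets, so existing detection and defense methods cannot effectively stop P2P botnets. Suitable new methods therefore need to be developed, and an appropriate test environment is indispensable during that development. The difficulties of directly using real bot malware to take part in a botnet include: P2P bot malware samples are hard to obtain; samples that are obtained often can no longer connect to the botnet and operate; and P2P bot malware that does operate carries a high security risk. In this research we therefore propose using a behavior emulation environment to support the development of P2P botnet detection and defense mechanisms, and we developed an emulation environment for P2P botnets that emulates the on-host behavior and the network packet traffic of P2P bot malware as recorded in the literature. This P2P bot malware emulation environment accepts parameters according to the user's needs to emulate a variety of possible bot malware packet traffic, providing data for testing the effectiveness of various bot detection and defense mechanisms.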

Parallel Abstract


Botnets are one of the major threats to the cyberworld. In recent years, the operation model of botnets has evolved from the centralized IRC or HTTP botnets to the decentralized P2P botnet. The existing botnet detection or defense mechanisms based on the centralized operation model are not effective in deterring the threats resulting from P2P botnets; thus, new detection or defense mechanisms are needed, and an experiment environment for testing is indispensable. There are several major issues pertaining to the establishment of such an environment with real botnet malware in the wild: the accessibility of the malware, the operability of the obtained malware, and the security risk that may come with it. Therefore, instead of employing real botnet malware, an emulated test environment is proposed and implemented in this thesis. Its design is based on the P2P botnet operation characteristics described in the literature. With properly supplied configuration parameter settings, the emulated environment can facilitate the needed testing in developing detection or defense mechanisms for P2P botnets.


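Cited by


陳彥甫 (2012). Setup of an Automated Botnet Testing Environment and Experiment Execution [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/cycu201201014
劉耕瑋 (2010). Adaptive Defense Mechanism for P2P Bots [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/cycu201001068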
