With advances in networking technology and the spread of the Internet, malicious activity on the network has also grown, for example relaying spam, denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks. Botnets are one of the major components of this malicious activity. A botnet usually consists of three parts: the botmaster, the C&C server (command and control server) and the bots, and the operation of a botnet hinges on the communication among them. Consequently, most published work on detecting and defending against botnets either collects statistics on DNS traffic and uses them to decide whether the traffic is botnet behaviour and thus whether a host has become a bot, or inspects network flows and infers infection from their behaviour. This thesis combines different transport protocols (TCP, UDP), statistics on highly repetitive payloads and specific port numbers, data mining (clustering) and clustering by content keywords into a multi-layered feature extraction scheme that blocks botnet communication. Experimental results show that the multi-layered feature extraction approach achieves complete blocking, avoids the false positives that arise when botnet traffic resembles certain normal behaviour, and, because rule matching is performed per protocol cluster, is faster than detection methods that must examine every feature.
In recent years, malware attacks over the Internet have become more serious, ranging from spam e-mail to denial of service (DoS) and distributed denial of service (DDoS). Botnets have become a significant part of these attacks. In this thesis, we develop a mechanism called the Multi-layered Signatures Analysis and Detection System to detect and analyze botnet signatures, with the objective of identifying botnet behaviors. Botnets, however, exhibit many different behaviors and signatures. Data mining methods are applied to search for, detect and statistically analyze the important signature payloads in TCP and UDP packets. The mechanism lets normal communication patterns that merely resemble botnet behavior pass through, and the system can also identify the traffic flows of botnets.
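As an added illustration (this is not the thesis's own code or data), the following Python sketch shows one way the layered scheme described in the abstract can be realised: packets are first grouped by transport protocol; within each protocol, payloads that recur from several distinct hosts on the same destination port are taken as candidate signatures; the candidates are reduced to content keywords and clustered by the keywords they share; a whitelist of known-benign repetitive traffic is applied so that normal patterns resembling botnet traffic are not flagged; and matching consults only the rule set for the packet's own protocol. The packet records, port numbers, threshold and whitelist are constructed for the example and are assumptions, not values taken from the thesis.

```python
"""Multi-layered signature extraction over constructed packet records.

Layer 1: group packets by transport protocol (TCP / UDP).
Layer 2: inside each protocol, keep (dst_port, payload) pairs that recur
         from at least MIN_SOURCES distinct source hosts.
Layer 3: reduce the recurring payloads to content keywords, drop those that
         match a whitelist of benign repetitive traffic, and cluster the rest
         by the keywords they share on the same port.
Matching then looks only at the rules for the packet's own protocol.
"""
import re
from collections import defaultdict

# Constructed sample traffic: (src_ip, proto, dst_port, payload). Not a real capture.
SAMPLE_PACKETS = [
    ("10.0.0.1", "TCP", 6667, b"PRIVMSG #cmd :!scan 192.168.1.0/24"),
    ("10.0.0.2", "TCP", 6667, b"PRIVMSG #cmd :!scan 192.168.1.0/24"),
    ("10.0.0.3", "TCP", 6667, b"PRIVMSG #cmd :!scan 192.168.1.0/24"),
    ("10.0.0.4", "TCP", 6667, b"PRIVMSG #cmd :!ddos 203.0.113.9 80"),
    ("10.0.0.5", "TCP", 6667, b"PRIVMSG #cmd :!ddos 203.0.113.9 80"),
    ("10.0.0.6", "TCP", 6667, b"PRIVMSG #cmd :!ddos 203.0.113.9 80"),
    # Repetitive but normal: many hosts fetching the same page.
    ("10.0.0.1", "TCP", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.2", "TCP", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.3", "TCP", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Identical UDP beacon from several hosts.
    ("10.0.0.7", "UDP", 7777, b"HELLO BOT 1.0"),
    ("10.0.0.8", "UDP", 7777, b"HELLO BOT 1.0"),
    ("10.0.0.9", "UDP", 7777, b"HELLO BOT 1.0"),
    # Below the repetition threshold and without textual keywords: ignored.
    ("10.0.0.1", "UDP", 53, b"\x12\x34\x01\x00\x00\x01"),
    ("10.0.0.2", "UDP", 53, b"\x12\x34\x01\x00\x00\x01"),
]

MIN_SOURCES = 3  # assumed threshold: payload must recur from this many hosts

# Assumed whitelist: (proto, dst_port, keywords) describing benign repetitive traffic.
KNOWN_BENIGN = {("TCP", 80, frozenset({"GET", "HTTP", "Host"}))}


def extract_keywords(payload: bytes) -> frozenset:
    """Content keywords: runs of three or more ASCII letters in the payload."""
    return frozenset(re.findall(r"[A-Za-z]{3,}", payload.decode("latin-1")))


def group_by_protocol(packets):
    """Layer 1: split the packet list into one list per transport protocol."""
    groups = defaultdict(list)
    for pkt in packets:
        groups[pkt[1]].append(pkt)
    return groups


def repeated_payloads(packets, min_sources=MIN_SOURCES):
    """Layer 2: (dst_port, payload) pairs seen from >= min_sources distinct hosts."""
    sources = defaultdict(set)
    for src, _proto, dport, payload in packets:
        sources[(dport, payload)].add(src)
    return {key: len(hosts) for key, hosts in sources.items() if len(hosts) >= min_sources}


def build_rules(packets, benign=KNOWN_BENIGN, min_sources=MIN_SOURCES):
    """Layer 3: keyword rules per protocol, as {proto: [(dst_port, keywords), ...]}."""
    rules = {}
    for proto, pkts in group_by_protocol(packets).items():
        per_port = defaultdict(list)  # dst_port -> keyword sets of recurring payloads
        for dport, payload in repeated_payloads(pkts, min_sources):
            kws = extract_keywords(payload)
            if not kws:
                continue  # purely binary payload: no content keywords to cluster on
            if any(p == proto and d == dport and core <= kws for p, d, core in benign):
                continue  # matches a known-benign pattern: avoid a false positive
            per_port[dport].append(kws)
        proto_rules = []
        for dport, sets in sorted(per_port.items()):
            shared = frozenset.intersection(*sets)  # keywords common to the cluster
            if shared:
                proto_rules.append((dport, shared))
            else:
                proto_rules.extend((dport, s) for s in sets)
        if proto_rules:
            rules[proto] = proto_rules
    return rules


def match(rules, packet) -> bool:
    """True if the packet hits a rule; only its own protocol's rules are consulted."""
    _src, proto, dport, payload = packet
    kws = extract_keywords(payload)
    return any(port == dport and rule_kws <= kws for port, rule_kws in rules.get(proto, ()))


if __name__ == "__main__":
    rules = build_rules(SAMPLE_PACKETS)
    for proto, proto_rules in rules.items():
        for port, kws in proto_rules:
            print(proto, port, sorted(kws))
    probe = ("10.0.0.20", "TCP", 6667, b"PRIVMSG #cmd :!update http://example.net/x")
    print("blocked" if match(rules, probe) else "allowed")
```

Clustering on the keywords shared by all recurring payloads on a port is what lets the rule generalise: the two observed commands differ in their verb, but the shared {"PRIVMSG", "cmd"} core also catches a third command never seen during extraction, while the HTTP traffic is excluded by the whitelist rather than by a weaker signature, and a PRIVMSG-like payload over UDP is not matched because the TCP rules are never consulted for it.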