
Implementation of Zombie Detection System

Advisor: 王平

Abstract

Botnets have been one of the most closely watched and studied topics in security research in recent years. Attackers use botnets to steal commercial information, posing a serious threat to enterprises and end users. Moreover, zombie computers (Zombies) are covert and hard to detect, and they are controlled over a variety of communication protocols, so firewalls and anti-virus software have difficulty detecting and removing them completely. Current virus detection techniques rely mainly on matching virus patterns with a scanning engine. A virus is usually identified by a combination of several signatures, so a slightly modified copy of the same virus can evade pattern-based detection and still cause damage. This study uses sandbox analysis to extract and generalize the behavioural features of viruses, builds a "virus signature database", and constructs 94 episode rules to estimate the support and confidence of a detection, thereby removing the requirement that 100% of the signatures match and effectively detecting bot malware. To demonstrate the feasibility of the proposed method, a Zombie Detection System was implemented and then tested and validated in an emulated network environment on the National Cheng Kung University security testbed (Testbed@TWISC). Experimental results show that the proposed method detects bots effectively and accurately, and a blacklist map for monitoring bots helps administrators quickly identify the infected zombie computers on their network.

Abstract (English)

Botnets have become a critical issue in information security research. Hackers use botnets to steal business information, leading to serious threats for enterprises and end users. Moreover, zombies are stealthy and difficult to detect and clean, even with firewalls and anti-virus toolsets. Existing anti-virus detection techniques primarily rely on virus pattern matching by a scanning engine. Variants can be formed by modifying the virus signatures, after which they can hardly be detected and can cause serious damage. This work investigates virus behaviours via sandbox analysis to construct a "virus signature database" with support and confidence degrees using 94 episode rules. It successfully avoids the need for 100% signature matching and increases the bot detection rate. Furthermore, a Zombie Detection System (ZDS) and a Dark IP Map have been built to monitor bot infections on the network. To validate the effectiveness of the system, test cases emulating network attack scenarios were conducted in Testbed@TWISC. Experimental results show that the proposed approach can effectively and precisely detect zombies.
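The abstract describes scoring a host against episode rules by support and confidence instead of demanding a full signature match. The following is an added illustration of that idea, not the thesis's own code or its 94 rules: the event names, sandbox traces, rules, the association-rule definitions of support and confidence, and the 0.5 threshold are all assumptions.

```python
"""Episode-rule bot scoring, reconstructed as an illustration (not the thesis code).
Assumed definitions: an episode rule is an ordered antecedent of behaviour events
implying a consequent event; support and confidence follow association-rule usage."""

# Constructed sandbox traces: ordered behaviour events observed per analysed sample.
SANDBOX_TRACES = {
    "bot_a": ["drop_exe", "autorun_reg", "dns_query", "irc_connect", "nick_cmd"],
    "bot_b": ["drop_exe", "autorun_reg", "irc_connect", "nick_cmd", "scan_445"],
    "bot_c": ["autorun_reg", "dns_query", "irc_connect", "nick_cmd"],
    "benign": ["dns_query", "http_get", "write_doc"],
}

# Hypothetical episode rules: (antecedent events in order, consequent event).
EPISODE_RULES = [
    (("drop_exe", "autorun_reg"), "irc_connect"),
    (("irc_connect",), "nick_cmd"),
    (("autorun_reg", "irc_connect"), "scan_445"),
    (("dns_query",), "irc_connect"),
]

def occurs_in_order(events, trace):
    """True if all `events` appear in `trace` in the given order (gaps allowed)."""
    pos = 0
    for ev in events:
        if ev not in trace[pos:]:
            return False
        pos = trace.index(ev, pos) + 1
    return True

def rule_stats(antecedent, consequent, traces=SANDBOX_TRACES):
    """Support = traces with the full episode / all traces;
    confidence = traces with the full episode / traces with the antecedent."""
    ante = sum(occurs_in_order(antecedent, t) for t in traces.values())
    full = sum(occurs_in_order(antecedent + (consequent,), t) for t in traces.values())
    return full / len(traces), (full / ante if ante else 0.0)

def bot_score(observed, rules=EPISODE_RULES, traces=SANDBOX_TRACES):
    """Confidence-weighted share of rules the observed host satisfies (partial matches count)."""
    matched = total = 0.0
    for antecedent, consequent in rules:
        _, conf = rule_stats(antecedent, consequent, traces)
        total += conf
        if occurs_in_order(antecedent + (consequent,), observed):
            matched += conf
    return matched / total if total else 0.0

def is_bot(observed, threshold=0.5):
    """Flag the host once the score reaches the threshold (0.5 is an assumed value)."""
    return bot_score(observed) >= threshold
```

A variant that drops the scanning and DNS behaviour still satisfies the high-confidence rules and is flagged, while the benign trace matches none.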

Keywords

Botnet; Zombie; Episode rule; Testbed@TWISC

Cited by

王清平 (2012). Improvement of a digital antidote for bot malware [Master's thesis, 崑山科技大學]. Airiti Library. https://doi.org/10.6828/KSU.2012.00077
李奇軒 (2011). Improvement of a digital antidote for bot malware [Master's thesis, 崑山科技大學]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0025-1907201114461300
呂育華 (2011). Development of a botnet monitoring platform [Master's thesis, 崑山科技大學]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0025-1907201114460900
劉佳琪 (2012). A sandbox-based approach to automated malware analysis [Master's thesis, 崑山科技大學]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0025-2307201217490000