Botnets have become one of the most closely watched and studied topics in recent years. Attackers use botnets to steal business information, posing a serious threat to enterprises and end users. Moreover, zombie computers are stealthy and hard to detect, and they are controlled over a variety of communication protocols, so firewalls and anti-virus software struggle to detect and remove them completely. Current virus detection relies mainly on matching virus patterns with a scanning engine. A virus is usually identified by a combination of several features, so a slightly modified copy of the same virus can evade pattern-based detection and still cause damage. This study uses sandbox analysis to identify and generalise virus behaviour features, builds a "virus feature database", and derives 94 episode rules that estimate the support and confidence of a detection; this removes the requirement that 100% of a signature's features match and allows bot malware to be detected effectively. To demonstrate the feasibility of the proposed method, a zombie detection system was implemented and then tested and validated in an emulated network environment on the Testbed@TWISC at National Cheng Kung University. Experimental results show that the proposed method detects bot malware effectively and accurately, and a blacklist map is used to monitor bots and help administrators quickly locate the infected zombies on their network.
Botnets have become a critical issue in information security research. Attackers use botnets to steal business information, posing a serious threat to enterprises and end users. Moreover, zombies are stealthy and difficult to detect and clean, even with firewalls and anti-virus toolsets. Existing anti-virus detection relies primarily on virus pattern matching by a scanning engine. Variants formed by modifying a virus's signature can then evade detection and cause serious damage. This work investigates virus behaviours via sandbox analysis and constructs a "virus signature database" of 94 episode rules, each carrying a support and confidence degree. This avoids the need for 100% signature matching and increases the bot detection rate. Furthermore, a Zombie Detection System (ZDS) and a Dark IP Map have been built to monitor bot infections across the network. To validate the effectiveness of the system, test cases are conducted in Testbed@TWISC to emulate network attack scenarios. Experimental results show that the proposed approach detects zombies effectively and precisely.
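The abstract's central claim is that episode rules with support and confidence let a sample be flagged without every feature of a known signature being present. The following is an added example, not the thesis's own code or its 94 rules: it mines antecedent-to-"bot" rules from a small set of constructed sandbox behaviour traces (the feature names such as `irc_connect` and `proc_inject`, the traces, and the 0.25 / 0.8 thresholds are all hypothetical), then compares exact signature matching against rule firing on a variant that drops one behaviour and adds another.

```python
"""Episode-rule bot detection over sandbox behaviour features.

Added example, not code from the thesis: feature names, traces and
thresholds are constructed for illustration. A rule has the form
    antecedent features -> "bot"
with  support    = P(antecedent present AND sample is a bot)  over all traces
      confidence = P(sample is a bot | antecedent present)
A sample is flagged when any rule whose antecedent it fully contains has
confidence >= the threshold, so a variant that drops or adds behaviours
still matches the rules it keeps, instead of needing a 100% signature match.
"""
from itertools import combinations
from typing import FrozenSet, List, NamedTuple, Tuple

Features = FrozenSet[str]


class Rule(NamedTuple):
    antecedent: Features
    support: float
    confidence: float


# Constructed sandbox traces: (behaviour features observed, is_bot label).
TRACES: List[Tuple[Features, bool]] = [
    (frozenset({"reg_autorun", "irc_connect", "hosts_modify", "proc_inject"}), True),
    (frozenset({"reg_autorun", "irc_connect", "dns_flood"}), True),
    (frozenset({"irc_connect", "hosts_modify", "proc_inject"}), True),
    (frozenset({"reg_autorun", "irc_connect", "proc_inject"}), True),
    (frozenset({"reg_autorun", "file_write"}), False),
    (frozenset({"file_write", "http_connect"}), False),
    (frozenset({"reg_autorun", "http_connect"}), False),
    (frozenset({"hosts_modify", "file_write"}), False),
]


def mine_rules(traces, min_support=0.25, min_confidence=0.8, max_len=2) -> List[Rule]:
    """Enumerate antecedents of up to max_len features and keep those whose
    support and confidence for the consequent 'bot' clear both thresholds."""
    n = len(traces)
    features = sorted(set().union(*(f for f, _ in traces)))
    rules: List[Rule] = []
    for k in range(1, max_len + 1):
        for combo in combinations(features, k):
            ante = frozenset(combo)
            n_ante = sum(1 for f, _ in traces if ante <= f)
            n_both = sum(1 for f, is_bot in traces if is_bot and ante <= f)
            if n_ante == 0:
                continue  # antecedent never observed; confidence undefined
            support, confidence = n_both / n, n_both / n_ante
            if support >= min_support and confidence >= min_confidence:
                rules.append(Rule(ante, support, confidence))
    return rules


def exact_signature_match(sample: Features, traces) -> bool:
    """The baseline the thesis argues against: a hit only when the sample's
    behaviour set equals a known bot's complete feature set."""
    return any(is_bot and f == sample for f, is_bot in traces)


def classify(sample: Features, rules: List[Rule], threshold=0.8):
    """Fire every rule whose antecedent is a subset of the sample's features.
    Returns (detected, best_confidence, fired_rules)."""
    fired = [r for r in rules if r.antecedent <= sample]
    best = max((r.confidence for r in fired), default=0.0)
    return best >= threshold, best, fired


if __name__ == "__main__":
    mined = mine_rules(TRACES)
    for r in sorted(mined, key=lambda r: (-r.confidence, -r.support)):
        print(f"{sorted(r.antecedent)} -> bot  "
              f"support={r.support:.3f} confidence={r.confidence:.2f}")
    # A variant: same core behaviour, one feature dropped and one added.
    variant = frozenset({"irc_connect", "proc_inject", "sleep_evasion"})
    print("exact signature match:", exact_signature_match(variant, TRACES))
    print("episode rules (detected, best confidence):", classify(variant, mined)[:2])
```

On the constructed traces the miner keeps seven rules; `reg_autorun` alone is dropped because it also appears in benign traces (confidence 0.6), which is the kind of rule a practitioner wants rejected, since autorun persistence is common to much non-bot software. The variant sample fails the exact-signature baseline yet fires three rules at confidence 1.0, which is the behaviour the abstract describes.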