As the times progress, network technology brings convenience and efficiency, but it also brings crime and malicious behaviour. Cybercrime is increasing daily: malicious activities such as data theft, distributed denial-of-service (DDoS) attacks, money mules, spam mail and phishing sites are reported constantly, and botnets are the driving force behind them. A government agency's network contains hundreds or thousands of computers; if official computers are infected and become part of a botnet, the resulting losses are incalculable. This paper attempts to use the activity and transmission characteristics of botnets to detect botnets in government agencies and to identify the official computers infected with bot programs. It uses the free software Open-AudIT together with a self-written sniffer based on the SharpPcap library to monitor network traffic and determine whether suspected botnet activity exists in the agency network. When an official computer is infected, a warning message is issued so that staff can take immediate action and prevent the damage from spreading. A list of hosts suspected of infection is also reported to IT staff by e-mail and on a web page. To avoid unpredictable harm to the agency network from testing a real botnet, this study borrows the Testbed introduced by National Cheng Kung University (Testbed@TWISC, based on the Emulab system) for simulation testing, reducing experimental cost and the risk of damage.