以DNS封包內涵為基礎之殭屍網路封包行為之偵測與阻擋

殭屍網路病毒是目前最危險，同時也是成長最快的網路威脅之一，不管是個人、學校、公司或組織，殭屍網路已構成相當嚴重的威脅，如何去偵測區域網路內所屬的電腦是否有感染殭屍病毒，已成為一大挑戰。在本研究，我們針對HTTP Based的殭屍網路提出偵測與阻擋機制，並以DNS為基礎，配合殭屍網路的封包行為設計一套演算法，透過此演算法能夠有效的偵測出殭屍網路，並透過代理伺服器黑名單機制將中殭屍網路病毒之電腦做阻擋，以避免造成更嚴重的後果。

關鍵字

殭屍網路；網域名稱伺服器；殭屍病毒

並列摘要

Botnet is one of the most dangerous and fastest growing network threats at present. No matter it is individual, school, company or organization, the Botnet have constituted a serious threat. How to detect computers inside the LAN to determine if they are being affected by Botnet virus has become a major challenge. In this study, we focus on the HTTP Based Botnet detection and blocking mechanism. We develop an algorithm to measure the Botnet Packet behavior to detect Botnet infection. By this algorithm, we can effectively detect one of the Botnet viruses. By using the blacklist mechanism provided by the proxy server to block the infected computers, we can avoid further serious consequences.

並列關鍵字

bot ； botnet ； dns

參考文獻

[8]王平、王榮祥、蘇浩儀、顏柏璋、郭溥村，「殭屍網路的感染途徑重建與分析」 TANET 2008 臺灣網際網路研討會，2008

[21]Hyunsang Choi,Hanwoo Lee, Heejo Lee, and Hyogon Kim, “Botnet Detection by Monitoring Group Activities in DNS Traffic,” in Proc. 7th IEEE International Conference on Computer and Information Technology, 2007

[1]行政院主計處，「電腦應用概況報告 97年調查結果」