A botnet is a network of computers infected with bot malware, and such computers are currently a major threat to Internet security. The attacker first plants bot malware on ordinary users' computers and then issues commands over the network to control all of the victim machines, using them to carry out malicious activities such as distributed denial-of-service attacks, theft of confidential information, or distribution of spam. One type of botnet, the P2P botnet, is modelled on P2P software: it uses a multi-controller architecture to avoid the single-point-of-failure problem and combines this with encryption, so that signature-based detection techniques are ineffective against it. However, the operation of a P2P botnet differs from normal network behaviour: it establishes a large number of connections without consuming much bandwidth, so anomaly-based detection can still reveal its presence. This thesis proposes a methodology based on data mining techniques to detect P2P botnets, implements it in a network environment, and verifies that it can be used to find the hosts of a P2P botnet. The key approach is to use the intrinsic differences between P2P botnet traffic and normal network behaviour as data mining parameters, and to apply data mining techniques to cluster and classify hosts, thereby finding the bot computers lurking in the network with acceptable accuracy. Compared with previous research, this method achieves the following four research goals: (1) it is not limited by the encryption used by P2P botnets; (2) it is highly deployable, requiring only gateway-side network monitoring rather than monitoring of individual computers; (3) it does not include attack behaviour among the mining parameters, so it can detect bot computers in a dormant state; (4) it is not disturbed by complex background traffic. This method can be used alongside existing anti-virus solutions and directly reduces an enterprise's overall information-security risk.
A botnet is a network of computers that have been compromised over the Internet by viruses or Trojan horses, and it poses a severe security problem. Attackers control the zombie computers by implanting malicious programs that perform tasks such as launching distributed denial-of-service (DDoS) attacks, stealing confidential information, and spreading junk mail. A peer-to-peer (P2P) botnet, following the P2P architecture, uses multiple controllers to avoid a single point of failure, and with encryption technologies a P2P botnet is hard to detect with misuse-detection technologies. Unlike a normal network, it creates numerous sessions without consuming much bandwidth, and this behaviour allows anomaly-detection technology to recognise a P2P botnet. In this thesis, a data mining method is proposed to detect P2P botnets in a real network environment, and we verify that the method can be used to find the hosts of a P2P botnet. The main idea is to use the intrinsic dissimilarities between P2P botnet traffic and normal Internet behaviour as parameters for clustering, to distinguish the data mining results, and finally to check that the accuracy is acceptable. Compared with past research, we accomplish four objectives: (1) P2P botnets can be detected regardless of their encryption technologies; (2) the method needs to be deployed only on network gateways, not on personal computers; (3) inactive zombie computers can also be detected, without considering attack behaviour; (4) the data mining method can detect zombie computers without being confused by complex network flows. This method can work alongside anti-virus software and reduces an enterprise's security risk.
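As an added illustration that is not code from the thesis, the following Python script applies the "many sessions, little bandwidth" idea at the gateway: it aggregates constructed flow records per source host, standardises the features, clusters hosts with a small hand-written 2-means, and reports the cluster that opens many sessions yet moves little data per session. The hosts, flow records and the three chosen features are assumptions made for this example.

```python
import math
from collections import defaultdict

def sample_flows():
    """Constructed flow log as a gateway might export: (src_host, dst_host, bytes)."""
    flows = []
    # Ordinary workstations: a handful of sessions, each moving tens of kilobytes.
    for host in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        for i in range(8):
            flows.append((host, f"93.184.216.{i}", 40_000 + 5_000 * i))
    # Bot-like hosts: many short sessions to many distinct peers, a few hundred bytes each.
    for host in ("10.0.0.77", "10.0.0.78"):
        for i in range(120):
            flows.append((host, f"198.51.100.{i % 250}", 300 + (i % 7) * 20))
    return flows

def host_features(flows):
    """Per source host: (session count, distinct peers, mean bytes per session)."""
    agg = defaultdict(lambda: {"sessions": 0, "peers": set(), "bytes": 0})
    for src, dst, nbytes in flows:
        agg[src]["sessions"] += 1
        agg[src]["peers"].add(dst)
        agg[src]["bytes"] += nbytes
    return {h: (a["sessions"], len(a["peers"]), a["bytes"] / a["sessions"]) for h, a in agg.items()}

def zscore(vectors):
    """Standardise each feature so session counts and byte volumes are comparable."""
    cols = list(zip(*vectors.values()))
    mean = [sum(c) / len(c) for c in cols]
    std = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0 for c, m in zip(cols, mean)]
    return {h: tuple((x - m) / s for x, m, s in zip(v, mean, std)) for h, v in vectors.items()}

def two_means(points, iters=20):
    # Split hosts into two clusters; seeds are the hosts with the fewest and the most sessions.
    ordered = sorted(points, key=lambda h: points[h][0])
    centroids = [points[ordered[0]], points[ordered[-1]]]
    labels = {}
    for _ in range(iters):
        for h, p in points.items():
            labels[h] = min((0, 1), key=lambda k: sum((a - b) ** 2 for a, b in zip(p, centroids[k])))
        for k in (0, 1):
            members = [points[h] for h in points if labels[h] == k]
            if members:
                centroids[k] = tuple(sum(c) / len(members) for c in zip(*members))
    return labels, centroids

def suspect_hosts(flows):
    # The bot-like cluster is the one whose centroid has more sessions but fewer bytes per session.
    labels, centroids = two_means(zscore(host_features(flows)))
    bot_cluster = max((0, 1), key=lambda k: centroids[k][0] - centroids[k][2])
    return sorted(h for h, k in labels.items() if k == bot_cluster)
```

On the constructed log, `suspect_hosts(sample_flows())` flags only the two hosts with many low-volume sessions; on real gateway exports the feature set and cluster count would need tuning against the background traffic the thesis mentions.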