Botnets have become the greatest threat to network security. Besides launching denial-of-service attacks that paralyze important websites, a botnet can steal confidential data from the victim computers themselves, use phishing pages to trick people out of their account credentials, send bulk spam, commit click fraud and other network crimes; yet even though many new detection techniques and solutions have appeared, the threat posed by botnets has still not been effectively reduced. Current detection methods mainly analyze packet contents and network-traffic features, but they face the problem that a botnet can easily change those packet contents and traffic features to evade the detection system, and they also run into packet encryption and privacy concerns. This study proposes a mechanism that can detect botnets when packets are encrypted, when packet or traffic features have been changed, and without infringing on privacy. First, by reviewing the literature and analyzing the network activity of victim computers, three important network behavior features are identified: long-term communication behavior (ActBehavior), connection failure behavior (FailBehavior) and network scanning behavior (ScanBehavior). These behavior features are then extracted by network equipment from network-layer and transport-layer data; changes in how the botnet operates do not affect the detection effectiveness of this method. Finally, PSO (Particle Swarm Optimization) combined with the K-means algorithm is used to find botnet members within the organization's network. Using the network of an academic institution as a case study, the results show that the method can effectively (1) find the botnet members in the organization's internal network; (2) still find the botnet members when the botnet encrypts packets or changes traffic features to avoid detection; and (3) discover botnet members early, before they are detected by other security systems. Because the method analyzes only network traffic, raises no privacy issues and requires no software to be installed on users' computers, it is well suited to dormitory networks, the networks that telecom operators provide to home users, and the 3G networks used by mobile phones.
Nowadays, botnets have become one of the greatest threats to network security. Attackers can use a botnet to launch distributed denial of service (DDoS) attacks that paralyze important websites, to steal confidential data from infected computers, to mount phishing attacks that steal sensitive information such as accounts and passwords, to send bulk email advertising, or to conduct click fraud. Even though detection technology has improved and several solutions for Internet security have been proposed, the threat of botnets still exists. Most previous studies analyzed packet contents or the features of network flows to detect botnets. However, these approaches still face problems with packet encryption and privacy, and a botnet can easily change its packet contents and flow features to evade the detection system. This study proposes a solution to those problems and develops a botnet detection mechanism step by step. First, three important network behaviors, long communication behavior (ActBehavior), connection failure behavior (FailBehavior) and network scanning behavior (ScanBehavior), are defined by reviewing the related literature and analyzing the network activities of infected computers. Secondly, the features of these network behaviors are extracted from the network-layer and transport-layer flow records collected by network equipment. Finally, Particle Swarm Optimization (PSO) and the K-means algorithm are used to detect the members of the botnet in the organization's network. This study uses a campus network as a case study. The experimental results show that this mechanism can find the botnet members on an organization's network even when packets are encrypted or flow features are changed, and can find the botnet members before other information security systems detect them.
Moreover, the mechanism in this study is simple to implement and can be used in student dormitory networks, home networks and mobile 3G networks as well.
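The pipeline that both abstracts describe, feature extraction from flow records followed by PSO-seeded K-means clustering of hosts, as an added Python example that is not the thesis's own code. The concrete feature definitions (ActBehavior as persistence toward one peer across time windows, FailBehavior as the failed-flow ratio, ScanBehavior as the fan-out in the host's busiest window, the SCAN_CAP normalisation), the flow-record layout, the host names, IP addresses and every flow record are this example's assumptions, constructed for illustration; only the three behaviour names and the PSO-plus-K-means combination come from the abstract.

```python
import random
from collections import defaultdict

# Constructed sample flow records (not data from the thesis), one tuple per
# flow: (src_host, dst_ip, dst_port, time_window, succeeded). Windows are
# coarse time slots numbered 0..WINDOWS-1.
WINDOWS = 5
SCAN_CAP = 20  # distinct targets in one window that count as "full" scanning
FLOWS = [
    # normal hosts: a handful of web/DNS sessions, nearly all succeed
    ("n1", "10.0.0.50", 443, 0, True), ("n1", "10.0.0.51", 80, 1, True),
    ("n1", "10.0.0.52", 443, 3, True), ("n1", "10.0.0.50", 443, 4, True),
    ("n2", "10.0.0.60", 53, 0, True), ("n2", "10.0.0.61", 443, 2, True),
    ("n2", "10.0.0.62", 443, 2, True), ("n2", "10.0.0.63", 22, 4, False),
    ("n3", "10.0.0.70", 80, 1, True), ("n3", "10.0.0.70", 80, 3, True),
]
# bot-like hosts: beacon to one peer in every window and fire a burst of
# failed connections at many distinct targets within a single window
FLOWS += [("b1", "203.0.113.9", 6667, w, True) for w in range(WINDOWS)]
FLOWS += [("b1", f"10.0.1.{i}", 445, 2, False) for i in range(1, 21)]
FLOWS += [("b2", "203.0.113.9", 6667, w, w % 2 == 0) for w in range(WINDOWS)]
FLOWS += [("b2", f"10.0.2.{i}", 23, 4, False) for i in range(1, 11)]

def host_features(flows):
    """Per host: (ActBehavior, FailBehavior, ScanBehavior), each in [0, 1].
    These concrete definitions are this example's assumptions, not the thesis's:
      ActBehavior  - share of windows in which the host talked to its most
                     persistent peer (long-lived, C&C-like communication)
      FailBehavior - share of the host's flows that did not succeed
      ScanBehavior - distinct (ip, port) targets in the host's busiest window,
                     capped at SCAN_CAP and scaled to [0, 1]"""
    peer_windows = defaultdict(lambda: defaultdict(set))  # host -> peer -> windows
    targets = defaultdict(lambda: defaultdict(set))       # host -> window -> targets
    total, failed = defaultdict(int), defaultdict(int)
    for src, dst_ip, dst_port, window, ok in flows:
        peer_windows[src][dst_ip].add(window)
        targets[src][window].add((dst_ip, dst_port))
        total[src] += 1
        failed[src] += 0 if ok else 1
    feats = {}
    for host in total:
        act = max(len(ws) for ws in peer_windows[host].values()) / WINDOWS
        fail = failed[host] / total[host]
        scan = min(1.0, max(len(t) for t in targets[host].values()) / SCAN_CAP)
        feats[host] = (act, fail, scan)
    return feats

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def sse(centroids, points):
    """Within-cluster sum of squared distances: the fitness PSO minimises."""
    return sum(min(dist2(p, c) for c in centroids) for p in points)

def pso_kmeans(points, k=2, particles=20, iters=60, seed=7):
    """PSO searches for k centroids (a particle is k centroids flattened), then
    a few Lloyd iterations of K-means refine the swarm's best solution."""
    rng, dim = random.Random(seed), len(points[0])
    unflat = lambda v: [tuple(v[i * dim:(i + 1) * dim]) for i in range(k)]
    swarm = [[x for p in rng.sample(points, k) for x in p] for _ in range(particles)]
    vel = [[0.0] * (k * dim) for _ in range(particles)]
    pbest, pbest_f = [s[:] for s in swarm], [sse(unflat(s), points) for s in swarm]
    g = min(range(particles), key=lambda i: pbest_f[i])
    gbest, gbest_f = pbest[g][:], pbest_f[g]
    w, c1, c2 = 0.7, 1.5, 1.5  # inertia, cognitive and social weights
    for _ in range(iters):
        for i in range(particles):
            for d in range(k * dim):
                r1, r2 = rng.random(), rng.random()
                vel[i][d] = (w * vel[i][d] + c1 * r1 * (pbest[i][d] - swarm[i][d])
                             + c2 * r2 * (gbest[d] - swarm[i][d]))
                swarm[i][d] = min(1.0, max(0.0, swarm[i][d] + vel[i][d]))
            f = sse(unflat(swarm[i]), points)
            if f < pbest_f[i]:
                pbest[i], pbest_f[i] = swarm[i][:], f
                if f < gbest_f:
                    gbest, gbest_f = swarm[i][:], f
    centroids = unflat(gbest)
    for _ in range(20):  # K-means refinement; a centroid is kept if its cluster empties
        labels = [min(range(k), key=lambda j: dist2(p, centroids[j])) for p in points]
        new = []
        for j in range(k):
            m = [p for p, l in zip(points, labels) if l == j]
            new.append(tuple(sum(xs) / len(m) for xs in zip(*m)) if m else centroids[j])
        if new == centroids:
            break
        centroids = new
    labels = [min(range(k), key=lambda j: dist2(p, centroids[j])) for p in points]
    return centroids, labels

def detect_bots(flows, seed=7):
    """Cluster hosts on the three behaviours; the cluster whose centroid has the
    largest feature sum is reported as the suspected botnet members."""
    feats = host_features(flows)
    hosts = sorted(feats)
    centroids, labels = pso_kmeans([feats[h] for h in hosts], k=2, seed=seed)
    bot_cluster = max(range(len(centroids)), key=lambda j: sum(centroids[j]))
    suspects = {h for h, l in zip(hosts, labels) if l == bot_cluster}
    return {"features": feats, "centroids": centroids, "suspects": suspects}
```

Running `detect_bots(FLOWS)` on the constructed records flags `b1` and `b2`, whose features sit near (1.0, 0.8, 1.0) and (1.0, 0.8, 0.55), while the normal hosts stay below 0.4 on every axis. Nothing in the pipeline reads payload bytes, which is why encryption does not disturb it; what does need tuning per network is the window length, the scan cap, the number of clusters and the rule that labels one cluster as suspicious, since a host that legitimately polls one server every window (a monitoring box, an NTP client) scores high on ActBehavior alone and should be reviewed rather than flagged on that feature by itself.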