資安技術真實流量實地評比---子計畫三：資安技術反惡意軟體及反殭屍網路真實流量評比

Abstract

近年來惡意軟體急速增加，根據Panda Labs的統計，每天需要處理的惡意程式超過3000種，而且2007年跟2006相比，增加的比例高達800%，而其中又以Botnet之危害嚴重性最大。以往的惡意程式目的在於表現個人電腦實力或破壞他人電腦為主，但現今則是以竊取機密資料、獲取不法利益為主，甚至是滲透控制他人電腦作為攻擊的跳板以逃避追查。要避免感染惡意程式有兩方面，一是良好的使用者操作習慣，另一則是使用資安軟體。良好的使用者操作習慣可以避免惡意程式利用社交工程途徑發動感染；而資安軟體常見的則是『防毒軟體(Anti-Virus)』、『防毒牆(VirusWall)』、『防火牆(FireWall)』、『入侵偵測系統(Intrusion Detection System，IDS)』、『入侵預防系統(Intrusion Prevention System，IPS)』等，軟體系統不同、採用的偵測防禦技術也不同，當然就有不同的處理對象及方法。 本計畫將著重於資安偵測防禦系統測試平台之建置與測試評比反惡意程式(Anti-Malware)及反殭屍網路(Anti-Botnet)兩項資安偵防技術所需要的工具或機制，結合流量錄製、流量萃取、資訊重組、資訊詢問及流量重播技術，重播真實網路流量來找出任何潛在的資安威脅或是已發展的資安偵防技術不足之處。預期在一年內可以發展出Anti-Botnet及Anti-Malware兩類Specific資安技術之實地與重播測試技術，佈建誘捕網路(Honeynet)，發表這兩類資安技術相關之專利與論文如: bot recognition /w PIN、anti-malware product testing、bot collection and analysis: active vs. passive，研發可萃取此兩類資安技術相關流量內容的萃取工具，同時將執行至少上三件以上的資安產品測試案。

Recently malware expands rapidly. According to Panda Labs statistics, malwares needed to be processed every day are more than 3000 types, and compared 2007 with 2006, the increase of the proportion is as high as 800%. Among them, Botnet is one of the most harmful threats. The goal of former malwares aimed at showing off personal computing strength or destroying other computers, but nowadays it is aimed at stealing confidential information, intercepting illegal benefit, even intruding and controlling other computers as springboards for attacks in order to avoid tracing. There are two aspects to avoid malware infection; one is that users must have good operation habits which mean not downloading unauthorized software arbitrarily; the other is that using security products to protect computers. The well-known security products include Anti-Virus, Anti-Malware, Firewall, Viruswall, and IDS/IPS. Different products utilize distinct approaches to protect systems from attacks, and have different dissimilar advantages/disadvantages. The project will focus on the building of security detection/protection system and the benchmarking of two types of security technologies-Anti-malware and Anti-Botnet. Combined five benchmarking technologies-traffic recording, traffic extraction, information reorganization, querying, and traffic replaying with real flows, we can discover and resolve any potential network threats and find out the advantages/disadvantages of the security technologies. This project aims to develop two kinds of specific security technologies in field and replaying tests for anti-botnets and anti-malware. And the related patents and papers are in the area of bot recognition /w PIN, anti-malware product testing, bot collection and active/passive analysis. Besides, more than three testing cases will be executed.