Title: A host-based botnet detection system using communication features and de-anonymization technique
Authors: Lee, Wei-Min (李唯民); Tzeng, Wen-Guey (曾文貴)
Department: Institute of Computer Science and Engineering
Keywords: Botnet detection; De-anonymization; Clustering
Publication date: 2016
Abstract: In recent years botnet malware has spread rapidly and poses a serious threat to today's networks. A computer infected by a bot will, without the user noticing, freely exploit the victim's resources and private data; this not only causes system damage and data leakage but can also turn the host into a stepping stone for large-scale network attacks. Most recent botnet detection research tends to observe network traffic passively in order to capture the various classes of botnet malware, and these traffic-based methods often use the NetFlow record format as the basis for detection. However, flow-based detection can lose accuracy because botnets frequently switch ports or deliberately evade on some of the flow feature values. This thesis therefore proposes a new traffic-based, host-side botnet detection system: a clustering algorithm is used to find botnet fingerprint flows, and the concept of de-anonymization is combined with it to judge whether a user's network flows are botnet flows. The goal is to exploit the statistical feature attributes of network flows while avoiding some of the weaknesses of flow-based detection, so that bot-infected users can be detected.
A botnet is a group of compromised computers collectively controlled by a botmaster that often engages in malicious activities for financial gain, such as sending spam mail, launching Distributed Denial of Service (DDoS) attacks, performing click fraud, or stealing sensitive information. In recent years, many botnet detection studies have tended to observe network traffic passively. These network-based detection methods often use the NetFlow format to detect botnets. However, such flow-based detection methods may produce lower detection accuracy, because botnets often switch ports or change some of their flow features. In this thesis, we propose a host-based botnet detection system using network flows. The system uses a clustering algorithm to find fingerprint flows of botnet traffic, and then applies similarity matching in the manner of a de-anonymization technique to detect botnet flows.
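The abstract describes a two-stage pipeline (cluster known bot traffic into fingerprint flows, then match a user's flows against them by similarity) without giving the feature set or algorithms. The following is an added illustration of that pipeline, not code from the thesis: it assumes NetFlow-style per-flow statistics (packets, bytes in each direction, duration, inter-flow interval) as features, plain k-means as the clustering step, a majority-label rule for deciding which clusters become fingerprints, and a match threshold derived from each fingerprint cluster's spread. The destination port is deliberately excluded from the features, which is the practical answer to the port-switching problem the abstract raises. All flow records are constructed sample data.

```python
"""Illustrative host-based botnet flow detector: cluster flows from a
known-infected capture into "fingerprint flows", then flag a user's
flows that are similar to one.  Constructed example, not the thesis's
implementation; feature set, k-means and thresholds are assumptions."""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record for an outbound flow from the monitored host."""
    dst_port: int
    pkts: int          # packets in the flow
    bytes_out: int     # bytes sent by the host
    bytes_in: int      # bytes received by the host
    duration: float    # seconds
    interval: float    # seconds since the previous flow to the same destination
    is_bot: bool = False   # label; only meaningful for the training capture


def features(f: Flow) -> list[float]:
    """Statistical feature vector.  dst_port is left out on purpose: a bot that
    rotates its C&C port keeps the same size/timing profile.  log1p compresses
    the byte counts so that one large download does not dominate the distance."""
    return [math.log1p(v) for v in (f.pkts, f.bytes_out, f.bytes_in, f.duration, f.interval)]


def dist(a: list[float], b: list[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points: list[list[float]], k: int, rounds: int = 50) -> tuple[list[list[float]], list[int]]:
    """Lloyd's k-means with deterministic farthest-point seeding.
    Returns (centroids, cluster index of each point)."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    assign = [0] * len(points)
    for _ in range(rounds):
        assign = [min(range(k), key=lambda i: dist(p, centroids[i])) for p in points]
        new = []
        for i, c in enumerate(centroids):
            members = [p for p, a in zip(points, assign) if a == i]
            new.append([sum(col) / len(members) for col in zip(*members)] if members else c)
        if new == centroids:      # assignments stopped changing
            break
        centroids = new
    return centroids, assign


@dataclass
class Fingerprint:
    centroid: list[float]   # the fingerprint flow, as a feature vector
    threshold: float        # largest distance still counted as a match


def build_fingerprints(training: list[Flow], k: int = 2, slack: float = 2.0, floor: float = 0.5) -> list[Fingerprint]:
    """Cluster a labelled training capture; a cluster whose members are mostly
    bot flows becomes a fingerprint.  The threshold is the cluster's own radius
    times `slack` (assumption: C&C beacons are homogeneous), with a floor so a
    tiny capture does not produce an unusably tight fingerprint."""
    pts = [features(f) for f in training]
    centroids, assign = kmeans(pts, k)
    fps: list[Fingerprint] = []
    for i, c in enumerate(centroids):
        members = [f for f, a in zip(training, assign) if a == i]
        if members and 2 * sum(f.is_bot for f in members) > len(members):
            radius = max(dist(features(f), c) for f in members)
            fps.append(Fingerprint(c, max(slack * radius, floor)))
    return fps


def score(flow: Flow, fps: list[Fingerprint]) -> float:
    """Distance from the flow to the nearest fingerprint (lower = more similar)."""
    return min(dist(features(flow), fp.centroid) for fp in fps)


def is_bot_flow(flow: Flow, fps: list[Fingerprint]) -> bool:
    """Match a user's flow against the stored fingerprints, the way a behavioural
    de-anonymiser matches an observed profile against known profiles."""
    return any(dist(features(flow), fp.centroid) <= fp.threshold for fp in fps)


# Constructed training capture: four C&C beacons on rotating ports, three browsing flows.
TRAINING = [
    Flow(8080, 6, 320, 180, 0.4, 60, is_bot=True),
    Flow(443, 7, 300, 200, 0.5, 61, is_bot=True),
    Flow(6667, 6, 330, 190, 0.4, 59, is_bot=True),
    Flow(1337, 8, 310, 210, 0.6, 60, is_bot=True),
    Flow(443, 40, 3000, 52000, 2.1, 3),
    Flow(80, 55, 4200, 80000, 3.0, 1),
    Flow(443, 35, 2500, 40000, 1.5, 5),
]

if __name__ == "__main__":
    fps = build_fingerprints(TRAINING)
    # Constructed flows from a user's host: a beacon on a never-seen port, a DNS-sized
    # lookup, and a web fetch that happens to use a port the bot used in training.
    for f in (Flow(2222, 7, 315, 195, 0.5, 62), Flow(53, 2, 60, 120, 0.05, 0.2),
              Flow(8080, 45, 3500, 60000, 2.5, 2)):
        print(f"port {f.dst_port:5d}  distance {score(f, fps):.2f}  bot={is_bot_flow(f, fps)}")
```

The last two constructed flows show the point of dropping the port: the beacon is caught on a port never seen in training, and the web fetch on port 8080 is not flagged even though a training beacon used that port. In practice the training capture would come from hosts already known to be infected, and the threshold should be tuned against a benign capture rather than taken from the bot cluster alone.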
URI: http://etd.lib.nctu.edu.tw/cdrfb3/record/nctu/#GT070356064
http://hdl.handle.net/11536/139623
Appears in Collections: Thesis