中大機構典藏-NCU Institutional Repository-提供博碩士論文、考古題、期刊論文、研究計畫等下載:Item 987654321/63530


    Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/63530


    Title: Detect Web-Based Botnet according to Bot communication traffic
    Authors: 張雅晴;Chang,Ya-Ching
    Contributors: Department of Computer Science and Information Engineering (資訊工程學系)
    Keywords: botnet (殭屍網路); botnet detection (偵測殭屍網路); botnet; web-based botnet; botnet detection
    Date: 2014-01-27
    Issue Date: 2014-04-02 15:47:04 (UTC+8)
    Publisher: National Central University (國立中央大學)
    Abstract (translated from Chinese): Botnets have grown ever larger. Early botnets used the IRC (Internet Relay Chat) protocol to take control of bot clients and then used them to paralyze networks or to commit illegal acts for large profit, for example launching denial-of-service attacks (DDoS), sending junk/advertising mail (spam), stealing data, and so on. Because early botnets commonly used IRC as their main communication protocol, the early defense was simply to reject all IRC packets. In response to that defense, botnets gradually evolved: since most computer use today consists of web browsing, HTTP on port 80 is a protocol and packet type that every computer must accept, and so web-based botnets built on HTTP/port 80 emerged. Botnet infection can therefore no longer be prevented by refusing the protocol the botnet uses, and the botnets that have appeared recently are predominantly web-based.
    This thesis aims to locate the server address (IP address) of a web-based botnet's command-and-control (C&C) server. Building on an understanding of botnets, the research develops an analysis module. The module first compares the communication behavior between bot clients and the C&C server with the communication behavior between a normal web server and its users. The comparison examines the differences in packet information between the two kinds of communication, including the average packet size in bytes per unit time, the access count, and the number of repeated accesses within the same time segment, among others. Based on the observed figures, baseline values are then set to separate normal network traffic from abnormal botnet communication traffic. To bring the analysis closer to real results, traffic log files from a real environment were collected and the analysis module was applied to them to find the network addresses of web-based botnet C&C servers (relay stations).
    Abstract (English): Up to now, botnets have been growing rapidly and strongly. In the past, botnets worked through the IRC (Internet Relay Chat) protocol to manipulate bot clients and used those clients to paralyze the Internet or to gain tremendous profit from illegal operations such as DDoS, spam, traffic sniffing, etc. Since IRC was the key communication protocol for botnets, the best way to prevent them was to deny all IRC packets. But these days the main activity of all users is surfing websites, so users can't deny all Internet traffic to defend against botnets. Therefore botnets have evolved into web-based botnets, because users will accept all Internet (HTTP/port 80) traffic. That is, we can no longer defend against web-based botnets by refusing IRC traffic, which is why web-based botnets have emerged recently.
    The objective of this thesis is to find the C&C server IP address of a web-based botnet. The analysis modules are developed from knowledge of botnets and from comparing the communication pattern between bot clients and the C&C server with that between a web server and its users, by observing differences in the communication pattern and in packet information such as the average bytes of packets, the access count and the number of accessing host groups within a unit of time, etc. Further, by referring to these data, we can provide a baseline value to distinguish normal from abnormal web traffic. In sum, to obtain real-world results, we collect real traffic and use our modules to find the C&C server IP addresses of web-based botnets.
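The abstract describes the comparison only in words; the following is an added illustration of that feature-and-baseline approach, written for this page and not the thesis's own code. It builds constructed HTTP flow records, computes per-server average bytes, access count and a consecutive-segment repeat ratio, and applies assumed baseline thresholds (the threshold values are placeholders, not figures from the thesis).

```python
from collections import defaultdict
from statistics import mean

def constructed_flows():
    """Constructed sample records (time in s, client IP, server IP, bytes); not real data."""
    flows = []
    # Three infected clients poll the same server once per 60 s segment with a small fixed request.
    for client in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
        for slot in range(10):
            flows.append((slot * 60 + 5, client, "198.51.100.7", 312))
    # Ordinary browsing of a real web server: bursty, large, not repeated segment after segment.
    for t, client, size in [(3, "10.0.0.11", 14820), (7, "10.0.0.11", 61233),
                            (9, "10.0.0.11", 2048), (130, "10.0.0.12", 33100),
                            (131, "10.0.0.12", 8800), (400, "10.0.0.13", 120500)]:
        flows.append((t, client, "203.0.113.10", size))
    return flows

def server_features(flows, window=60):
    """Per-server features named in the abstract: average bytes, access count, and
    how often the same client comes back in the very next time segment."""
    recs = defaultdict(list)
    for t, client, server, size in flows:
        recs[server].append((t // window, client, size))
    feats = {}
    for server, rows in recs.items():
        pairs = {(client, slot) for slot, client, _ in rows}
        repeats = sum(1 for client, slot in pairs if (client, slot + 1) in pairs)
        feats[server] = {
            "access_count": len(rows),
            "avg_bytes": mean(size for _, _, size in rows),
            # 1.0 means every (client, segment) pair was seen again in the following segment
            "repeat_ratio": repeats / len(pairs),
        }
    return feats

def c2_candidates(feats, max_avg_bytes=1000, min_repeat_ratio=0.7, min_access=10):
    """Assumed baseline thresholds: small, frequent, regularly repeated requests to one
    server look like bot polling rather than browsing. Tune them from observed traffic."""
    return sorted(s for s, f in feats.items()
                  if f["avg_bytes"] <= max_avg_bytes
                  and f["repeat_ratio"] >= min_repeat_ratio
                  and f["access_count"] >= min_access)

if __name__ == "__main__":
    f = server_features(constructed_flows())
    for server, v in f.items():
        print(server, v)
    print("C&C candidates:", c2_candidates(f))
```

On real logs the thresholds would be set from the baseline of known-good web traffic, and any flagged server is a candidate for analyst review, not a verdict.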
    Appears in Collections:[Graduate Institute of Computer Science and Information Engineering] Electronic Thesis & Dissertation

    Files in This Item: index.html (HTML, 0 KB)

