NCU Institutional Repository - theses and dissertations, past exam papers, journal articles, research projects and more for download: Item 987654321/63530


    Please use this permanent URL to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/63530


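    Title: Detect Web-Based Botnet according to Bot communication traffic
    Author: Chang, Ya-Ching (張雅晴)
    Contributor: Department of Computer Science and Information Engineering
    Keywords: botnet (殭屍網路); botnet detection (偵測疆屍網路); web-based botnet
    Date: 2014-01-27
    Upload time: 2014-04-02 15:47:04 (UTC+8)
    Publisher: National Central University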
    Abstract (translated from the Chinese): Botnets are growing ever larger.
    Early botnets took control of bot clients through the IRC (Internet Relay
    Chat) protocol and then used them to paralyze networks or to carry out
    illegal activities for high profit, for example launching distributed
    denial-of-service (DDoS) attacks, sending spam and advertising mail,
    stealing data, and so on. Because early botnets generally used IRC as
    their main communication protocol, the early defense was simply to refuse
    all IRC packets. Botnets gradually evolved in response to this defense:
    since computers today are used mostly for web browsing, HTTP on port 80 is
    a protocol and traffic that every computer accepts, which led to web-based
    botnets built mainly on HTTP/port 80. As a result, botnet infection can no
    longer be prevented by refusing the communication protocol the botnet
    uses, and the botnets that have emerged recently are mainly web-based.
    This thesis aims to find the IP addresses of the relay (C&C) servers of
    web-based botnets. The research method builds on an understanding of
    botnets to develop analysis modules. The modules first compare the
    communication behaviour between bot clients and the C&C server with the
    communication behaviour between a normal web server and its users. The
    comparison observes differences in the packet information of the two kinds
    of communication, including the average packet size in bytes per unit
    time, the access count, the number of repeated accesses within the same
    time period, and so on. Then, with reference to the observed data,
    baseline values are set to distinguish normal network traffic from
    abnormal botnet communication traffic. To bring the analysis closer to
    real results, traffic logs from a real environment are collected and the
    analysis modules are then used to find the network addresses of the C&C
    servers (relay stations) of web-based botnets.

    Abstract (English): Botnets have been growing rapidly and strongly.
    In the past, botnets worked through the IRC (Internet Relay Chat)
    protocol to manipulate bot clients and used them to paralyze the
    Internet or to gain tremendous profit from illegal operations such as
    DDoS, spam, traffic sniffing, etc. Since IRC was the key communication
    protocol for botnets, the best way to prevent them was to deny all IRC
    packets. These days, however, the main activity of all users is surfing
    websites, and users cannot deny all Internet traffic to defend against
    botnets. Botnets have therefore evolved into web-based botnets, because
    users will accept all Internet (HTTP/port 80) traffic. That is, we can no
    longer defend against web-based botnets by refusing IRC traffic, which is
    why web-based botnets have emerged recently.
    The objective of this thesis is to find the C&C server IP addresses
    of web-based botnets. The analysis modules are developed from
    knowledge of botnets and from comparing the communication pattern
    between bot clients and the C&C server with that between a web server
    and its users. We observe the differences in communication patterns and
    in packet information such as the average bytes of packets, the access
    count, and the number of access host groups within a unit of time, etc.
    Further, by referring to these data, we are able to provide a baseline
    value to distinguish normal from abnormal web traffic. In sum, to get
    real-world results, we collect real traffic and use our modules to find
    the C&C server IP addresses of web-based botnets.
    Appears in collections: [Graduate Institute of Computer Science and Information Engineering] Theses and dissertations

    Files in this item:

    File: index.html | Description: | Size: 0Kb | Format: HTML | Views: 433


    All items in NCUIR are protected by original copyright.
