dc.description.abstract | Up to now, botnets have been growing rapidly and strongly.
In the past, botnets worked through the IRC (Internet Relay Chat) protocol to
control their bot clients and used those clients to paralyze the Internet or to
gain tremendous profit through illegal operations such as DDoS, spam, traffic
sniffing, etc. Since IRC was the key communication protocol for botnets, the
best way to prevent them was to deny all IRC packets. These days, however, the
main activity of all users is surfing websites, so users cannot deny all
Internet traffic in order to defend against botnets. Botnets have therefore
evolved into web-based botnets, because users will accept all Internet
(HTTP/port 80) traffic. That is, we can no longer defend against web-based
botnets by refusing IRC traffic. This is why web-based botnets have emerged
recently.
The objective of this thesis is to find the C&C server IP address of the
web-based botnet. The analysis modules are developed based on knowledge of
botnets and on a comparison of the communication pattern between bot clients
and the C&C server with that between a web server and its users. We observe
the differences in communication pattern and in packet information such as the
average bytes per packet, the access count and the number of accessing hosts
(host group) within a unit of time, etc. Further, by referring to these data, we
are able to provide a baseline value to distinguish normal from abnormal web
traffic. In sum, to obtain real-world results, we collect real traffic and use
our modules to find the C&C server IP addresses of web-based botnets. | en_US |