摘要 一般對於惡意程式(Malicious Software;Malware)之定義為:任何惡意、未經授權、不符合預期的程式。本研究的目的在於分析網路上惡意程式的活動(意指網路上駭客攻擊的行為),藉由分析的結果,可以讓資訊安全人員瞭解目前惡意程式的攻擊行為與意圖,並且擬定因應的措施以確保網路安全。 本研究為了收集網路入侵的資料,將入侵偵測系統放置於某企業防火牆之外,讓入侵偵測系統可以蒐集到該企業防火牆對外網路進出的流量,資料分析的期間為2004年12月與2005年3、4、6月共計四個月。本研究對於分析網路上惡意程式的活動,設計了一套分析的流程,主要分為以下四個步驟:(1)入侵偵測系統收集資料,(2)過濾與儲存資料,(3)分割與處理資料,(4)資料分析。 透過入侵偵測系統之管理程式與本研究所設計的輔助分析程式,能夠以不同面向來分析攻擊的時間特性、攻擊的空間特性、攻擊者與被攻擊的目標之相關特性,藉以瞭解攻擊者的行為特性、攻擊的類型、攻擊的來源、攻擊之目的、攻擊的目標、最後得知攻擊的工具與方式。本研究根據資料分析的結果,發現以下的現象:(1)駭客會對目標系統作持續性或重覆性的攻擊行為;(2)Netbios的相關攻擊是大多數攻擊者最常使用的攻擊方式; (3)駭客的主要攻擊目的是造成目標系統與網路無法正常提供應有的服務;(4)駭客可能會透過某些工具得知目標主機開啟的通訊埠,並且以同樣的方式攻擊Windows與非Windows作業系統的主機。 Abstract This thesis presents an empirical study of the activities of malicious software, which is referred as any malicious, unauthorized, or unexpected program or code, to help network security specialists to understand the network attacks caused by this kind of software and thus be able to setup appropriate plans to ensure network security. To get the realistic attack data, we set up a Snort IDS (Intrusion Detection System) outside of a company’s firewall to collect the attack packets coming from Internet. The collecting time period were four months (December of 2004, and March, April and June of 2005). By the management system of IDS and the aided analysis program which was designed for this study, we can analyze the characteristics of attack time, attack source, attack victim. We also can infer the attack tools used by hackers. We found some interesting phenomenon in this study: (1)Hackers would try to attack some target system continuously and repeatedly, (2) netbios attack is the most frequent way that used by hackers, (3)most hackers try to cause the target system and network service unavailable. (4) hackers may use some tools to get the available ports of target system, and use the same way to attack windows and non-windows system.
