隨著網際網路的蓬勃發展,以Botnet為主的網路犯罪及攻擊活動以逐漸成為網路資訊安全上的重大議題。Botnet可以是木馬程式、後門及蠕蟲等三種惡意程式的其中一種型態,或結合三種惡意行為出現的一種新型態的攻擊活動,因此並不容易被偵測。在研究相關偵測的方法上,目前都有其本身偵測方法的優點與缺點。 為了能夠有效的偵測出Botnet,本論文以實作架設仿真網路環境。同時藉由實際的活動行為,將Botnet的生命週期分為四個階段來模擬並觀察活動的行為模式。並使用以網路行為關聯性的分析方法,來偵測區域網路內Botnet活動的網路行為特徵。從研究上我們發現病毒本身的特徵容易變化,但病毒的網路活動行為特徵卻不容易改變,也就是說即使特徵改變了但行為特徵並未隨特徵碼改變。因此本論文使用網路行為關聯性來分析出Botnet行為特徵,同時採用本論文所設計的偵測機制來偵測區域網路內的Botnet活動。Along with the flourishing development of Internet, many network crimes and malicious attacking activities base on Botnet become a major issue in network security. The Botnet can be either one of backdoors, Trojan horses, and worms or a new form of malicious code that combines those three types. Therefore, it is hard to be detected. The existing researches of detecting method have their own advantages and disadvantages. In order to detect Botnet effectively, we build up an emulable network environment to observe real Botnet activities, and divide the life cycle of Botnet into four different stages to simulate and observe behaviors of its activities. In the same time, we use the correlation of network behavior to detect Botnet activities and their characteristics in LAN network. Eventfully, we found that even the binary code of bot is changed easily, the characteristics of its network behavior is not easy to change. In other words, the change of characteristics doesn’t always come along with the change of bot code. In this research, we analyze the characteristic of Botnet by using correlation of network behavior and using the detection scheme we designed to detect the Botnet activities in LAN network.
