| Graduate student: | 彭士家 Shi-Jia Peng |
|---|---|
| Thesis title: | Botnet Victim Detection and Notification based on Openflow Switch (使用Openflow 交換器偵測Botnet 受害者與通知機制) |
| Advisor: | 曾黎明 Li-Ming Tseng |
| Oral defense committee: | |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Department of Computer Science & Information Engineering |
| Academic year of graduation: | 98 |
| Language: | Chinese |
| Number of pages: | 57 |
| Chinese keywords: | Openflow, packet redirection (封包轉向), NetFPGA, botnet (殭屍網路) |
| Foreign-language keywords: | Botnet, Openflow, redirect, NetFPGA |
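As networks continue to develop, data on the network is becoming increasingly important and online transactions increasingly frequent. At the same time, cybercrime has begun to rise, and the botnet is one form of it. In a botnet the attacker stays hidden and has great flexibility, and can control many computers at once.

This thesis takes IRC-protocol botnets as its research subject. It first explains how botnets operate and the problems they pose that are difficult for security personnel to solve. It then introduces the features and advantages of the NetFPGA network card developed by Stanford University and of the OpenFlow project, and explains the efficiency problem of blocking with a Linux gateway. Using the NetFPGA and OpenFlow network designed by Stanford University, this thesis designs a system that uses an OpenFlow switch to detect infected computers. We assume that all normal users browse web pages, and use the OpenFlow switch to redirect the infected computer to a warning page that informs the user of the infection; then, through a network blocking policy, the user is made to understand the necessity and urgency of resolving the infection.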

Over the years, the network has developed quickly and constantly. With the rise of online trade, data on the network has become more and more important. Unfortunately, internet crime, such as the botnet, has risen at the same time and become a big problem. A botnet has hidden attackers and high flexibility, and also the ability to control multiple computers.

This paper describes the IRC-based botnet. First, we explain botnet behavior and the problems that are hard for security officers to solve. Then we introduce the NetFPGA card developed by Stanford University and explain the features and advantages of the OpenFlow project. These devices are used as a Linux gateway to act as an efficient firewall. This paper uses the NetFPGA card and the OpenFlow network project designed by Stanford University to detect bots in the botnet. Assuming that normal users browse the web every day, we use the OpenFlow switch to redirect the bot traffic to a particular page that shows warning information. Then, through a network disconnection strategy, we try to let the user know the necessity and urgency.