Class of 98 - 郭權緯 - Constructing an HTTP-Botnet Defense Mechanism with a P2P Firewall

[ Abstract ]
In recent years, botnets have been on the rise; without a corresponding solution, increasingly serious malicious attacks are bound to occur in the future. HTTP botnets use the HTTP protocol: by riding on ordinary HTTP traffic on port 80, they conceal themselves and pass through firewalls and IDS systems unhindered.
This study uses a repeated standard deviation method to detect HTTP bot connections, then shares the detection results over a JXTA P2P network; users apply a list filtering mechanism to compare packets against those results.
By exchanging information over P2P, users already infected with an HTTP bot can identify the connections between the HTTP server and the bot, and uninfected users can use this information as a comparison sample: when a new packet arrives, they can judge whether it is a malicious connection, achieving the goal of joint defense. The list filtering mechanism ensures that packets repeatedly entering a computer are compared against the blacklist only the first time. Transmitting over P2P reduces deployment cost and also makes the whole network more resilient.

[ English Abstract ]
The scale of botnets on the Internet has kept increasing in recent years. Without a corresponding solution, more serious and malicious attacks will follow. An HTTP botnet uses the HTTP protocol: by riding on ordinary HTTP traffic on port 80, its activity is not only hidden more easily but also passes through firewalls and IDS systems undetected.
In this study, we use the Repeatability Standard Deviation method to detect botnet connections within the HTTP protocol. We then use the JXTA P2P network to share the detection results, and users compare their traffic against the lists of the filtering mechanism.
By exchanging the detected information over P2P, users who have been infected can identify the connections to HTTP botnet servers, and uninfected users can use this information as a comparison sample: when new packets arrive, they can determine whether the connections are malicious, achieving co-defense. The lists of the filtering mechanism allow duplicate packets entering a computer to be compared against the large blacklist only once. By using the P2P technique, we not only decrease the implementation cost but also make the network more resilient.
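The detection and list-filtering ideas described in both abstracts, as an added illustration that is not the thesis' own code: the standard deviation of connection intervals per destination flags near-constant beaconing, and a blacklist filter compares each destination only once while accepting results shared by peers. The sample connections, the thresholds and this particular reading of the standard-deviation method are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample of outbound HTTP connections as (timestamp_seconds, destination).
# "c2.example" is contacted every 60 s (bot-like beaconing); the others are irregular.
CONNECTIONS = [
    (0, "c2.example"), (5, "news.example"), (17, "news.example"),
    (60, "c2.example"), (95, "news.example"), (120, "c2.example"),
    (180, "c2.example"), (200, "cdn.example"), (240, "c2.example"),
    (300, "news.example"), (310, "news.example"), (400, "cdn.example"),
]

def interval_std(timestamps):
    """Population standard deviation of the gaps between consecutive connections."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return statistics.pstdev(gaps)

def detect_bot_connections(records, min_conns=4, max_std=2.0):
    """Flag destinations contacted at a near-constant rhythm.

    Assumed reading of the thesis' standard-deviation method: a destination
    contacted repeatedly with very low interval deviation is treated as bot
    traffic. Returns {destination: interval_std} for flagged destinations.
    """
    by_dst = defaultdict(list)
    for ts, dst in records:
        by_dst[dst].append(ts)
    flagged = {}
    for dst, ts in by_dst.items():
        if len(ts) < min_conns:          # too few samples to judge periodicity
            continue
        spread = interval_std(ts)
        if spread <= max_std:
            flagged[dst] = spread
    return flagged

class ListFilter:
    """Blacklist filter in which each destination is compared against the list only once."""
    def __init__(self, blacklist=()):
        self.blacklist = set(blacklist)
        self.verdicts = {}       # destination -> cached True/False
        self.comparisons = 0     # number of full blacklist lookups performed

    def merge_from_peer(self, shared):
        """Add detections received over the P2P network and drop verdicts they make stale."""
        new = set(shared) - self.blacklist
        self.blacklist |= new
        for dst in new:
            self.verdicts.pop(dst, None)

    def is_malicious(self, dst):
        if dst not in self.verdicts:     # first sighting: compare once, then cache
            self.comparisons += 1
            self.verdicts[dst] = dst in self.blacklist
        return self.verdicts[dst]
```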