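Author (Chinese): 趙慕文
Author (English): Chao, Mu-Wen
Thesis title (Chinese): 一個利用蜜罐針對區域網路內部殭屍網路的入侵檢測系統
Thesis title (English): An Intrusion Detection System Using Honeypot against Botnet in Local Area Networks.
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Oral examination committee (Chinese): 曾文貴
吳育松
Oral examination committee (English): Tzeng, Wen-Guey
Wu, Yu-Sung
Degree: Master's
Institution: National Tsing Hua University
Department: Department of Computer Science
Student ID: 102062594
Year of publication (ROC calendar): 107
Graduation academic year: 106
Language: English
Number of pages: 24
Keywords (Chinese, translated): botnet; intrusion detection system; honeypot; port scan
Keywords (English): botnet; IDS; honeypot; TCP; port scan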
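Botnets have long played the role of a threat throughout the development of computer and network technology. With the arrival of the Internet of Things era, it is foreseeable that many electronic devices with weak self-defense capabilities will join local area networks. In such an environment, if someone adds a device already infected with botnet malware to the local area network, then, because firewall detection of traffic inside the LAN is generally more lenient, the network may well be infected across the board without users noticing, harming users' interests. We therefore applied the honeypot concept and set up a device within the LAN dedicated to intrusion detection, focusing on detecting botnet port scanning performed through the handshake of the TCP protocol. When a handshake packet is captured, it is checked against the system's whitelist; if it does not match, a warning with the packet information is displayed so that the user can respond.
The system is composed of several open-source programs and Python programs. Because it requires few system resources and its detection behavior is highly specific and simple, it is well suited to serve as a plug-in for other intrusion detection or intrusion prevention systems, or as a component of a protection system.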
As computer technology has developed by leaps and bounds, the damage caused by malware has become much more serious than before. One of the most notorious kinds of malware is the botnet. The greatest danger is that, once you are infected without noticing, it updates automatically and your computer becomes one of the sources of infection. Being changeable, elusive and able to spread, botnets have been a major problem for decades. We try to counter the botnet by making use of a habit it can hardly stop.
In this thesis, we implement an IDS that can detect a botnet when it is trying to spread. The reason we did not try to design an IPS against botnets is that an IDS can only resist malware that it has seen before. Contrary to what is expected, botnets change so quickly that a system relying only on an intrusion detection system will frequently be in the window period between a new virus being generated and it being cracked. So the IDS we implement is focused on detecting the propagation of botnets. It uses a production honeypot that focuses on detecting port scans that should not appear in a LAN, which gives an accurate, fast, and effective defense against any botnet that wants to spread actively. Because the system uses open-source applications to simulate the situation and successfully achieves the goal we expected, it is also scalable and easy to combine with other IDSs and IPSs.
We think this system will be quite practical once smart appliances have spread to most families, because most of them cannot resist the threat of botnet intrusion.
List of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Motivation
1.2 Organization
Chapter 2 Background
2.1 Botnet
2.1.1 Types of Botnet
2.1.2 Behaviors of Botnet
2.1.3 Purposes of Botnet
2.1.4 Botnet detection
2.2 Intrusion-detection system
2.3 Honeypot
2.3.1 Production honeypot
2.3.2 Research honeypot
2.3.3 Pure honeypot
2.3.4 High-interaction honeypot
2.3.5 Low-interaction honeypot
2.4 Software-Defined Networking
Chapter 3 Related work
3.1 Mininet
3.2 Wireshark
3.3 Snort
3.4 Scapy
Chapter 4 Design Architecture and Implementation
4.1 IDS architecture
4.2 Simulating environment
4.3 Experiment result
Chapter 5 Discussion
Chapter 6 Conclusion
6.1 Conclusion
6.2 Future Work

(The full text of this thesis is not authorized for open access)