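§ Browse Thesis Bibliographic Record
System ID U0002-0107202120080300
DOI 10.6846/TKU.2021.00023
Thesis title (Chinese) Mirai特徵辦識之研究 (A Study of Mirai Characteristic Identification)
Thesis title (English) Research on Mirai Characteristic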
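University Tamkang University
Department (Chinese) 資訊工程學系碩士在職專班 (In-service Master's Program, Department of Computer Science and Information Engineering)
Department (English) Department of Computer Science and Information Engineering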
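Academic year 109
Semester 2
Year of publication 110
Graduate student (Chinese) 蕭亦筑
Graduate student (English) Yi-Ju Hsiao
Student ID 706410023
Degree Master's
Language Traditional Chinese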
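Oral defense date 2021-06-17
Thesis length 50 pages
Oral defense committee Advisor - 蔣璿東 (081863@mail.tku.edu.tw)
Member - 王鄭慈 (ctwang@tea.ntue.edu.tw)
Member - 陳伯榮 (pozung@mail.tku.edu.tw)
Member - 蔣璿東 (081863@mail.tku.edu.tw)
Keywords (Chinese) Mirai病毒 (Mirai virus)
物聯網 (Internet of Things)
殭屍網路 (Botnet)
Keywords (English) Mirai
IoT
Botnet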
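Abstract (Chinese)
With the convenience brought by technological progress, Internet of Things (IoT) devices have long been woven into people's daily lives and are becoming ever more important. From personal wearable devices and smart home appliances such as televisions and refrigerators to the network cameras, smart parking and smart transportation of smart cities, IoT applications are increasingly widespread. As IoT applications diversify, however, their latent problems are gradually surfacing, mainly because IoT devices give little weight to security and privacy and have no mechanism for proactively patching vulnerabilities, which makes them easy targets for attackers, for example through data privacy leakage, eavesdropping, malicious attacks or virus intrusion.
The spread of IoT devices is one of the main reasons botnets have proliferated so quickly; a botnet has command-and-control capability and is used to launch various malicious attacks. Of these, the Mirai botnet has been the best known in recent years. It has by now developed into several families of variants, which have repeatedly used infected IoT devices to launch distributed denial-of-service (DDoS) attacks. To respond effectively to this threat, this thesis proposes a lightweight detection method suitable for IoT devices: a real-time detection system that uses the number of connected IPs to uncover potentially suspicious viruses, so as to stop the virus from spreading to and infecting other IoT devices and to keep them from becoming a source of DDoS attacks.
Because the IoT devices targeted by the Mirai family are mostly built on the Linux operating system, this thesis uses the Ubuntu operating system as the experimental environment so that the experiments match real-world conditions. Mirai-family viruses and ordinary benign programs were each placed in the experimental environment to observe whether the characteristic behaviour of the Mirai virus could be detected from abnormal system-resource states. Different Mirai-family viruses and ordinary benign programs were then used as actual test samples, and the experiments found that in every case it was correctly determined whether the sample was a Mirai-family virus.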
Abstract (English)
The Internet of Things (IoT) has become an increasingly important part of everyday life: from personal wearable devices and smart appliances such as TVs and refrigerators to smart-city webcams, smart parking and smart transportation, IoT applications are everywhere. With the convenience brought by technological advances, IoT applications have diversified, but little attention is paid to security and privacy, and there is no active mechanism for repairing vulnerabilities. IoT devices therefore easily become targets of attack and bring various risks, such as data privacy leakage, eavesdropping, third-party attacks or virus invasion, creating a situation in which any connected device may be attacked.
Botnets, which use command-and-control functions to carry out various malicious activities, are one of the biggest threats accompanying the rapid proliferation of the Internet of Things. Among them, the Mirai botnet has developed several families of variant viruses that have used infected IoT devices to launch DDoS attacks. This paper proposes a lightweight detection method suitable for IoT devices: a real-time detection system that finds suspicious viruses from the number of connected IPs so they can be dealt with, in order to prevent viruses from continuing to infect other IoT devices and to prevent IoT devices from becoming tools for DDoS attacks.
Because the IoT devices targeted by the Mirai family of viruses are mostly built on Linux operating systems, the Ubuntu operating system is used as the experimental environment so that the experiment is close to real conditions. In this paper, Mirai-family viruses and normal programs are put into the experimental environment separately to see whether the characteristic behaviors of Mirai viruses can be detected from abnormal system resources. Then, different Mirai-family viruses and normal programs were used as actual test samples, and in both cases it could be correctly determined whether they were Mirai-family viruses.
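Table of contents
Chapter 1 Introduction
1.1 Research background and motivation
1.2 Research objectives
1.3 Thesis organization
Chapter 2 Related work
2.1 Origin of the Mirai virus
2.2 Mirai variants
2.3 Related research
Chapter 3 Experimental framework
3.1 Problem statement
3.2 Research method
3.2.1 Setting up the experimental environment
3.2.2 Collecting Mirai viruses and studying their characteristic behaviour
3.2.3 Procedure for detecting system-resource anomalies
Chapter 4 Experimental results
4.1 Effect of the viruses on system resources
4.2 Test results of the detection program
Chapter 5 Conclusion and future work
References
Appendix A English paper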

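List of figures
Figure 2.1 Mirai C&C domain names
Figure 2.2 Attack types supported by the original Mirai program
Figure 2.3 Mirai botnet architecture and attack diagram
Figure 3.1 TCP three-way handshake diagram
Figure 3.2 Environment architecture
Figure 3.3 Experimental steps for anomaly detection
Figure 4.1 Firefox IP connection count
Figure 4.2 Zoom IP connection count
Figure 4.3 gPodder IP connection count
Figure 4.4 Mirai1 attempted IP connection count
Figure 4.5 sora1 attempted IP connection count
Figure 4.6 Satori attempted IP connection count
Figure 4.7 Telegram IP connection count
Figure 4.8 YouTube Music IP connection count
Figure 4.9 Remmina IP connection count
Figure 4.10 Mirai2 attempted IP connection count
Figure 4.11 sora2 attempted IP connection count
Figure 4.12 Loligang attempted IP connection count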

List of tables
Table 2.1 Default passwords used in Mirai brute-force attacks
Table 3.1 Types of Mirai-family viruses
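Full-text access rights
On campus
On-campus print copy embargoed until 2026-01-01
Author consents to on-campus release of the electronic full text
On-campus electronic copy embargoed until 2026-01-01
On-campus bibliographic record released immediately
Off campus
Authorization granted
Off-campus electronic copy embargoed until 2026-01-01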
