Research on Key Technologies for Combating Botnets
Published: 2018-04-24 02:00
Topic: botnet + detection; Source: Beijing University of Posts and Telecommunications, 2014 doctoral dissertation
[Abstract]: Botnets, large-scale coordinated attack networks characterised by rapid evolution, strong concealment, difficulty of removal and enormous harm, have become one of the greatest threats to today's Internet. How to combat botnets effectively has long been a hot and difficult topic in academic research. This thesis first surveys the definition, evolution, classification, harm, working mechanisms and new trends of botnets and introduces the mainstream technologies, methods and development trends of current botnet detection and countermeasures; it then focuses on botnet-combating technology from three aspects: detection, countermeasures and suppression.

Botnet detection: Targeting the characteristics of botnet command-and-control (C2) systems, the thesis analyses the strengths and weaknesses of mainstream botnet detection methods at home and abroad and proposes a botnet detection method based on multi-dimensional feature vectors. The method first builds a detection model for botnet communication-state transitions using Markov chains, a detection model for the self-similarity of botnet nodes using multivariate statistics and cluster analysis, and a detection model for the characteristics of encrypted botnet data streams using entropy estimation theory, and on the basis of these botnet-specific features designs a multi-dimensional feature-vector extraction algorithm. Next, borrowing the idea of cooperative detection, it studies the performance of six base classifiers (naive Bayes, support vector machine, J48, Rotation Forest, PART and back-propagation neural network) and uses a least-squares estimation algorithm to build a combined botnet decision classifier on top of them. Finally, detection experiments on the ISOT dataset verify that the combined classifier achieves a higher correct detection rate than any single classifier.

Botnet countermeasures: First, a communication model of the botnet C2 system based on an extended finite state machine is established, black-box fuzzing of botnet server programs is studied, and a state-transition-driven test case generation model is proposed. The model first studies an algorithm for traversing effective test paths through the network states to obtain the state-transition sequences that can trigger vulnerabilities, then generates mutation factors for the original test vectors by combining dynamic and static methods; it then gives the test-vector generation and mutation model and algorithms, obtaining high-quality test vectors. To improve test efficiency and coverage, a fitness function based on risk state-transition flows and its implementing algorithm are designed, and the idea of genetic algorithms is used to guide the test vectors to evolve step by step into high-quality test cases, increasing the probability of discovering vulnerabilities. Second, the thesis focuses on the vulnerability of botnet topologies: it finds that the semi-distributed botnet networking mode is subject to cascading failures, proposes a cascading-failure countermeasure strategy based on botnet bridge nodes, builds a cascading-failure model of bridge nodes on the basis of the complex-network load-capacity model, completes the corresponding theoretical analysis and numerical simulation, and verifies the effectiveness of the strategy by simulation. Third, in the form of case studies, it presents countermeasure techniques for vulnerability discovery in the Bagle-CB FTP server, cascading failure of the peer-to-peer C2 servers of an Eggdrop bot variant, and pre-emptive domain registration against Zuesbot.

Botnet suppression: First, on the basis of the two-factor propagation model for network worms, combined with the scale-free property of complex networks and APT attack methods, the SAPM botnet propagation model is proposed; the propagation dynamics of APT-based botnets in a complex-network environment are analysed and the optimal suppression strategy is derived theoretically. Second, the propagation characteristics of APT-based botnets are analysed, a propagation-suppression strategy is proposed, and it is pointed out that innovating vulnerability-testing algorithms for document-format processing software in Linux/Unix environments and developing the corresponding security testing tools is the core link in suppressing the propagation of such botnets. Third, taking advantage of the fact that most software handling the various file formats on Linux/Unix systems is open source, the shortcomings of the theory and techniques of dynamic vulnerability testing of binary programs are studied in depth; a construction method for symbolic models of program path constraints and the PWA coverage testing algorithm are designed, and the white-box EWFT prototype tool is implemented. Experiments verify that the PWA algorithm outperforms the internationally popular SAGE testing algorithm and that EWFT detects multiple types of vulnerabilities more effectively, providing active defence against APT-based botnets.

Engineering implementation: The thesis outlines the design concept, architecture, functional modules and key technologies of a cloud-computing-based botnet monitoring and mitigation prototype system. The system makes full use of the strong computing power and wide node distribution of the Apache Spark cloud platform to implement botnet detection, monitoring, countermeasures and suppression, and has achieved good social benefits in practical application.

The main innovative work of the thesis is summarised as follows:

1) To address the limitation that existing content-based and flow-feature-based detection methods are constrained by protocol and struggle against encryption and obfuscation, the thesis establishes a botnet communication-state-transition detection model, a node-naming similarity detection model and an encrypted-communication entropy-estimation detection model, extracts multi-dimensional feature vectors reflecting typical botnet characteristics (state transitions, identity recognition and encrypted sessions), and constructs a combined classifier based on the least-squares estimation algorithm, obtaining satisfactory detection results.

2) For the botnet C2 communication model based on an extended finite state machine, a state-transition-driven test case generation model is proposed and black-box fuzzing of botnet server programs is studied, improving the capability of protocol-analysis-based vulnerability discovery in botnet server programs.

3) The cascading-failure defect of the semi-distributed botnet networking mode is discovered; a cascading-failure countermeasure strategy based on botnet bridge nodes is proposed; a cascading-failure model of bridge nodes is built on the basis of the complex-network load-capacity model; the corresponding theoretical analysis and numerical simulation are completed, and simulation verifies the effectiveness of the strategy, opening a new direction for research on botnet countermeasures.

4) For the propagation characteristics of APT-based botnets, the SAPM botnet propagation model is established and its dynamics are analysed in a complex-network environment, making clear that innovating vulnerability-testing algorithms for open-source document-format processing software in Linux/Unix environments and developing a corresponding white-box fuzzing tool is the core link in suppressing the propagation of such botnets. Finally, the PWA coverage testing algorithm is designed and the EWFT prototype tool is implemented. Experiments verify that the PWA algorithm outperforms the internationally popular SAGE testing algorithm and effectively improves test coverage of the program execution path space and the depth of path testing.
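As an added illustration of the entropy-estimation detection model named in the abstract (example code written for this page, not the thesis's own implementation), the block below computes a per-flow feature from payload byte entropy. The abstract does not say which estimator the thesis used; this example assumes the Miller-Madow bias-corrected Shannon estimator, an assumed 7-bit threshold, and constructed sample flows standing in for plaintext and encrypted traffic.

```python
import math
import random
from collections import Counter


def shannon_entropy_bits(data: bytes) -> float:
    """Plug-in (maximum-likelihood) Shannon entropy of a byte string, bits per byte."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def miller_madow_entropy_bits(data: bytes) -> float:
    """Bias-corrected estimate: plug-in entropy + (m - 1) / (2 n ln 2), with m the
    number of distinct byte values observed. Short payloads make the plug-in
    estimator underestimate entropy; this correction reduces that bias."""
    n = len(data)
    if n == 0:
        return 0.0
    m = len(set(data))
    return shannon_entropy_bits(data) + (m - 1) / (2.0 * n * math.log(2))


def encrypted_flow_features(payloads, threshold_bits=7.0):
    """Per-flow feature pair to feed a classifier: mean bias-corrected entropy over
    the flow's non-empty payloads and the fraction of payloads above threshold_bits
    (threshold is an assumed value, not one stated in the abstract)."""
    estimates = [miller_madow_entropy_bits(p) for p in payloads if p]
    if not estimates:
        return 0.0, 0.0
    mean = sum(estimates) / len(estimates)
    high = sum(1 for e in estimates if e > threshold_bits) / len(estimates)
    return mean, high


# Constructed sample flows (not captured traffic): plaintext-style request lines
# versus pseudo-random bytes standing in for an encrypted channel.
PLAINTEXT_FLOW = [
    b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    b"GET /news/today HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
]
_rng = random.Random(20140101)  # fixed seed so the constructed data is reproducible
CIPHERTEXT_FLOW = [bytes(_rng.getrandbits(8) for _ in range(512)) for _ in range(4)]

if __name__ == "__main__":
    print("plaintext  mean/fraction:", encrypted_flow_features(PLAINTEXT_FLOW))
    print("ciphertext mean/fraction:", encrypted_flow_features(CIPHERTEXT_FLOW))
```

In practice the entropy feature is only one column of the multi-dimensional vector; compressed but unencrypted payloads also score high, which is why the abstract combines it with state-transition and node-similarity features before classification.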
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Doctorate
[Year of award]: 2014
[Classification number]: TP393.08
Article ID: 1794613
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1794613.html