Research on a P2P Botnet Detection Method Based on Flow Feature Vector Recognition
Published: 2018-11-15 15:20
[Abstract]: Botnets are widely regarded as one of the most serious threats to network security. A botnet is a platform built by spreading conventional malicious code (viruses, worms, Trojans) through a network, locating vulnerable hosts, bringing them under the attacker's control network, and then using those hosts to mount large-scale attacks. Because a botnet is far stealthier and more destructive than an ordinary network attack, it has become the most widespread form of network attack in recent years.
Early botnets were mainly of two kinds, IRC-based and HTTP-based. Both relied on nodes with central control to distribute command-and-control (C&C) messages and to recruit vulnerable hosts into the network, and both carried control traffic over fixed ports and protocols (with specific strings embedded in the protocol). Researchers have therefore shown that such botnets can be identified efficiently by monitoring specific ports and matching specific strings in the protocol. With the development of P2P technology and of botnets themselves, P2P botnets emerged. They decentralize botnet control, removing the traditional dependence on a central node for C&C distribution, and so make botnet detection considerably harder.
Current P2P botnet detection methods fall into four categories: host-based, traffic-based, protocol-feature-based and behavior-feature-based. Host-based detection looks for malicious code and suspicious activity on the monitored hosts; it works well for P2P botnets that retain central nodes but has a high false-positive rate for other kinds of P2P botnet. The protocol-feature and behavior-feature approaches detect P2P botnets by identifying the communication protocol and the application-layer characteristics respectively; they perform well against botnets that use a specific protocol but generalize poorly. Traffic-based detection analyzes the characteristics and patterns of the traffic in the monitored network to distinguish P2P botnet flows from other flows, and gives good results, but existing methods do not analyze the dynamic characteristics that P2P botnets exhibit during communication.
Building on this prior work, this thesis targets those dynamic characteristics of P2P botnet communication and proposes a detection method based on flow feature vector recognition. Since the great majority of flows in a network are benign, and their sources or destinations cannot be botnet attack nodes, we first preprocess the traffic with a packet filter driven by blacklists, whitelists and greylists. Combined with a port rule base and a library of protocol feature fields, this filters out the flows of known standard protocols and marks the nodes whose remaining traffic is suspicious. The preprocessing reduces the number of samples to analyze by orders of magnitude and makes it practical to build botnet flow feature vectors. We then group the flows by source and destination and analyze four features, the packet rate, the rate of change of the packet rate, the byte rate and the rate of change of the byte rate, both along the time axis of each flow (horizontally) and across flows (vertically). Using the feature thresholds for each class of flow obtained in validation experiments, the flows are classified a second time, which identifies the class of nodes that exhibit botnet characteristics and achieves good detection results.
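The pipeline the abstract describes (grey-list pre-filtering driven by name lists, a port rule base and protocol marker strings, then per-flow packet/byte rates and their rates of change, then a threshold-based second classification across each node's flows) is shown below as an added Python illustration. It is not the thesis's own code: the list contents, port rules, marker strings, thresholds and the packet sample are all hypothetical and constructed here, and the thesis derives its real thresholds from its validation experiments.

```python
"""Added illustration of the two-stage detection pipeline described in the abstract
(grey-list pre-filtering, then flow rate features and threshold classification).
Hypothetical rule bases, thresholds and constructed packets; not the thesis's own code."""
from collections import defaultdict
from statistics import mean
from typing import NamedTuple

class Packet(NamedTuple):
    ts: float       # capture time in seconds
    src: str
    dst: str
    dport: int
    size: int       # bytes on the wire
    payload: bytes  # leading application-layer bytes

# Stage 1: black/white/grey lists, port rule base and protocol feature fields (hypothetical)
BLACKLIST = {"198.51.100.7"}    # known C&C peers: always retained
WHITELIST = {"192.0.2.10"}      # trusted servers: discarded outright
PORT_RULES = {25, 53, 80, 443}  # ports owned by well-known protocols
PROTO_SIGNATURES = (b"GET ", b"POST ", b"HTTP/1.", b"EHLO ")  # marker strings

def prefilter(packets):
    """Keep only grey-list packets: not trusted and not an identified standard protocol."""
    kept = []
    for p in packets:
        if p.src in WHITELIST or p.dst in WHITELIST:
            continue
        if p.src in BLACKLIST or p.dst in BLACKLIST:
            kept.append(p)
            continue
        # A well-known port alone is not enough: the payload must also carry the
        # protocol's marker, otherwise this may be C&C hiding on port 80/443.
        if p.dport in PORT_RULES and p.payload.startswith(PROTO_SIGNATURES):
            continue
        kept.append(p)
    return kept

# Stage 2: per-flow rate features along the time axis
WINDOW = 1.0  # seconds per measurement window

def flow_features(packets, window=WINDOW):
    """Per (src, dst) flow: mean packet rate, mean |change in packet rate|,
    mean byte rate and mean |change in byte rate| over consecutive windows."""
    buckets = defaultdict(dict)  # flow -> window index -> [packets, bytes]
    for p in packets:
        b = buckets[(p.src, p.dst)].setdefault(int(p.ts // window), [0, 0])
        b[0] += 1
        b[1] += p.size
    feats = {}
    for flow, wins in buckets.items():
        span = range(min(wins), max(wins) + 1)  # idle windows count as zero rate
        pr = [wins.get(i, (0, 0))[0] / window for i in span]
        br = [wins.get(i, (0, 0))[1] / window for i in span]
        dpr = [abs(b - a) for a, b in zip(pr, pr[1:])] or [0.0]
        dbr = [abs(b - a) for a, b in zip(br, br[1:])] or [0.0]
        feats[flow] = (mean(pr), mean(dpr), mean(br), mean(dbr))
    return feats

# Stage 3: threshold classification across each node's flows.
# Hypothetical thresholds; the thesis derives its values from validation experiments.
MAX_PKT_RATE = 5.0       # packets/s: P2P keep-alive traffic is low-rate ...
MAX_PKT_CHANGE = 1.0     # packets/s between windows: ... and steady
MAX_BYTE_CHANGE = 100.0  # bytes/s between windows
MIN_PEERS = 3            # the same steady profile toward several peers

def classify_nodes(feats):
    """Sources with the steady profile toward >= MIN_PEERS distinct peers,
    plus any source that talks to a blacklisted address."""
    steady_peers = defaultdict(set)
    flagged = set()
    for (src, dst), (pr, dpr, _br, dbr) in feats.items():
        if src in BLACKLIST or dst in BLACKLIST:
            flagged.add(src)
        if pr <= MAX_PKT_RATE and dpr <= MAX_PKT_CHANGE and dbr <= MAX_BYTE_CHANGE:
            steady_peers[src].add(dst)
    flagged.update(s for s, peers in steady_peers.items() if len(peers) >= MIN_PEERS)
    return flagged

def constructed_sample():
    """Constructed packets (one bot, one ordinary host); not captured traffic."""
    pkts = []
    # Bot 10.0.0.5: a 60-byte keep-alive every 0.5 s for 4 s to each of three peers.
    for peer in ("10.0.0.21", "10.0.0.22", "10.0.0.23"):
        pkts += [Packet(k * 0.5, "10.0.0.5", peer, 12345, 60, b"\x01\x02") for k in range(8)]
    # Host 10.0.0.8: HTTP on port 80 (dropped by port rule plus signature), a bursty
    # TLS download (no TLS signature in this rule base, so it stays grey), and a DNS
    # query to the whitelisted resolver (discarded in stage 1).
    pkts += [Packet(k * 0.1, "10.0.0.8", "203.0.113.6", 80, 500, b"GET / HTTP/1.1") for k in range(5)]
    pkts += [Packet(k * 0.05, "10.0.0.8", "203.0.113.5", 443, 1400, b"\x16\x03\x01") for k in range(20)]
    pkts += [Packet(2.0 + k * 0.4, "10.0.0.8", "203.0.113.5", 443, 1400, b"\x17\x03\x03") for k in range(2)]
    pkts.append(Packet(0.3, "10.0.0.8", "192.0.2.10", 53, 80, b"\x12\x34"))
    return pkts
```

Running `classify_nodes(flow_features(prefilter(constructed_sample())))` returns `{'10.0.0.5'}`: the bot's three peer flows each come out as (2.0, 0.0, 120.0, 0.0), i.e. two packets and 120 bytes per second with no change between windows, while the ordinary host's remaining grey flow is bursty (packet rate jumps from 20 to 0 to 2 across windows) and reaches only one peer. Note the two places where the stage-1 design matters in practice: a well-known port is only trusted together with its protocol marker, so C&C tunnelled over port 80 is not silently dropped, and every protocol the rule base does not know (here TLS) survives into the grey set, which is the intended behaviour but also why the rule base needs to be kept current to keep the sample count small.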
[Degree-granting institution]: Ocean University of China (中国海洋大学)
[Degree]: Master's
[Year awarded]: 2014
[Classification number]: TP393.02
Article number: 2333669
Link: https://www.wllwen.com/guanlilunwen/ydhl/2333669.html