Botnet Detection Based on Node Degree Distribution and Network Flow Anomalies
Published: 2019-01-02 14:02
[Abstract]: In recent years cybercrime has been rampant and its methods have diversified. Botnets, being the most widely spread, highly efficient and strongly concealed, have become the most frequently used platform for cybercrime and confront Internet security with a very severe challenge. Botnets are used for many kinds of malicious activity, such as distributed denial-of-service attacks, spam, phishing and theft of sensitive information. Botnet detection has therefore become a hot topic in network security research and is of great significance for protecting networks. Botnet detection follows two main directions: building honeynets and honeypots, and passive monitoring of network traffic. At present essentially all research concentrates on traffic monitoring, and the key to passive traffic monitoring is to capture the characteristics of bot traffic accurately. By studying the traffic of several botnets, this thesis summarises the conversation-flow characteristics of botnet traffic and, on that basis, proposes a botnet detection system based on network cells. For the study of botnet conversation flows, network conversation flows are extracted from the packet stream, the number and depth of conversation flows in normal networks and in botnets are compared, and the characteristics of botnet conversation flows are summarised. Using conversation flows, the concept of node "degree" is established; the attack behaviour patterns of bot nodes and the characteristics of command-and-control traffic are analysed; a feature vector characterising bot traffic is proposed; and data-mining strategies are used to model and analyse that feature vector. The network-cell-based detection system is built on a study of normal network cells and botnet cells. Packets with similar properties are aggregated into network cells; combined with the study of botnet conversation flows, the characteristics of botnet cells and normal cells are compared, and four indicators for detecting botnet traffic are proposed: the number of pathological cells, the overall cell-count level, the self-similarity of the network tissue, and the IP dispersion degree of the network tissue. From the anomalies in these four indicators, checked against a diagnosis table, the presence of a botnet is determined. A series of experiments demonstrates the effectiveness and usability of the proposed method, with improved accuracy. The open network-cell model proposed in this method has some pioneering significance for research on botnet detection based on passive traffic monitoring.
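As an added illustration of the conversation-flow and node-degree features the abstract describes (this is example code written for this page, not code from the thesis), the following Python script groups a constructed packet trace into conversations, computes per-host degree, conversation count and mean conversation depth, and flags hosts whose degree is an outlier against the other monitored hosts. The definitions of "conversation", "degree" and "depth", the monitored subnet `10.0.0.0/24`, the z-score rule and the sample traffic are all assumptions made for this example; the thesis's own feature vector, network-cell indicators and diagnosis table are not reproduced.

```python
"""Conversation-flow extraction and node-degree features (constructed example).

Assumed definitions for this illustration (not the thesis's):
  - a conversation is the set of packets exchanged between one pair of hosts
    under one transport protocol, regardless of direction;
  - the degree of a host is the number of distinct peers it converses with;
  - the depth of a conversation is its packet count;
  - a monitored host is anomalous when its degree lies more than Z_THRESHOLD
    population standard deviations above the mean degree of monitored hosts.
"""
from collections import defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 2.0
LOCAL_PREFIX = "10.0.0."   # the monitored subnet (assumed for this example)


def build_sample_packets():
    """Constructed packet trace as (src_ip, dst_ip, proto) tuples."""
    pkts = []
    servers = ["192.0.2.10", "192.0.2.20"]
    # Five ordinary workstations: each holds one 6-packet exchange
    # (3 requests, 3 replies) with each of two servers.
    for i in range(1, 6):
        host = f"10.0.0.{i}"
        for srv in servers:
            for _ in range(3):
                pkts.append((host, srv, "tcp"))
                pkts.append((srv, host, "tcp"))
    # One bot-like host: a single packet to each of 24 distinct addresses
    # (high fan-out, shallow conversations) plus a short exchange with one
    # controller, mimicking the command-and-control pattern the abstract names.
    bot = "10.0.0.9"
    for j in range(1, 25):
        pkts.append((bot, f"203.0.113.{j}", "tcp"))
    for _ in range(2):
        pkts.append((bot, "198.51.100.5", "tcp"))
        pkts.append(("198.51.100.5", bot, "tcp"))
    return pkts


def extract_conversations(packets):
    """Group packets into undirected conversations: {(host_a, host_b, proto): depth}."""
    convs = defaultdict(int)
    for src, dst, proto in packets:
        a, b = sorted((src, dst))      # order-independent key
        convs[(a, b, proto)] += 1
    return dict(convs)


def feature_vectors(packets, local_prefix=LOCAL_PREFIX):
    """Per monitored host: degree, mean conversation depth, conversation count."""
    convs = extract_conversations(packets)
    peers = defaultdict(set)
    depths = defaultdict(list)
    for (a, b, _proto), depth in convs.items():
        for host, peer in ((a, b), (b, a)):
            if host.startswith(local_prefix):
                peers[host].add(peer)
                depths[host].append(depth)
    return {
        host: {
            "degree": len(peers[host]),
            "depth": mean(depths[host]),
            "conversations": len(depths[host]),
        }
        for host in peers
    }


def flag_anomalies(features, z_threshold=Z_THRESHOLD):
    """Hosts whose degree sits more than z_threshold population std devs above the mean."""
    degrees = [f["degree"] for f in features.values()]
    if len(degrees) < 2:
        return []
    mu, sigma = mean(degrees), pstdev(degrees)
    if sigma == 0:
        return []
    return sorted(h for h, f in features.items()
                  if (f["degree"] - mu) / sigma > z_threshold)


if __name__ == "__main__":
    feats = feature_vectors(build_sample_packets())
    for host, f in sorted(feats.items()):
        print(host, f)
    print("flagged:", flag_anomalies(feats))
```

With the constructed trace, every workstation has degree 2 and mean depth 6, while the bot-like host has degree 25 and mean depth 1.12; its degree z-score is sqrt(5) (about 2.24), so it is the only host flagged. On real traffic the degree baseline would come from a period of known-clean traffic rather than from the same capture, and depth would be combined with the degree feature rather than reported beside it.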
[Degree-granting institution]: Nanjing University of Information Science and Technology
[Degree level]: Master's
[Year of degree]: 2014
[Classification number]: TP393.08
Article number: 2398586
Link to this record: https://www.wllwen.com/guanlilunwen/ydhl/2398586.html