
Research on Botnet Detection Methods Based on Behavioral Features

Published: 2018-09-09 13:17
[Abstract]: The rapid development of the Internet has brought convenience to people's lives and work, but the network security problems it has created should not be underestimated. A botnet is a cleverly designed and by now fairly mature technology that is increasingly used in illegal activities such as ad delivery, spam, and distributed denial-of-service attacks. A botnet consists of a large number of controlled computers that receive instructions from a controller and then execute them; these instructions are usually malicious. This lets the controller both conceal itself and use the controlled computers to launch various attacks. How to detect botnets has therefore become a very important problem in network security. This thesis describes the malicious behaviors of botnets in detail and selects six typical behaviors as general behavioral features of botnets. Six plug-ins are then implemented on top of an intrusion detection system, each producing primary alerts for one of the six behaviors, and botnets are detected through correlation analysis of these primary alerts. Correlation analysis of primary alerts can only detect known botnets. To detect unknown botnets, the behavior similarity and time similarity of alerts are computed across all monitored hosts, and unknown botnets are detected from the results of the similarity computation. A prototype system was implemented according to the proposed detection mechanism and tested by running bot sample programs in a real network environment. The experimental results show that the proposed detection mechanism detects botnets very effectively.
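[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Master's
[Year degree granted]: 2011
[Classification number]: TP393.08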
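
The unknown-botnet step described in the abstract (comparing monitored hosts by the behavior similarity and time similarity of their alerts), as an added example that is not code from the thesis. The abstract does not say how the similarities are computed, so the Jaccard and time-window metrics, the thresholds, the behavior names and the sample alerts below are all assumptions.

```python
from itertools import combinations

# Constructed sample alerts: (host, unix_seconds, behavior). The behavior names
# are hypothetical; the abstract does not list the six behaviors.
ALERTS = [
    ("10.0.0.5", 100, "dns_burst"), ("10.0.0.5", 160, "irc_join"),
    ("10.0.0.5", 900, "smtp_flood"),
    ("10.0.0.7", 104, "dns_burst"), ("10.0.0.7", 171, "irc_join"),
    ("10.0.0.7", 905, "smtp_flood"),
    ("10.0.0.9", 400, "port_scan"),
    # Same behaviors as .5 and .7, but at unrelated times.
    ("10.0.0.11", 5000, "dns_burst"), ("10.0.0.11", 9000, "irc_join"),
    ("10.0.0.11", 20000, "smtp_flood"),
]

def by_host(alerts):
    """Group (timestamp, behavior) pairs per host."""
    hosts = {}
    for host, ts, behavior in alerts:
        hosts.setdefault(host, []).append((ts, behavior))
    return hosts

def behavior_similarity(a, b):
    """Assumed metric: Jaccard index over the sets of alerted behaviors."""
    sa, sb = {x[1] for x in a}, {x[1] for x in b}
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def time_similarity(a, b, window=30):
    """Assumed metric: share of alerts that have a same-behavior alert on the
    other host within `window` seconds."""
    def matched(src, dst):
        return sum(any(bd == bs and abs(td - ts) <= window for td, bd in dst)
                   for ts, bs in src)
    total = len(a) + len(b)
    return (matched(a, b) + matched(b, a)) / total if total else 0.0

def suspect_pairs(alerts, beh_min=0.6, time_min=0.6, window=30):
    """Host pairs whose alerts are similar in both behavior and timing."""
    hosts = by_host(alerts)
    out = []
    for h1, h2 in combinations(sorted(hosts), 2):
        bs = behavior_similarity(hosts[h1], hosts[h2])
        ts = time_similarity(hosts[h1], hosts[h2], window)
        if bs >= beh_min and ts >= time_min:
            out.append((h1, h2, round(bs, 2), round(ts, 2)))
    return out
```

Host 10.0.0.11 raises the same behaviors as the flagged pair but at unrelated times, so it passes the behavior check and fails the time check, which is why both measures are needed.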



