
Research on Key Technologies for Countering Botnets

Published: 2018-04-24 02:00

Topic: Botnet + Detection; Reference: Beijing University of Posts and Telecommunications, 2014 doctoral dissertation


[Abstract]: A botnet is a large-scale, coordinated attack network. Botnets evolve rapidly, are highly covert, are difficult to eradicate and cause enormous damage, and they have become one of the greatest threats to today's Internet. How to counter botnets effectively remains a hot and difficult research topic. This dissertation first surveys the definition, evolution, classification, harm, working mechanisms and new trends of botnets, and introduces the mainstream technologies, methods and development trends of current botnet detection and countermeasures. It then studies botnet countermeasure technology from three angles: detection, countermeasures and suppression.
Botnet detection: Starting from the characteristics of botnet command-and-control (C&C) systems, the strengths and weaknesses of mainstream botnet detection methods at home and abroad are analysed, and a botnet detection method based on multi-dimensional feature vectors is proposed. The method first builds three detection models: a Markov chain model of the state transitions of botnet communication sessions, a multivariate statistics and cluster analysis model of the self-similarity of botnet nodes, and an entropy estimation model of the characteristics of encrypted botnet data flows; from these botnet-specific features a multi-dimensional feature vector extraction algorithm is designed. Next, borrowing the idea of collaborative detection, the performance of six base classifiers (naive Bayes, support vector machine, J48, Rotation Forest, PART and back-propagation neural network) is studied, and a combined decision classifier for botnet detection is built on top of the base classifiers using a least-squares estimation algorithm. Finally, detection experiments on the ISOT dataset verify that the combined classifier achieves a higher correct detection rate than any single classifier.
Botnet countermeasures: First, a communication model of the botnet C&C system based on an extended finite state machine is established, black-box fuzzing of botnet server programs is studied, and a state-transition-driven test case generation model is proposed. The model first studies a traversal algorithm for effective test paths over network states, which yields the state transition sequences that can trigger vulnerabilities; it then uses a combination of dynamic and static methods to generate mutation factors for the original test vectors, and gives the test vector generation and mutation models and algorithms that produce high-quality test vectors. To improve test efficiency and coverage, a fitness function based on risk state-transition flows and its implementation algorithm are designed, and the idea of genetic algorithms is used to guide the test vectors to evolve gradually into high-quality test cases, increasing the probability of discovering vulnerabilities. Second, the vulnerability of botnet topology is studied in depth: semi-distributed botnet organisation is found to be susceptible to cascading failures, a cascading-failure countermeasure strategy based on botnet bridge nodes is proposed, a cascading failure model of bridge nodes is established on the basis of the load-capacity model of complex networks, the corresponding theoretical analysis and numerical simulation are completed, and simulation verifies the effectiveness of the strategy. Third, case studies present countermeasures against botnets: vulnerability discovery in the Bagle-CB FTP server, cascading failure in the peer-to-peer C&C server network of an Eggdrop bot variant, and pre-emptive domain registration against Zeusbot.
Botnet suppression: First, building on the two-factor propagation model for network worms and combining the scale-free property of complex networks with the APT attack pattern, the SAPM botnet propagation model is proposed; the propagation dynamics of APT-based botnets in a complex-network environment are analysed, and the optimal suppression strategy is derived theoretically. Second, the propagation characteristics of APT-based botnets are analysed and a propagation suppression strategy is proposed; it is pointed out that new vulnerability testing algorithms for document-format processing software in Linux/Unix environments, together with corresponding security testing tools, are the core of suppressing the spread of such botnets. Third, since most software handling the various file formats on Linux/Unix systems is open source, the shortcomings of dynamic vulnerability testing theory and techniques for binary programs are studied in depth; a method for constructing symbolic models of program path constraints and the PWA coverage testing algorithm are designed, and the white-box EWFT prototype tool is implemented. Experiments show that the PWA algorithm outperforms the internationally popular SAGE testing algorithm and that EWFT detects multiple types of vulnerabilities more effectively, providing active defence against APT-based botnets.
Engineering implementation: The design concept, architecture, functional modules and key technologies of a cloud-computing-based botnet monitoring and mitigation prototype system are described. The system makes full use of the strong computing power and widely distributed nodes of the Apache Spark cloud platform to implement botnet detection, monitoring, countermeasure and suppression functions, and has achieved good social benefits in practical use.
The main innovative contributions of the dissertation are summarised as follows:
1) Existing content-based and flow-feature-based detection methods are restricted by protocol and struggle against encryption and obfuscation. To address this, a botnet communication state-transition detection model, a node naming similarity detection model and an encrypted communication entropy estimation detection model are established; multi-dimensional feature vectors reflecting typical botnet characteristics (state transitions, identity recognition and encrypted sessions) are extracted; and a combined classifier based on least-squares estimation is built, with satisfactory detection results.
2) For the extended-finite-state-machine communication model of botnet C&C systems, a state-transition-driven test case generation model is proposed and black-box fuzzing of botnet server programs is studied, improving the ability to discover vulnerabilities in botnet server programs through protocol analysis.
3) Semi-distributed botnet organisation is found to be susceptible to cascading failures; a cascading-failure countermeasure strategy based on botnet bridge nodes is proposed; a cascading failure model of bridge nodes is established on the basis of the load-capacity model of complex networks; the corresponding theoretical analysis and numerical simulation are completed; and simulation verifies the effectiveness of the strategy, opening a new direction for botnet countermeasure research.
4) For the propagation characteristics of APT-based botnets, the SAPM propagation model is established and its dynamics are analysed in a complex-network environment; it is made clear that new vulnerability testing algorithms for open-source document-format processing software in Linux/Unix environments, together with corresponding white-box fuzzing tools, are the core of suppressing the spread of such botnets. Finally, the PWA coverage testing algorithm is designed and the EWFT prototype tool is implemented. Experiments show that PWA outperforms the internationally popular SAGE testing algorithm and effectively improves test coverage and path-testing depth over the program's execution path space.
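The detection method described above combines per-flow feature models with a least-squares combiner over base classifiers. The following example is added here for illustration and is not the dissertation's code: it implements a minimal version of two of the features (a byte-entropy estimate of a flow payload, and the log-likelihood of a session's state sequence under a Markov chain fitted on bot sessions) and the least-squares stacking of base classifier outputs via the normal equations. The payloads, session state names, classifier scores and labels are constructed for the example; the dissertation's exact feature definitions and its ISOT experiments are not reproduced.

```python
import hashlib
import math
from collections import Counter, defaultdict


# Feature 1: entropy estimate of a flow payload, in bits per byte.
def byte_entropy(payload: bytes) -> float:
    """Shannon entropy of the byte histogram: close to 8.0 for encrypted or
    compressed data, typically 4 to 5 for cleartext protocol text."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())


# Feature 2: first-order Markov chain over the states of a C&C session.
class StateChain:
    def __init__(self, states, alpha=1.0):
        self.states = list(states)
        self.alpha = alpha  # Laplace smoothing keeps unseen transitions finite
        self.counts = defaultdict(Counter)

    def fit(self, sequences):
        for seq in sequences:
            for a, b in zip(seq, seq[1:]):
                self.counts[a][b] += 1
        return self

    def prob(self, a, b):
        row = self.counts[a]
        return (row[b] + self.alpha) / (sum(row.values()) + self.alpha * len(self.states))

    def mean_log_likelihood(self, seq):
        """Average log-probability per transition: higher means the session
        moves between states the way the training (bot) sessions did."""
        pairs = list(zip(seq, seq[1:]))
        if not pairs:
            return 0.0
        return sum(math.log(self.prob(a, b)) for a, b in pairs) / len(pairs)


# Combiner: least-squares weights over the outputs of the base classifiers.
def solve_linear(A, b):
    """Gaussian elimination with partial pivoting for a small dense system."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][c] * x[c] for c in range(r + 1, n))) / M[r][r]
    return x


def least_squares_weights(scores, labels):
    """w = argmin ||S w - y||^2 via the normal equations (S^T S) w = S^T y.
    Each row of `scores` holds the base classifier outputs for one sample;
    a constant 1.0 column is appended as a bias term."""
    S = [list(row) + [1.0] for row in scores]
    k = len(S[0])
    StS = [[sum(r[i] * r[j] for r in S) for j in range(k)] for i in range(k)]
    Sty = [sum(r[i] * y for r, y in zip(S, labels)) for i in range(k)]
    return solve_linear(StS, Sty)


def combined_score(weights, row):
    """Weighted decision of the base classifiers; compare against 0.5."""
    return sum(w * x for w, x in zip(weights, list(row) + [1.0]))


# Constructed sample data (not the dissertation's ISOT experiments).
CLEARTEXT = b"PRIVMSG #channel :hello, how is everyone today?\r\n"
# Stand-in for an encrypted payload: chained SHA-256 digests are deterministic
# here but statistically look like random bytes.
ENCRYPTED_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
STATES = ["CONNECT", "NICK", "JOIN", "PRIVMSG", "PING", "QUIT"]
BOT_SESSIONS = [  # bots poll the C&C channel in a tight PING/PRIVMSG rhythm
    ["CONNECT", "NICK", "JOIN", "PRIVMSG", "PING", "PRIVMSG", "PING", "PRIVMSG"],
    ["CONNECT", "NICK", "JOIN", "PING", "PRIVMSG", "PING", "PRIVMSG"],
    ["CONNECT", "NICK", "JOIN", "PRIVMSG", "PING", "PRIVMSG"],
]
BOT_LIKE = ["CONNECT", "NICK", "JOIN", "PING", "PRIVMSG", "PING", "PRIVMSG"]
HUMAN_LIKE = ["CONNECT", "NICK", "JOIN", "PRIVMSG", "PRIVMSG", "PRIVMSG", "QUIT"]
# One row per training flow: outputs of three base classifiers; label 1 = bot.
TRAIN_SCORES = [[0.9, 0.6, 0.8], [0.7, 0.9, 0.6], [0.8, 0.8, 0.9],
                [0.2, 0.4, 0.1], [0.3, 0.1, 0.2], [0.1, 0.3, 0.4]]
TRAIN_LABELS = [1, 1, 1, 0, 0, 0]


def demo():
    """Compute the two features and the combined classifier on the sample data."""
    chain = StateChain(STATES).fit(BOT_SESSIONS)
    w = least_squares_weights(TRAIN_SCORES, TRAIN_LABELS)
    return {
        "entropy_cleartext": byte_entropy(CLEARTEXT),
        "entropy_encrypted": byte_entropy(ENCRYPTED_LIKE),
        "loglik_bot_like": chain.mean_log_likelihood(BOT_LIKE),
        "loglik_human_like": chain.mean_log_likelihood(HUMAN_LIKE),
        "combined": [combined_score(w, r) for r in TRAIN_SCORES],
    }
```

Calling `demo()` returns the entropy of the two payloads (the cleartext line stays well below the encrypted stand-in), the chain log-likelihood of a bot-like versus a human-like session, and the combined scores, which exceed 0.5 for the three bot rows and fall below it for the three benign rows. In practice the combiner is fitted on held-out scores so that the weights do not simply memorise the base classifiers' training errors.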
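The bridge-node cascading-failure countermeasure, described under botnet countermeasures and again in contribution 3), rests on a load-capacity model of the botnet's overlay graph. The following example is added here and is not the dissertation's model or code: it assumes the Motter-Lai form of the load-capacity model (load = shortest-path betweenness, capacity = (1 + α) times the initial load) and simulates the cascade on a constructed semi-distributed topology in which two fully meshed peer groups talk to each other only through two bridge nodes. The graph, the node names and the tolerance α = 0.2 are constructed; the dissertation's own model parameters are not reproduced.

```python
from collections import defaultdict, deque


def betweenness(adj):
    """Brandes' algorithm: shortest-path betweenness of every node of an
    undirected graph given as {node: set(neighbours)}; used as the node load."""
    bc = {v: 0.0 for v in adj}
    for s in adj:
        stack, pred = [], {v: [] for v in adj}
        sigma = dict.fromkeys(adj, 0)
        sigma[s] = 1
        dist = dict.fromkeys(adj, -1)
        dist[s] = 0
        q = deque([s])
        while q:
            v = q.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    q.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        while stack:
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: b / 2 for v, b in bc.items()}  # each unordered pair was counted twice


def largest_component(adj):
    """Size of the largest connected component (what is left of the botnet)."""
    seen, best = set(), 0
    for s in adj:
        if s in seen:
            continue
        comp, q = {s}, [s]
        while q:
            for w in adj[q.pop()]:
                if w not in comp:
                    comp.add(w)
                    q.append(w)
        seen |= comp
        best = max(best, len(comp))
    return best


def cascade(adj, removed, alpha):
    """Assumed Motter-Lai style cascade: capacity C_i = (1 + alpha) * L_i(0).
    After `removed` is taken out, loads are recomputed and every node whose
    new load exceeds its capacity fails, until the network is stable.
    Returns (nodes that failed in the cascade, largest surviving component)."""
    capacity = {v: (1 + alpha) * l for v, l in betweenness(adj).items()}
    alive = {v: adj[v] - {removed} for v in adj if v != removed}
    failed = set()
    while True:
        load = betweenness(alive)
        over = {v for v, l in load.items() if l > capacity[v] + 1e-9}
        if not over:
            return failed, largest_component(alive)
        failed |= over
        alive = {v: nb - over for v, nb in alive.items() if v not in over}


def semi_distributed_botnet():
    """Constructed toy topology: peer groups A (a0..a3) and B (b0..b3) are
    fully meshed internally and reach each other only through the bridge
    nodes x and y, which hang off a0 and b0."""
    adj = defaultdict(set)

    def link(u, v):
        adj[u].add(v)
        adj[v].add(u)

    for g in "ab":
        members = [f"{g}{i}" for i in range(4)]
        for i, u in enumerate(members):
            for v in members[i + 1:]:
                link(u, v)
    for bridge in ("x", "y"):
        link("a0", bridge)
        link("b0", bridge)
    return dict(adj)


def compare_removals(alpha=0.2):
    """Effect of losing a bridge node versus an ordinary peer, as
    (failed nodes, largest surviving component) for each case."""
    g = semi_distributed_botnet()
    return {"bridge": cascade(g, "x", alpha), "peer": cascade(g, "a3", alpha)}
```

With α = 0.2, removing bridge `x` doubles the cross-group load on `y` (from 8 to 16 unit paths), which exceeds its capacity of 9.6, so `y` fails too and the overlay splits into two groups of four; removing the ordinary peer `a3` shifts no load onto any node beyond its capacity and the remaining nine nodes stay connected. Raising α models a botnet that over-provisions its bridge nodes, which is the parameter a defender would estimate before relying on this strategy.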

【Degree-granting institution】: Beijing University of Posts and Telecommunications
【Degree level】: Doctorate
【Year of degree】: 2014
【Classification number】: TP393.08


Article ID: 1794613


Source: http://sikaile.net/guanlilunwen/ydhl/1794613.html

