
Research on Key Technologies for Countering Botnets

Published: 2018-04-24 02:00

Topics: botnet + detection; Source: Beijing University of Posts and Telecommunications, 2014 doctoral dissertation


[Abstract]: Botnets, large-scale coordinated attack networks, evolve rapidly, are highly covert, hard to eradicate and extremely harmful, and have become one of the greatest threats to today's Internet. How to counter botnets effectively has long been a hot and difficult research topic. This dissertation first surveys the definition, evolution, classification, harm, working mechanisms and new trends of botnets and introduces the mainstream techniques, methods and development trends of current botnet detection and countermeasures; it then studies botnet countermeasure technology from three angles: detection, counteraction and suppression.

Botnet detection: Starting from the characteristics of botnet command-and-control (C&C) architectures, the advantages and disadvantages of the mainstream domestic and foreign botnet detection methods are analysed, and a botnet detection method based on multidimensional feature vectors is proposed. The method first builds three detection models: a Markov chain model of the state transitions of botnet communication, a model of the self-similarity of botnet nodes using multivariate statistics and cluster analysis, and a model of the characteristics of encrypted botnet data flows using entropy estimation theory; a multidimensional feature vector extraction algorithm is designed around these botnet-specific features. Next, borrowing the idea of collaborative detection, the performance of six base classifiers (naive Bayes, support vector machine, J48, Rotation Forest, PART and back-propagation neural network) is studied, and a botnet decision combination classifier is built on top of the base classifiers using least-squares estimation. Finally, detection experiments on the ISOT data set verify that the combined classifier achieves a higher correct detection rate than any single classifier.

Botnet counteraction: First, an extended finite state machine (EFSM) communication model of the botnet C&C architecture is established, black-box fuzzing of botnet server programs is studied, and a state-transition-driven test case generation model is proposed. The model first studies an algorithm for traversing effective test paths through the network states, obtaining the state transition sequences that can trigger vulnerabilities, and then generates mutation factors for the original test vectors by combining dynamic and static methods; it then gives the test vector generation and mutation model and algorithms, yielding high-quality test vectors. To improve test efficiency and coverage, a fitness function based on risky state-transition flows and its implementation algorithm are designed, and the idea of genetic algorithms is used to guide the test vectors to evolve step by step into high-quality test cases, raising the probability of discovering vulnerabilities. Second, the vulnerability of botnet topology is studied in depth: the semi-distributed botnet networking mode is found to be susceptible to cascading failures, a cascading-failure countermeasure strategy based on botnet bridge nodes is proposed, a cascading failure model of bridge nodes is built on the load-capacity model of complex networks, and the corresponding theoretical analysis and numerical simulation are completed, with simulation verifying the effectiveness of the strategy. Third, case studies present countermeasure techniques for vulnerability discovery in the Bagle-CB botnet's FTP server, cascading failure in the peer-to-peer networking of the C&C servers of an Eggdrop bot variant, and pre-emptive domain registration against Zuesbot.

Botnet suppression: First, building on the two-factor propagation model of network worms and combining the scale-free property of complex networks with the APT attack pattern, the SAPM botnet propagation model is proposed; the propagation dynamics of APT-based botnets in complex network environments are analysed, and the optimal suppression strategy is derived theoretically. Second, the propagation characteristics of APT-based botnets are analysed and a propagation suppression strategy is proposed, pointing out that innovating vulnerability testing algorithms for document-format processing software in Linux/Unix environments and developing corresponding security testing tools is the core of suppressing the spread of such botnets. Third, since most software that handles the various file formats on Linux/Unix systems is open source, the shortcomings of existing theory and techniques for dynamic vulnerability testing of binary programs are studied in depth; a method for constructing a symbolic model of program path constraints and the PWA coverage testing algorithm are designed, and the white-box EWFT prototype tool is implemented. Experiments verify that the PWA algorithm outperforms the internationally popular SAGE testing algorithm and that EWFT detects multiple types of vulnerabilities more effectively, providing active defence against APT-based botnets.

Engineering implementation: The design philosophy, architecture, functional modules and key technologies of a cloud-based prototype system for botnet monitoring and mitigation are outlined. Taking full advantage of the strong computing power and wide node distribution of the Apache Spark cloud platform, the system implements botnet detection, monitoring, counteraction and suppression, and has achieved good social benefits in practical deployment.

The main innovative work of this dissertation is summarised as follows:
1) Because existing content-based and flow-feature-based detection methods are constrained by protocol and struggle against encryption and obfuscation, detection models for botnet communication state transitions, node-naming similarity and entropy estimation of encrypted communication are established; multidimensional feature vectors reflecting typical botnet characteristics (state transitions, identity recognition and encrypted sessions) are extracted; and a combined classifier based on least-squares estimation is constructed, achieving satisfactory detection results.
2) For the EFSM-based communication model of the botnet C&C architecture, a state-transition-driven test case generation model is proposed and black-box fuzzing of botnet server programs is studied, improving protocol-analysis-based vulnerability discovery in botnet server programs.
3) The semi-distributed botnet networking mode is found to be susceptible to cascading failures; a cascading-failure countermeasure strategy based on botnet bridge nodes is proposed; a cascading failure model of bridge nodes is built on the complex-network load-capacity model; the corresponding theoretical analysis and numerical simulation are completed; and simulation verifies the effectiveness of the strategy, opening a new direction for botnet countermeasure research.
4) For the propagation characteristics of APT-based botnets, the SAPM propagation model is established and its dynamics analysed in complex network environments, establishing that innovating vulnerability testing algorithms for open-source document-format software in Linux/Unix environments and developing corresponding white-box fuzzing tools is the core of suppressing such botnets. Finally, the PWA coverage testing algorithm is designed and the EWFT prototype tool is implemented; experiments verify that PWA outperforms the internationally popular SAGE testing algorithm, effectively improving test coverage of the program's execution path space and the depth of path testing.
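The detection stage's "decision combination classifier", as an added example that is not the dissertation's own code: base-classifier decisions are fused with weights fitted by least squares, alongside a byte-entropy function of the kind the encrypted-flow model relies on. The abstract names the technique but not its details, so the normal-equation solver, the bias column, the 0.5 threshold and the sample scores and labels are all assumptions constructed here.

```python
# Added example (not the dissertation's code): the least-squares "decision
# combination classifier" the abstract describes, plus the byte-entropy feature
# of its encrypted-flow model. All scores and labels below are constructed.
import math
from typing import List, Sequence

def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted payloads approach 8.0."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def solve_least_squares(rows: Sequence[Sequence[float]], y: Sequence[float]) -> List[float]:
    """Solve the normal equations (X^T X) w = X^T y by Gaussian elimination."""
    k = len(rows[0])
    a = [[sum(r[i] * r[j] for r in rows) for j in range(k)]
         + [sum(r[i] * t for r, t in zip(rows, y))] for i in range(k)]
    for c in range(k):                                    # forward elimination
        p = max(range(c, k), key=lambda r: abs(a[r][c]))  # partial pivoting
        a[c], a[p] = a[p], a[c]
        for r in range(c + 1, k):
            f = a[r][c] / a[c][c]
            a[r] = [x - f * v for x, v in zip(a[r], a[c])]
    w = [0.0] * k
    for c in range(k - 1, -1, -1):                        # back substitution
        w[c] = (a[c][k] - sum(a[c][j] * w[j] for j in range(c + 1, k))) / a[c][c]
    return w

def fit_combiner(base_scores, labels) -> List[float]:
    """base_scores[i][j]: classifier j's bot score for flow i; a bias column is added."""
    return solve_least_squares([list(s) + [1.0] for s in base_scores], labels)

def combined_decision(weights, scores) -> int:
    """Weighted score of one flow thresholded at 0.5 (1 = bot, 0 = benign)."""
    return int(sum(w * v for w, v in zip(weights, list(scores) + [1.0])) >= 0.5)

def accuracy(predictions, labels) -> float:
    return sum(p == t for p, t in zip(predictions, labels)) / len(labels)

# Constructed validation set: three base classifiers (think naive Bayes, SVM, J48),
# each right on only 4 of 6 flows, but wrong on different flows.
BASE_SCORES = [(1, 1, 0), (1, 0, 1), (0, 1, 1), (1, 0, 0), (0, 1, 0), (0, 0, 1)]
LABELS = [1, 1, 1, 0, 0, 0]
WEIGHTS = fit_combiner(BASE_SCORES, LABELS)   # -> [1, 1, 1, -1], an exact fit here
```

On this constructed set every single classifier scores 4/6 while the fused decision is correct on all six flows, which is the effect the ISOT experiment in the abstract reports.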

Degree-granting institution: Beijing University of Posts and Telecommunications
Degree level: Doctorate
Year granted: 2014
Classification number: TP393.08


Article number: 1794613


Link to this page: http://sikaile.net/guanlilunwen/ydhl/1794613.html

