Design and Implementation of a Botnet Detection Prototype System for the Windows Platform
Topic of this thesis: botnets + botnet detection. Reference: University of Chinese Academy of Sciences (School of Engineering Management and Information Technology), 2014 Master's thesis
【Abstract】: According to the 2013 China Internet Network Security Report released by the National Internet Emergency Center, more than ten million computers in China are infected by malicious programs and turned into zombie hosts every year, and the number keeps growing. These hosts are controlled from overseas IP addresses to carry out various illegal activities, and in particular to launch large-scale attacks of every kind by exploiting their strong coordination, which seriously endangers network security and in turn threatens national security. Developing an efficient botnet detection and discovery system is therefore especially urgent. Most current detection methods rely on first obtaining a bot sample program, reverse-engineering the known sample, and then extracting signatures for detection and removal; such methods can only achieve effective discovery and control after a botnet has already broken out on a large scale, and are powerless against unknown botnets. This thesis aims at detecting both known and unknown botnets on the Windows platform. By studying and dissecting the characteristics of typical botnets, including their working principles, command and control mechanisms, communication traffic and host behaviour, it breaks through the key technologies of botnet detection, develops a general method for botnet detection and identification, and designs and implements a botnet detection prototype system for the Windows platform. The main contents are as follows: (1) dissecting the working principles, life cycle and command and control mechanisms of typical IRC, HTTP and P2P botnets, and analysing and extracting botnet host features and traffic features; (2) analysing and summarising existing botnet detection techniques and, on that basis, proposing the key detection technologies of multi-source data collection, service identification by joint frame-level and flow-level identification, automatic analysis of bot sample programs, and general traffic-feature detection based on spatio-temporal coordination and similarity; (3) design and implementation of the botnet detection prototype system for the Windows platform. With full consideration of the rationality and efficiency of the detection system architecture, a client/server (C/S) detection framework is designed, including the logical composition of each subsystem and the functional implementation of each module. Finally, the functionality and performance of the whole prototype system are verified experimentally.
【Degree-granting institution】: University of Chinese Academy of Sciences (School of Engineering Management and Information Technology)
【Degree level】: Master
【Year degree granted】: 2014
【Classification number】: TP393.06
Article ID: 1985263
Article link: http://sikaile.net/guanlilunwen/ydhl/1985263.html