Research on a P2P Botnet Detection Method Based on Data-Flow Feature Vector Recognition
Published: 2018-11-15 15:20
[Abstract]: Botnets are widely recognised as one of the most serious network security problems today. A botnet is a platform that spreads traditional malicious code (computer viruses, network worms, Trojans) across the network, finds vulnerable nodes, brings them under its own control network, and then uses those nodes to carry out large-scale malicious attacks. Because a botnet is far more covert and far more destructive than an ordinary network attack, it has become the most prevalent form of network attack in recent years. Early botnets were mainly of two kinds, IRC-based and HTTP-based; both distributed command-and-control information through nodes with central control capability and recruited vulnerable nodes into the network. Botnets of this period transmitted control information mainly over fixed ports and protocols (with specific strings carried in the protocol). Researchers at home and abroad have proposed that this class of botnet can be identified efficiently by monitoring specific ports and recognising specific strings in the protocol. With the development of P2P technology and of botnets themselves, P2P botnets emerged; they decentralise botnet control, removing the traditional botnet's dependence on a central node for command-and-control distribution, and thereby make botnet detection harder. Current P2P botnet detection methods fall into four categories: detection based on end nodes, on network traffic, on protocol features, and on behavioural features. End-node detection aims to find malicious code and suspicious activity on the monitored hosts; it works well for P2P botnets that contain central nodes but has a high false-positive rate for other types of P2P botnet. The latter two categories detect P2P botnets through network protocol recognition and application-layer feature recognition respectively; they work well for P2P botnets that use a specific protocol but generalise poorly. Network-traffic detection analyses the characteristics and patterns of change in the traffic of the monitored network to find the flow-level differences between P2P botnets and other networks; it detects well, but current methods do not analyse the dynamic characteristics that P2P botnets exhibit during communication.
Building on this prior work, this thesis proposes a P2P botnet detection method based on data-flow feature vector recognition, aimed at the dynamic characteristics of P2P botnet communication. Since the vast majority of traffic in a network is normal, and its sources or destinations cannot become botnet attack nodes, we first pre-process the network flows with a black/white/grey-list packet filter, combined with a port rule base and a protocol feature-field recognition library that we constructed, filtering out the flows of known typical protocols and marking the nodes whose traffic is suspicious. This pre-processing reduces the order of magnitude of the sample set to be analysed and makes it practical to build botnet flow feature vectors. On that basis we classify the flows by source and destination and analyse their packet rate, rate of change of packet rate, byte rate, and rate of change of byte rate, both along the time dimension (horizontally) and across flows (vertically). Using the per-class feature thresholds obtained in the validation experiments, the flows are classified a second time, which identifies the class of nodes exhibiting botnet characteristics and achieves good detection results.
[English abstract]: Botnets are one of the most dangerous network security problems. A botnet spreads traditional malicious code (computer viruses, network worms, Trojan horses) through the network, finds vulnerable nodes, brings them into its own control network, and then uses these nodes as a platform for large-scale malicious attacks. Because of its concealment, a botnet is far more destructive than a common network attack, and it has become the most popular network attack method in recent years. Early botnets were mainly of two kinds, based on the IRC protocol and on the HTTP protocol. They distributed command and control information through nodes with central control capability, which joined vulnerable nodes to the network. During this period, botnets used fixed ports and protocols to transmit control information (the protocol carried a specific string). Researchers at home and abroad have shown that this kind of botnet can be recognized efficiently by listening on specific ports and recognizing specific strings in the protocol. With the development of P2P technology and of botnets, the P2P botnet came into being. This type of botnet decentralizes botnet control, overcoming the traditional botnet's drawback of relying on a central node for command and control distribution, and brings new difficulties to botnet detection. At present, P2P botnet detection methods are divided into four categories: terminal-node based, network-traffic based, protocol-feature based, and behavior based detection. Terminal-node based detection aims to detect malicious code and suspicious activity on the monitored host; it has a good detection effect for P2P botnets with central nodes, but for other types of P2P botnet the false alarm rate is high. The latter two methods detect P2P botnets through network communication protocol recognition and application-layer feature recognition respectively.
These two methods have a better detection effect on P2P botnets that use a specific protocol, but their generality is poor. Network-traffic based detection analyzes the characteristics and changes of network traffic in the monitored network and finds the differences between P2P botnets and other networks, which gives a better detection effect. However, current detection methods do not analyze the dynamic characteristics of P2P botnets in the communication process. Based on previous studies, this paper proposes a P2P botnet detection method based on data stream feature vector recognition for the dynamic features of the P2P botnet communication process. Considering that the vast majority of network traffic is normal data flow whose source or destination cannot become a botnet attack node, we first pre-process the network data flow with a black, white and grey list packet filter. Combined with the port rule base and the protocol characteristic field identification library, the data streams of known typical protocols are filtered out to identify the data nodes with suspicious traffic. Through this preprocessing, we reduce the order of magnitude of the analysis samples and construct the feature vectors of the botnet data stream. On this basis, we classify the network data flow according to source and destination, and analyze the packet rate, the rate of change of the packet rate, the byte rate of the data stream, and the rate of change of the byte rate, in the transverse time dimension and longitudinally across data streams. According to the characteristic thresholds of the different data streams obtained from the verification experiments, the data streams are classified a second time, and a class of nodes with botnet features is identified, which achieves a better detection effect.
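As an added illustration, not part of the thesis or of this record, the Python below sketches the two-stage pipeline the abstract describes: a black/white/grey-list and port-rule prefilter, then per-flow feature vectors built from packet rate, byte rate and their window-to-window change (the horizontal, time dimension), followed by a threshold pass that reports a node only when several of its flows match (the vertical, cross-flow dimension). The list contents, the port set, the sample capture and every threshold in `BOT_PROFILE` are constructed for the example; the thesis obtains its thresholds from validation experiments and the abstract does not give them.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds
    src: str
    dst: str
    dport: int
    size: int    # bytes on the wire

# Stage 1: black/white/grey list and port rule base (all values constructed for this example).
WHITELIST = [ip_network("10.0.0.0/24")]     # trusted infrastructure: dropped from analysis
BLACKLIST = [ip_network("203.0.113.0/24")]  # known-bad peers: both endpoints flagged at once
KNOWN_PORTS = {25, 53, 80, 443}             # stands in for the thesis's port rule base

def classify_endpoint(ip: str) -> str:
    addr = ip_address(ip)
    if any(addr in net for net in WHITELIST):
        return "white"
    if any(addr in net for net in BLACKLIST):
        return "black"
    return "grey"

def prefilter(packets):
    """Return (nodes flagged by the blacklist, grey packets kept for feature analysis)."""
    flagged, grey = set(), []
    for p in packets:
        labels = {classify_endpoint(p.src), classify_endpoint(p.dst)}
        if "black" in labels:
            flagged.update((p.src, p.dst))
        elif "white" not in labels and p.dport not in KNOWN_PORTS:
            grey.append(p)  # trusted or typical-protocol traffic leaves the pipeline here
    return flagged, grey

# Stage 2: per-flow feature vector over fixed time windows (the "horizontal" dimension).
def flow_feature_vectors(packets, window=1.0):
    """For every (src, dst) flow: mean packet rate, mean byte rate, and the spread
    (population std-dev) of their window-to-window change; empty windows count as zero."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # flow -> window -> [pkts, bytes]
    for p in packets:
        cell = counts[(p.src, p.dst)][int(p.ts // window)]
        cell[0] += 1
        cell[1] += p.size
    vectors = {}
    for flow, wins in counts.items():
        span = range(min(wins), max(wins) + 1)
        pkt_rate = [wins[w][0] / window if w in wins else 0.0 for w in span]
        byte_rate = [wins[w][1] / window if w in wins else 0.0 for w in span]
        d_pkt = [b - a for a, b in zip(pkt_rate, pkt_rate[1:])] or [0.0]
        d_byte = [b - a for a, b in zip(byte_rate, byte_rate[1:])] or [0.0]
        vectors[flow] = {"pkt_rate": mean(pkt_rate), "pkt_rate_change": pstdev(d_pkt),
                         "byte_rate": mean(byte_rate), "byte_rate_change": pstdev(d_byte),
                         "windows": len(span)}
    return vectors

# Stage 3: second classification against thresholds. These numbers are assumed for the
# example only; the thesis derives its thresholds from validation experiments.
BOT_PROFILE = {"max_pkt_rate": 5.0, "max_pkt_rate_change": 1.0,
               "max_byte_rate": 1000.0, "max_byte_rate_change": 200.0, "min_windows": 3}
MIN_PEER_FLOWS = 3  # "vertical" view: report a node only when several of its flows match

def matches_bot_profile(vec):
    return (vec["windows"] >= BOT_PROFILE["min_windows"]
            and vec["pkt_rate"] <= BOT_PROFILE["max_pkt_rate"]
            and vec["pkt_rate_change"] <= BOT_PROFILE["max_pkt_rate_change"]
            and vec["byte_rate"] <= BOT_PROFILE["max_byte_rate"]
            and vec["byte_rate_change"] <= BOT_PROFILE["max_byte_rate_change"])

def detect(packets, window=1.0):
    """Sorted list of nodes flagged either by the blacklist or by the feature-vector pass."""
    flagged, grey = prefilter(packets)
    matching_flows = defaultdict(int)
    for (src, _dst), vec in flow_feature_vectors(grey, window).items():
        if matches_bot_profile(vec):
            matching_flows[src] += 1
    flagged |= {src for src, n in matching_flows.items() if n >= MIN_PEER_FLOWS}
    return sorted(flagged)

# Constructed capture: a host chatting steadily with three peers, a bursty browsing host,
# one DNS query to a trusted resolver, and one contact with a blacklisted address.
SAMPLE_PACKETS = (
    [Packet(0.2 + t, "192.168.1.50", peer, 52000, 100)
     for t in range(6) for peer in ("192.168.2.10", "192.168.2.11", "192.168.2.12")]
    + [Packet(ts, "192.168.1.20", "198.51.100.7", 8080, 1200)
       for ts in (0.1, 0.15, 0.2, 0.25, 0.3, 3.1, 3.2)]
    + [Packet(0.5, "192.168.1.20", "10.0.0.5", 53, 80),
       Packet(2.0, "192.168.1.77", "203.0.113.9", 52000, 300)]
)

if __name__ == "__main__":
    print(detect(SAMPLE_PACKETS))  # ['192.168.1.50', '192.168.1.77', '203.0.113.9']
```

The steady one-packet-per-second host is reported because its three peer flows all have zero rate change, while the bursty browsing host fails the profile (its packet-rate change spread is about 2.9) and in any case has only one flow; a false positive on a single oddly steady flow therefore requires the cross-flow count as well as the per-flow thresholds.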
[Degree-granting institution]: Ocean University of China (中国海洋大学)
[Degree level]: Master's
[Year of award]: 2014
[Classification number]: TP393.02
Document number: 2333669
Document link: http://sikaile.net/guanlilunwen/ydhl/2333669.html