
Botnet Detection Based on Node Degree Distribution and Network Flow Anomalies

Published: 2019-01-02 14:02
[Abstract]: In recent years cybercrime has become rampant and its methods have diversified. Botnets, with their wide reach, high efficiency and strong concealment, have become the most frequently used platform for cybercrime and pose a severe challenge to Internet security. Botnets are used for a range of malicious activities, such as distributed denial-of-service attacks, spam, phishing and theft of sensitive information. Botnet detection has therefore become a hot topic in network security research and is of great significance to protecting networks. Botnet detection falls into two main directions: building honeynets and honeypots, and passive network traffic monitoring. At present research concentrates almost entirely on network traffic monitoring, and the key to passive monitoring is to accurately capture the characteristics of bot traffic. By studying the traffic of different botnets, this thesis summarizes the conversation-flow characteristics of botnet traffic and, on that basis, proposes a botnet detection system based on network cells. For the study of botnet conversation-flow characteristics, conversation flows are extracted from the packet stream, the number and depth of conversation flows in normal networks and in botnets are compared, and the characteristics of botnet conversation flows are summarized. Conversation flows are used to define a node "degree"; the attack behaviour patterns of bot nodes and the characteristics of command-and-control traffic are analysed; a feature vector characterizing bot traffic is proposed; and a data-mining strategy is used to model and analyse this feature vector. The network-cell-based detection system is built on a study of normal network cells and botnet cells. Similar packets are aggregated into network cells and, combined with the study of botnet conversation flows, the characteristics of botnet cells and normal cells are compared, yielding four indicators for detecting botnet traffic: the number of pathological cells, the overall cell-count level, network-tissue self-similarity, and network-tissue IP dispersion. Whether a botnet is present is judged from anomalies in these four indicators by consulting a diagnosis table. A series of experiments demonstrates the effectiveness and usability of the proposed method, with improved accuracy. The open network-cell model proposed in this method is of some pioneering significance for research on botnet detection based on passive traffic monitoring.
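The abstract describes extracting conversation flows from a packet stream, defining a node "degree" from those flows, and comparing the number and depth of conversations of normal hosts against bot hosts. The following added example (not code from the thesis) shows one concrete reading of that idea on a constructed packet sample: a conversation is the unordered pair of hosts exchanging packets, a node's degree is its number of distinct conversation peers, and conversation depth is the packet count per conversation. The fan-out host flagged by the degree outlier check, the threshold rule (mean plus two standard deviations), and the sample addresses are all assumptions of this example, not definitions taken from the thesis.

```python
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_packets():
    """Constructed sample traffic as (src, dst, bytes) tuples; not a real capture.

    Five workstations hold normal, deep sessions with two internal servers;
    one of them also talks to a third server. A sixth host (assumed bot)
    touches twenty distinct external addresses with a single packet each,
    the shallow fan-out pattern the abstract contrasts with normal traffic.
    """
    pkts = []
    clients = [f"10.0.0.{i}" for i in range(1, 6)]
    servers = ["10.0.1.10", "10.0.1.11"]
    for c in clients:
        for s in servers:
            for _ in range(8):  # request/response exchange, 16 packets per conversation
                pkts.append((c, s, 512))
                pkts.append((s, c, 1400))
    for _ in range(4):  # one client with an extra, shorter conversation
        pkts.append(("10.0.0.2", "10.0.1.12", 300))
        pkts.append(("10.0.1.12", "10.0.0.2", 300))
    bot = "10.0.0.99"  # assumed bot host for the example
    for i in range(1, 21):
        pkts.append((bot, f"203.0.113.{i}", 60))
    return pkts


def conversations(packets):
    """Group packets into bidirectional conversations keyed by the unordered
    host pair; the value is the conversation depth (packets in both directions)."""
    depth = defaultdict(int)
    for src, dst, _size in packets:
        depth[tuple(sorted((src, dst)))] += 1
    return dict(depth)


def node_features(packets):
    """Per-node feature vector (degree, mean conversation depth).

    degree      = number of distinct peers the node converses with
    mean depth  = average packets per conversation the node takes part in
    """
    convs = conversations(packets)
    peers = defaultdict(set)
    depth_sum = defaultdict(int)
    for (a, b), depth in convs.items():
        peers[a].add(b)
        peers[b].add(a)
        depth_sum[a] += depth
        depth_sum[b] += depth
    return {n: (len(peers[n]), depth_sum[n] / len(peers[n])) for n in peers}


def degree_outliers(features, z=2.0):
    """Nodes whose degree lies more than z standard deviations above the mean
    of the degree distribution (an assumed, simple anomaly rule)."""
    degrees = [deg for deg, _depth in features.values()]
    mu, sd = mean(degrees), pstdev(degrees)
    if sd == 0:
        return []
    return sorted(n for n, (deg, _depth) in features.items() if deg > mu + z * sd)


if __name__ == "__main__":
    feats = node_features(build_sample_packets())
    for node in degree_outliers(feats):
        deg, depth = feats[node]
        print(f"{node}: degree={deg} mean_depth={depth:.1f}")
```

Running the block lists only the fan-out host: it has degree 20 with a mean depth of 1.0, while the workstations have degree 2 or 3 with mean depths above 10. The high-degree, shallow-conversation combination is the signal the abstract's feature vector is meant to capture; the servers, which also have relatively high degree, are not flagged because their conversations are deep.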
[Degree-granting institution]: Nanjing University of Information Science and Technology
[Degree level]: Master's
[Year of degree]: 2014
[Classification number]: TP393.08




Document number: 2398586


Link to this document: http://sikaile.net/guanlilunwen/ydhl/2398586.html

