Research on Botnet Detection Methods Based on Behavioural Features
Published: 2018-09-09 13:17
[Abstract]: The rapid growth of the Internet has brought convenience to people's lives and work, but the network security problems it has caused cannot be underestimated. Botnets are an ingeniously designed and now mature technology, increasingly used in illegal activities such as advertisement delivery, spam and distributed denial-of-service attacks. A botnet consists of a large number of compromised computers that receive instructions from a controller and execute them; these instructions are usually malicious. In this way the controller not only hides itself but can also use the compromised computers to launch a variety of attacks. How to detect botnets has therefore become a very important problem in the field of network security. This thesis describes the malicious behaviour of botnets in detail and selects six typical behaviours as general behavioural features of botnets. Six plug-ins are then implemented on top of an intrusion detection system, each generating primary alerts for one of the six behaviours, and botnets are detected by correlation analysis of these primary alerts. Correlation analysis of primary alerts can only detect known botnets. To detect unknown botnets, the behavioural similarity and temporal similarity of the alerts are computed for all monitored hosts, and unknown botnets are detected from the results of the similarity computation. A prototype system implementing the proposed detection mechanism was built and tested by running bot sample programs in a real network environment. The experimental results show that the proposed detection mechanism detects botnets very effectively.
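The abstract describes two stages: correlating the primary alerts from the six IDS plug-ins against a known botnet profile, and, for unknown botnets, comparing the behavioural and temporal similarity of alerts across all monitored hosts. The following Python is an added illustration of both stages, not code from the thesis or its prototype. The thesis names neither its six behaviours nor its similarity formulas, so the behaviour labels (`c2_beacon`, `scan`, `spam`, `ddos`), the Jaccard measure for behavioural similarity, the cosine measure over 300-second time bins for temporal similarity, the equal weighting of the two and the 0.6 grouping threshold are all assumptions made here; the alert stream is constructed sample data.

```python
"""Correlating IDS-style primary alerts into botnet candidates.

Added example, not the thesis's own code. Behaviour labels, similarity
measures, bin width, weighting and threshold are assumptions made here.
"""
from collections import defaultdict
from itertools import combinations
import math

# Constructed sample alert stream: (timestamp in seconds, host, behaviour label).
# The labels are hypothetical stand-ins for the thesis's six plug-in behaviours.
SAMPLE_ALERTS = [
    (0,    "10.0.0.5", "c2_beacon"),
    (10,   "10.0.0.6", "c2_beacon"),
    (15,   "10.0.0.7", "c2_beacon"),
    (600,  "10.0.0.5", "scan"),
    (605,  "10.0.0.6", "scan"),
    (610,  "10.0.0.7", "scan"),
    (1200, "10.0.0.5", "spam"),
    (1210, "10.0.0.6", "spam"),
    (1215, "10.0.0.7", "spam"),
    (1800, "10.0.0.5", "ddos"),
    (1805, "10.0.0.6", "ddos"),
    (1812, "10.0.0.7", "ddos"),
    # A host that raised a single scan alert at an unrelated time (likely benign).
    (3000, "10.0.0.9", "scan"),
]

BIN_SECONDS = 300  # width of the time bins used for temporal similarity (assumption)


def behaviour_sets(alerts):
    """Host -> set of behaviour labels it raised (the per-host behaviour profile)."""
    profile = defaultdict(set)
    for _ts, host, behaviour in alerts:
        profile[host].add(behaviour)
    return dict(profile)


def time_vectors(alerts, bin_seconds=BIN_SECONDS):
    """Host -> {time bin: alert count}; binning lets near-simultaneous alerts line up."""
    vectors = defaultdict(lambda: defaultdict(int))
    for ts, host, _behaviour in alerts:
        vectors[host][ts // bin_seconds] += 1
    return {host: dict(bins) for host, bins in vectors.items()}


def behaviour_similarity(a, b):
    """Jaccard similarity of two behaviour sets (assumed measure)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def time_similarity(va, vb):
    """Cosine similarity of two binned activity vectors (assumed measure)."""
    dot = sum(count * vb.get(bin_id, 0) for bin_id, count in va.items())
    norm_a = math.sqrt(sum(v * v for v in va.values()))
    norm_b = math.sqrt(sum(v * v for v in vb.values()))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return dot / (norm_a * norm_b)


def combined_similarity(profile, vectors, h1, h2):
    """Equal-weight average of behavioural and temporal similarity (assumed weighting)."""
    return (0.5 * behaviour_similarity(profile[h1], profile[h2])
            + 0.5 * time_similarity(vectors[h1], vectors[h2]))


def match_known_botnet(profile, signature):
    """Known-botnet correlation: hosts whose alerts cover every behaviour in a signature."""
    return sorted(host for host, behaviours in profile.items() if signature <= behaviours)


def cluster_hosts(alerts, threshold=0.6, bin_seconds=BIN_SECONDS):
    """Unknown-botnet detection: group hosts whose combined similarity meets the threshold.

    Returns groups of two or more hosts (union-find over qualifying pairs),
    each group sorted, groups ordered by their first member.
    """
    profile = behaviour_sets(alerts)
    vectors = time_vectors(alerts, bin_seconds)
    parent = {host: host for host in profile}

    def find(host):
        while parent[host] != host:
            parent[host] = parent[parent[host]]  # path halving
            host = parent[host]
        return host

    for h1, h2 in combinations(sorted(profile), 2):
        if combined_similarity(profile, vectors, h1, h2) >= threshold:
            parent[find(h1)] = find(h2)

    groups = defaultdict(list)
    for host in profile:
        groups[find(host)].append(host)
    return sorted((sorted(g) for g in groups.values() if len(g) > 1), key=lambda g: g[0])


if __name__ == "__main__":
    prof = behaviour_sets(SAMPLE_ALERTS)
    print("known-profile matches:", match_known_botnet(prof, {"c2_beacon", "ddos"}))
    print("similarity groups:", cluster_hosts(SAMPLE_ALERTS))
```

With the sample stream, the three hosts that beacon, scan, spam and flood within the same time bins end up in one group, while the host with a lone scan alert at an unrelated time scores a combined similarity of 0.125 against them and stays out. In practice the threshold and bin width would be tuned on the monitored network, since too coarse a bin makes unrelated hosts look synchronised and too fine a bin splits a genuinely coordinated group.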
[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Master's
[Year of degree award]: 2011
[Classification number]: TP393.08
Article number: 2232490
Link to this article: http://sikaile.net/wenyilunwen/guanggaoshejilunwen/2232490.html