Research on Botnet Detection Methods (僵尸网络检测方法研究)

Uploader: E**** | Document ID: 114937222 | Upload date: 2019-11-12 | Format: PDF | Pages: 129 | Size: 3.30 MB
Huazhong University of Science and Technology, Doctoral Dissertation
Research on Botnet Detection Methods
Name: 王斌斌
Degree level: Doctor
Major: Information Security
Advisor: 李芝棠
2010-05-28

Abstract

A botnet is an integrated attack platform made up of a group of computers that are remotely controlled by an attacker while their users remain unaware of it; it has grown into one of the most serious security threats on today's Internet. The basic characteristic that sets botnets apart from traditional malicious attack methods such as Trojans and worms is that the attacker uses a one-to-many command and control mechanism (Command and Control, C

the latter has difficulty identifying a single zombie host, because it presupposes that there are many zombie hosts of the same kind in the monitored network. The active measurement technology mentioned above is effective in identifying P2P zombie hosts. However, it introduces a great deal of unnecessary traffic into the network and significantly affects the communication of normal peers. In this work, an active measurement method named AASD is proposed to identify Storm bots based on the anomalous relationship between the logical address and the communication address. AASD can identify the Storm botnet, which parasitizes the current Overnet peer-to-peer network and is enormously harmful. Overnet is a kind of DHT network in which, theoretically, there is a one-to-one relationship between a node identifier and its communication address (IP address and port). In practice, however, one-to-many or many-to-one relationships exist between them. The former is called identifier aliasing and the latter communication address aliasing. By analyzing these two phenomena, we discover two characteristics of Storm zombie entries: (i) the identifier and the communication address in the same entry both exhibit aliasing; (ii) the IP addresses corresponding to each aliased identifier are not concentrated in a specific subnet. After deploying a high-speed Overnet crawler on the PlanetLab testbed, we can collect a large number of index-address entries for the experiment. The index-address nodes that show both identifier aliasing and communication address aliasing can then be identified by set theory. We quantify the divergence of the IP addresses using maximum entropy theory and take this divergence as the principal basis for identifying zombies: if the divergence exceeds a predefined threshold, the aliased identifier is one used by Storm bots. Compared with existing active detection methods, AASD not only identifies active Storm bots with a 95% detection ratio but also identifies non-active Storm bots. What's more, AASD consumes 60% less bandwidth and effectively reduces the interference with normal Overnet peers.

A method named SIDPI is also proposed to identify P2P zombie hosts based on the similarity of the distributions of interactive flow-aggregations; it can identify encrypted Storm zombie hosts. A flow-aggregation is the set of all flows of an (IP, Port) pair within a certain period of time. For non-zombie applications, the average lengths of all flows through the monitored port in different time windows are widely distributed, whereas the distributions of zombie hosts look similar. We quantify the distance between two adjacent time windows using relative entropy theory and calculate the average packet length of the flow-aggregation over multiple consecutive time windows. As the identification metric, if the distance between the distributions exceeds a predefined threshold, the host that deployed this (IP, Port) pair is identified as a zombie. To reduce network traffic and improve the efficiency of measuring the similarity of flow-aggregation distributions, we propose a small flow-aggregation (SFAFA) algorithm to extract suspicious (IP, Port) pairs. The advantages of SFAFA are as follows: (1) it can identify zombies that use encrypted communication; (2) it can identify a single zombie host in the supervised network, especially early in the dissemination, since it is independent of any similarity of communication and attack behavior among multiple zombies. The results show that the SFAFA algorithm can filter out more than 98% of the (IP, Port) pairs in the network and improves the efficiency of the next procedure, and that the accuracy of SIDPI is up to 94.45% on average with both encrypted and unencrypted samples.

We also propose a BMBD algorithm to identify IRC and HTTP zombie hosts in the supervised network by matching the network connection behavior models of the zombies. Analysis has shown that the different connections to zombie nodes are similar in that there is a periodic interval between these connections. A BCM (Bot Connection-Behavior Model) is therefore created by aggregating similar links with an unsupervised clustering method and mining the potential period with a cyclic correlation function. Then, after crawling the network border traffic, hosts can be identified as zombie hosts by BCM pattern matching. The results show that BDA depends neither on the content of communications among zombie hosts nor on the group behavior of zombie hosts. The detection accuracy for a single zombie node in the monitored network is over 95%. Besides, BMBD can detect variants of zombies whose BCM
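The AASD screening described in the abstract, as an added illustration rather than the dissertation's own code: entries from a constructed Overnet crawl are intersected for identifier aliasing and communication address aliasing, then the scatter of each surviving identifier's IPs across /24 subnets is scored as normalized entropy (entropy divided by its maximum, log2 n) and compared with a threshold. The /24 prefix, the requirement that every address of an aliased identifier be aliased itself, the 0.5 threshold and the sample entries are all assumptions.

```python
import math
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample of crawled Overnet index entries (node identifier, IP, port).
# Normal peers: one ID on one address. "nat-id": one ID on several addresses that
# also carry other IDs, but all in one subnet. "storm-id": the Storm pattern, an ID
# aliased over addresses in unrelated subnets, each address also aliased to other IDs.
ENTRIES = [
    ("peer-a", "10.0.1.5", 4662), ("peer-b", "10.0.2.9", 4665),
    ("nat-id", "10.0.3.10", 4661), ("nat-id", "10.0.3.11", 4661), ("nat-id", "10.0.3.12", 4661),
    ("x-1", "10.0.3.10", 4661), ("x-2", "10.0.3.11", 4661), ("x-3", "10.0.3.12", 4661),
    ("storm-id", "203.0.113.7", 7871), ("storm-id", "198.51.100.23", 7871),
    ("storm-id", "192.0.2.41", 7871), ("storm-id", "203.0.113.200", 7871),
    ("other-1", "203.0.113.7", 7871), ("other-2", "198.51.100.23", 7871),
    ("other-3", "192.0.2.41", 7871), ("other-4", "203.0.113.200", 7871),
]

def index_entries(entries):
    """Two views of the crawl: ID -> {(ip, port)} and (ip, port) -> {ID}."""
    id_to_addr, addr_to_id = defaultdict(set), defaultdict(set)
    for node_id, ip, port in entries:
        id_to_addr[node_id].add((ip, port))
        addr_to_id[(ip, port)].add(node_id)
    return id_to_addr, addr_to_id

def aliased_candidates(id_to_addr, addr_to_id):
    """IDs with identifier aliasing (ID on >1 address) whose addresses all show
    communication address aliasing (address carrying >1 ID); set intersection."""
    addr_aliased = {a for a, ids in addr_to_id.items() if len(ids) > 1}
    return {i for i, addrs in id_to_addr.items()
            if len(addrs) > 1 and addrs <= addr_aliased}

def subnet_divergence(addrs, prefix_len=24):
    """Scatter of the addresses behind one ID: Shannon entropy of their /prefix_len
    subnets over the maximum entropy log2(n); 0.0 = one subnet, 1.0 = all distinct."""
    n = len(addrs)
    if n < 2:
        return 0.0
    counts = Counter(int(ip_address(ip)) >> (32 - prefix_len) for ip, _ in addrs)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return entropy / math.log2(n)

def detect_storm_ids(entries, threshold=0.5):
    """Aliased IDs whose address divergence exceeds the (assumed) threshold."""
    id_to_addr, addr_to_id = index_entries(entries)
    return {i: round(subnet_divergence(id_to_addr[i]), 3)
            for i in aliased_candidates(id_to_addr, addr_to_id)
            if subnet_divergence(id_to_addr[i]) > threshold}
```

Note that "nat-id" passes the set-theoretic aliasing test but is dropped by the divergence step, which is the role the abstract assigns to the entropy measure.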
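The period-mining step of the BCM model, as an added example that is not the dissertation's code: connection timestamps of a monitored host are binned into slots, and a cyclic (wrap-around) autocorrelation over the binary occupancy series finds the lag that explains most of the connections; the clustering step that precedes it in BMBD is not shown. The 5-second bins, 10-minute window, 0.5 score threshold and the two constructed hosts are assumptions.

```python
BIN_SECONDS = 5        # assumption: connections are binned into 5-second slots
WINDOW_SECONDS = 600   # assumption: one 10-minute observation window

# Constructed sample: connection timestamps (seconds from window start) from two
# monitored hosts to the same external destination. "bot" beacons every ~60 s with
# +/-1 s jitter; "user" connects at irregular, human-driven times.
CONNECTIONS = {
    "bot":  [0, 61, 120, 181, 240, 299, 360, 421, 480, 540],
    "user": [3, 17, 45, 130, 151, 212, 330, 333, 470, 521],
}

def to_slots(timestamps, bin_seconds=BIN_SECONDS, window=WINDOW_SECONDS):
    """Map timestamps onto the set of occupied slots of an n-slot window."""
    n = window // bin_seconds
    return n, {(t // bin_seconds) % n for t in timestamps}

def cyclic_autocorrelation(slots, n, lag):
    """Fraction of occupied slots that are occupied again `lag` slots later,
    wrapping around the window (cyclic correlation of the binary series)."""
    return sum((s + lag) % n in slots for s in slots) / len(slots)

def mine_period(timestamps, bin_seconds=BIN_SECONDS, window=WINDOW_SECONDS, min_score=0.5):
    """Strongest periodic interval as (period_seconds, score), or None when no lag
    explains at least `min_score` of the connections (threshold is an assumption)."""
    n, slots = to_slots(timestamps, bin_seconds, window)
    if len(slots) < 3:
        return None
    best_lag, best_score = None, 0.0
    for lag in range(1, n // 2 + 1):   # ascending, so a tie keeps the fundamental period
        score = cyclic_autocorrelation(slots, n, lag)
        if score > best_score:
            best_lag, best_score = lag, score
    if best_score < min_score:
        return None
    return best_lag * bin_seconds, round(best_score, 2)

def bcm_matches(host_connections, **kw):
    """Hosts whose connections show a dominant period, i.e. match the periodic BCM."""
    found = {h: mine_period(ts, **kw) for h, ts in host_connections.items()}
    return {h: p for h, p in found.items() if p is not None}
```

The jittered beacons that cross a slot boundary (299 s, 421 s) lower the score but leave the 60-second lag as the clear peak, which is why a tolerance threshold rather than an exact match is used.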
