Research on Host-Based P2P Bot Detection Techniques
Abstract
Botnets are an increasingly serious threat to Internet security and have become a shared focus of attention among security researchers. Because IRC remains the mainstream control protocol for botnets, almost all related research has concentrated on detecting and characterizing the control channel of IRC botnets. The IRC-based command-and-control mechanism has a central point of control, which makes this client/server botnet architecture easy to track, detect and counter. Botnets built on P2P technology, by contrast, are greatly improved in robustness, security and stealth, which poses a challenge for discovering and monitoring them. Since P2P botnets differ strongly from one another, no general detection method exists yet; but as this class of botnet has kept developing in recent years, building an effective detection method for P2P botnets will be an important research topic.
     This thesis brings data mining techniques into the field of Internet information security. Taking P2P bot malware as the research object, it extracts harmful content, analyzes host behaviour and network communication, and distils the bots' internal activity patterns and propagation mechanisms, uncovering illegitimate behaviour and illegitimate connections on the host. On this basis it proposes a general and efficient method for detecting P2P bots that works from two directions: malicious-behaviour analysis and P2P traffic identification. The topic is highly innovative within bot research and also of considerable practical value.
     The thesis first collects a large number of bot samples and selects several typical P2P bots for in-depth analysis, abstracting their functional modules and studying their malicious behaviour on the host, their propagation methods, their attack techniques and the connection characteristics between peers; detailed analysis reports are produced on this basis. Next, the N-gram algorithm is applied to dynamic analysis of malicious behaviour: the API call sequence of an executable is extracted and quantified to obtain the frequency distribution of API substrings, from which it is judged whether the program has performed malicious behaviour. Then, building on existing traffic detection techniques, a P2P protocol identification method based on connection-behaviour features is proposed: a systematic analysis of various P2P application protocols identifies the characteristics shared by P2P traffic, from which a P2P behaviour-feature model is built to detect whether an executable is engaged in P2P communication. Finally, malicious-behaviour analysis and P2P protocol identification are combined: a reasonable time window is set, the executable's host behaviour and network communication are monitored dynamically within it, and real-time detection of P2P bots is achieved. Experiments show that the behaviour-feature-based P2P bot detection method proposed here has a high accuracy rate.
Being an increasing threat to Internet security, botnets have come into focus among researchers in the area of network security. As IRC is still the dominant protocol used by botnets, almost all the relevant research is concerned with detection of the Command and Control (C&C) channel of IRC botnets. An IRC-based C&C channel is highly centralized, which makes this client/server structure easy to track, detect and control. Compared with IRC botnets, botnets using P2P techniques are much improved in robustness and concealment, which brings big challenges in detecting and tracking such botnets. At present there is no general detection approach because of the strongly individual characteristics of P2P botnets. However, with the constant development of P2P botnets recently, constructing an effective detection method for P2P botnets will be an important research subject.
     In this thesis, data mining techniques are brought into the field of information security. We choose P2P-controlled bots as the research content, analyzing their malicious behaviors on the host and their communication so as to understand the rules of their activities and their transmission mechanism. Furthermore, a general and efficient detection method for P2P-controlled bots is proposed on the basis of this analysis so as to find unusual activities and connections. By combining analysis of malicious behaviors with identification of the P2P protocol, a general detection method for P2P-controlled bots is achieved which is not only highly innovative in this research area but also of high application value.
     In this thesis, a large number of bot samples are collected first. These samples are analyzed in order to understand their operating principles, content signatures, behavior characteristics, transmission rules and attacks, and detailed bot analysis reports are produced. Secondly, the text classification algorithm N-gram is used to construct the detection model that identifies malicious behaviors: by extracting and quantifying the API function calls of executables, we obtain the frequency distribution of the substrings cut from the API sequence and use it to verify whether the executable has performed malicious behaviors on the host. Thirdly, improvements are made to current traffic detection techniques and a method to identify P2P traffic is constructed; we emphasize the analysis of P2P connection behaviors and give a detailed description of the process of constructing the P2P behavior model. Finally, the detection approach combines malicious behavior analysis and P2P protocol identification effectively: a time window is set to monitor the behaviors on the host and the communication traffic dynamically, through which detection of P2P-controlled bots on the host is realized. A series of experiments then shows that the way of detecting P2P-controlled bots proposed in this thesis is effective.
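The two building blocks the abstract describes, an N-gram profile over API call sequences for malicious-behaviour analysis and a connection-behaviour check for P2P communication, combined over a time window, are illustrated below in an added example that is not code from the thesis. The API traces and connection records are constructed sample data (documentation IP ranges), the ranked-profile distance is the Cavnar-Trenkle out-of-place measure, and the P2P features used (both inbound and outbound connections plus many distinct remote peers inside the window) are a simplified assumption standing in for the thesis's behaviour-feature model.

```python
from collections import Counter

# --- 1. Malicious-behaviour analysis: N-gram profiles of API-call sequences ---

def api_ngrams(calls, n=2):
    """Count consecutive n-grams (API substrings) over one API-call sequence."""
    return Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))

def ngram_profile(traces, n=2, top=50):
    """Rank the most frequent n-grams across a set of traces (Cavnar-Trenkle style
    profile); returns {ngram: rank} with rank 0 for the most frequent n-gram."""
    counts = Counter()
    for trace in traces:
        counts.update(api_ngrams(trace, n))
    # stable sort keeps insertion order among equal counts, so ranks are deterministic
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])[:top]
    return {gram: rank for rank, (gram, _) in enumerate(ranked)}

def out_of_place_distance(sample, profile):
    """Sum of rank differences between a sample profile and a class profile;
    an n-gram absent from the class profile gets the maximum penalty."""
    penalty = len(profile)
    return sum(abs(rank - profile[g]) if g in profile else penalty
               for g, rank in sample.items())

def classify_trace(trace, profiles, n=2, top=50):
    """Assign the trace to the class whose profile is closest; returns (label, scores)."""
    sample = ngram_profile([trace], n, top)
    scores = {label: out_of_place_distance(sample, p) for label, p in profiles.items()}
    return min(scores, key=scores.get), scores

# --- 2. P2P communication check over a time window (simplified, assumed features) ---

def looks_p2p(conns, window_start, window_len, min_peers=5):
    """conns: (timestamp, direction, remote_ip, remote_port). Flags P2P-like
    behaviour when, inside the window, the process both accepts and initiates
    connections and talks to at least min_peers distinct remote hosts."""
    in_window = [c for c in conns if window_start <= c[0] < window_start + window_len]
    directions = {c[1] for c in in_window}
    peers = {c[2] for c in in_window}
    return {"in", "out"} <= directions and len(peers) >= min_peers

# --- 3. Combined verdict: malicious host behaviour AND P2P communication ---

def detect_p2p_bot(trace, conns, profiles, window_start, window_len):
    label, _ = classify_trace(trace, profiles)
    return label == "bot" and looks_p2p(conns, window_start, window_len)

# Constructed training traces (labelled API sequences, not real samples).
BENIGN_TRACES = [
    ["CreateFile", "ReadFile", "ReadFile", "CloseHandle", "CreateFile", "WriteFile", "CloseHandle"],
    ["GetModuleHandle", "LoadLibrary", "GetProcAddress", "CreateFile", "ReadFile", "CloseHandle"],
    ["CreateFile", "WriteFile", "WriteFile", "FlushFileBuffers", "CloseHandle"],
]
BOT_TRACES = [
    ["RegOpenKey", "RegSetValue", "RegCloseKey", "socket", "connect", "send", "recv", "connect", "send", "recv"],
    ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "socket", "connect", "recv"],
    ["socket", "bind", "listen", "accept", "recv", "send", "recv", "send", "socket", "connect"],
]
PROFILES = {"benign": ngram_profile(BENIGN_TRACES), "bot": ngram_profile(BOT_TRACES)}

# Constructed traces and connection logs for two unknown processes.
UNKNOWN_BOT_TRACE = ["RegOpenKey", "RegSetValue", "socket", "connect", "send", "recv", "connect", "recv"]
UNKNOWN_BENIGN_TRACE = ["CreateFile", "ReadFile", "CloseHandle", "CreateFile", "WriteFile", "CloseHandle"]
BOT_CONNS = [
    (2, "out", "198.51.100.1", 6881), (3, "in", "198.51.100.2", 6881),
    (4, "out", "198.51.100.3", 6881), (7, "in", "198.51.100.4", 6881),
    (9, "out", "198.51.100.5", 6881), (12, "in", "198.51.100.6", 6881),
    (70, "out", "198.51.100.7", 6881),  # outside a 60-second window starting at 0
]
BENIGN_CONNS = [
    (1, "out", "203.0.113.10", 443), (5, "out", "203.0.113.10", 443), (30, "out", "203.0.113.10", 443),
]

if __name__ == "__main__":
    for name, trace, conns in [("unknown-1", UNKNOWN_BOT_TRACE, BOT_CONNS),
                               ("unknown-2", UNKNOWN_BENIGN_TRACE, BENIGN_CONNS)]:
        label, scores = classify_trace(trace, PROFILES)
        print(name, label, scores, "p2p_bot=", detect_p2p_bot(trace, conns, PROFILES, 0, 60))
```

Each stage alone is weak evidence: a file-sync client will pass the P2P check and many benign installers touch the registry, which is why the verdict requires both signals inside the same window, as the thesis does. Real deployments would replace the hand-made profiles with ones trained on a sample corpus and tune the window length and peer threshold on the false-positive rate observed for legitimate P2P software.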
