Research on P2P-Based Botnets and Their Key Technologies
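Abstract
A botnet is a network of many vulnerable hosts controlled by a single attacker. Botnets are among the greatest threats on today's Internet; attackers typically use them to launch attacks such as spam, distributed denial-of-service attacks, click fraud, and so on. Early botnets mainly used a centralized command-and-control mechanism. Such botnets used the IRC protocol as their communication protocol, and because of the flaws of that protocol they have inherent weaknesses. Current botnets are therefore gradually moving to P2P protocols: attackers implement their command-and-control communication over a P2P protocol, which overcomes the single-point-of-failure problem of centralized botnets and also increases the botnet's robustness and stealth. This thesis therefore systematically analyzes P2P-based botnets from several angles: command-and-control mechanisms, communication protocols, evaluation models, and defenses. To better understand P2P botnets and their future development trends, their key technologies, evaluation models, and development trends need to be studied. This thesis analyzes P2P botnets in depth; the main research directions are as follows:
     1. We study a dynamic model of a two-layer P2P botnet. By comparing and analyzing existing P2P botnets, we study and propose a communication protocol and control framework for a two-layer P2P botnet, providing important theoretical and technical support for future defensive work. For the node selection mechanism, we propose an algorithm based on IP address similarity by which a super node selects its neighbor node list, and an AHP-based algorithm by which ordinary nodes select super nodes, focusing on three aspects of a super node: online time, round-trip time, and hardware configuration. The final validation shows that, with the aid of the adaptive algorithm and the IP address similarity algorithm and with the analytic hierarchy process used to evaluate super nodes, the robustness and efficiency of the whole botnet are enhanced.
     2. We study the individual characteristics of bot programs and their network characteristics, and propose a comprehensive evaluation system for P2P botnets with corresponding evaluation indicators: stealth, effectiveness, efficiency, and robustness. Stealth covers the stealth of the host itself and the stealth of communication after the endpoint has been implanted, and mainly includes the following aspects: the ability to resist antivirus software, the communication encryption mechanism, task traffic volume, and maintenance traffic volume. Effectiveness is used to evaluate the destructive capability a botnet can produce; to some extent this indicator is equivalent to the size of the botnet, that is, the number of hosts that can be controlled. When evaluating effectiveness, this thesis also uses the online time of each machine to estimate the total number of machines available at a given moment, and from that evaluates the effectiveness produced. Efficiency is used to evaluate how fast the botnet executes commands, that is, the time needed from the controller issuing a command until every bot has received it; this indicator is closely related to the diameter of the botnet. Robustness expresses the stability of the botnet's architecture: the effect on the whole network when bots go online or offline or are destroyed. It mainly includes the following aspects: whether single-point-of-failure nodes exist, and the effect on the botnet of destroying certain nodes at random or by targeting. The research verifies that robustness is related, to some extent, to the average degree of the bot nodes and to the variation in degree. In the course of the research, the important indicators of the evaluation model and the related formulas are presented, together with experimental results for the proposed indicators. The communication mechanisms of existing P2P botnets can be summarized as two models, the Send communication model and the Request communication model; the evaluation indicators proposed in this chapter are used to evaluate and analyze these two models and to study their relationship to the basic characteristics of botnets.
     3. We propose a defense strategy for P2P botnets that use a private protocol. Super nodes play a very important role in a P2P botnet: they not only execute commands as ordinary nodes do, but also carry the important task of forwarding and propagating tasks. The defense strategy studied in this thesis concentrates on the key nodes among the super nodes of a P2P botnet. Two feasible methods are proposed for detecting the key nodes in a botnet, and experiments verify that destroying the key nodes can play a key role in defending against P2P botnets.
     4. Based on the two-layer P2P botnet dynamic model of Chapter 2, a botnet was implemented. To strengthen the robustness and stealth of the botnet, the key technologies of the command-and-control mechanism were designed in detail, including the time synchronization mechanism, the command distribution mechanism, the encryption and authentication mechanism, botnet management, and the message types used during communication. The system architecture, functional modules, and command-and-control mechanism of the botnet are also described in detail. A real environment was built in which the botnet's traffic volume, robustness, and efficiency were tested, and the AHP-based selection algorithm and the IP-address-similarity-based selection algorithm proposed in Chapter 2 were analyzed.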
A "botnet" is a network of compromised computers (bots) controlled by an attacker (the botmaster). Botnets are one of the most serious threats to today's Internet; they are the root cause of many current Internet attacks, such as email spam, distributed denial of service (DDoS) attacks, click fraud, etc. Early botnets mainly used a centralized command and control mechanism. Such botnets built their command and control channel on the IRC protocol; this kind of botnet is relatively mature and has weak security. Botnet control technology is therefore gradually shifting to P2P: attackers have explored distributed command and control over P2P protocols to counter the single point of failure problem and to increase robustness and concealment. We therefore systematically study peer-to-peer botnets along multiple dimensions: command and control mechanisms and communication protocols, botnet evaluation models, and some defense ideas. To deepen the understanding of the performance of P2P botnets, it is necessary to study their key technologies, evaluation models and development trends. This paper investigates the key technologies of P2P botnets, and the main research results are as follows:
     1. We study a dynamic model of the double-layer P2P botnet structure. By comparing and analyzing existing P2P botnets, we forecast and study the communication protocol and control framework of the double-layer P2P botnet structure, which provides important theoretical and technical support for defense work. For the node selection mechanism, we propose a distance and degree strategy to help a super-node choose its neighbor list, and use the AHP algorithm for a common node to select its super-node in the P2P botnet, with a strong focus on three aspects of the super-node: online time, round-trip time and hardware configuration. Finally, simulation results show that the robustness and efficiency of the entire botnet are enhanced with the support of the IP address similarity algorithm and the use of AHP to assess super-nodes.
     2. We study the sample and network characteristics of botnets, and present a comprehensive evaluation system and the corresponding evaluation indicators for P2P botnets. Stealth includes the host's own stealth and the stealth of communications after implantation on the terminal, covering the following areas: capability against antivirus software, the communication encryption mechanism, traffic caused by tasks, and maintenance traffic. Effectiveness is mainly used to evaluate a botnet's destructive power; to a certain extent this index is equivalent to the botnet's size, that is, the number of hosts it controls. When evaluating effectiveness, we also use the online time of each machine to estimate the total number of machines usable at a given time, and then assess the effectiveness. Efficiency is mainly used to assess the speed at which the botnet executes commands, that is, the time from the controller issuing a command until every bot has received it; this indicator is closely related to the diameter of the botnet. Robustness mainly expresses the stability of the botnet structure and the impact on the botnet when bots go online or offline or are destroyed. It includes the following: whether single-point-of-failure nodes exist, and the impact on the botnet after some nodes are destroyed at random or by targeting. Studies have shown that robustness is related, to some extent, to the average node degree and the difference in node degree. In the research process, the important indicators of the evaluation model, the relevant formulas, and the proposed indices are given along with the experimental results. Existing P2P botnet communication mechanisms can be divided into two kinds of model; we evaluate and analyze the two models with the evaluation indices in order to study the relationship between the basic characteristics of botnets and the evaluation indices.
     3. The paper proposes a defense strategy for P2P botnets that use a proprietary protocol. Super-nodes play a very important role in a P2P botnet: they not only execute commands as common nodes do, but also take on the important task of forwarding and spreading tasks. The defense strategy in this paper mainly studies the key nodes among the super-nodes of a P2P botnet and proposes two feasible ways to detect the key nodes in the botnet; experiments show that destroying key nodes can have a multiplier effect in defending against P2P botnets.
     4. A botnet is implemented according to the double-layer P2P botnet dynamic model of the second chapter. To strengthen the robustness and concealment of the botnet, the key techniques of the command and control mechanism are designed in detail: the time synchronization mechanism, the command issuing mechanism, the encryption and authentication mechanism, botnet management, and the message types used in communication. The botnet's system structure, function modules and command and control mechanism are also designed in detail. A real environment is built for the botnet in order to test its traffic, robustness and efficiency, and to analyze the AHP-based and IP-address-similarity-based selection algorithms proposed in the second chapter.
