Research on Key Technologies for Cooperative Botnet Detection and Identification
Abstract
With the widespread use of the Internet, malware is running rampant across the network, giving rise to all kinds of network attacks and network fraud; among this malware, the bot is one of the newest types. Attackers build a botnet from controlled hosts into which a bot program has been implanted, and use this platform to carry out a variety of malicious activities on the Internet, such as launching Distributed Denial of Service (DDoS) attacks, sending spam, phishing and information theft. By establishing a command and control mechanism, the attacker communicates with the controlled hosts and manages the botnet members centrally. A typical botnet can have tens of thousands to hundreds of thousands, or even millions, of controlled hosts, giving it enormous attack power and consuming large amounts of network bandwidth and processing capacity. Botnets are considered the greatest threat to Internet security. It is therefore especially important to explore how to detect and identify botnets and to effectively track, defend against, control and mitigate the harm they cause. To address these problems, this dissertation focuses on the following aspects:
First, for centralized botnets that use the Internet Relay Chat (IRC) protocol and the HTTP protocol, a botnet detection method based on the similarity of communication traffic and the characteristics of domain name queries is proposed. On the basis of an analysis of the communication behaviour of centralized botnets and of the group characteristics of the DNS query data flows of controlled hosts, the concept of the cloud model is introduced. A cloud model of the dissimilarity of botnet communication traffic is defined and used to mine groups of hosts exhibiting botnet communication behaviour; the traffic between these hosts and DNS servers is then analysed. Through cluster analysis of domain access frequency and DNS query traffic, the controlled hosts of the botnet are finally determined. The detection capability of the method is evaluated with typical bot samples and real background traffic and compared with related work, which validates its advantages.
Second, since botnet structures are becoming increasingly complex and hidden relationships may exist between different groups of controlled hosts, a method for measuring botnet similarity is proposed. Features of the botnet's internal communication are analysed, including the number of data flows, the number of packets per flow, the communication volume per host and the packet payload, and a statistical function for feature similarity is defined for each. On this basis, an improved D-S evidence theory is used to fuse the individual feature similarities and build a botnet relationship analysis model that evaluates the overall similarity of two botnets. Experimental results show that the method is effective and still performs well when evaluating botnets that use encrypted communication. The method was also applied to real botnet data captured by a backbone network security monitoring platform, with satisfactory results.
Third, the command and control servers of IRC botnets and HTTP botnets frequently migrate to evade detection; to address this, a method for identifying botnet migration is proposed. Based on the multiple features a botnet exhibits during migration, the C-F model is used to fuse these features and determine whether two given batches of bot hosts have a migration relationship. Experiments with typical bot samples show that the method can effectively identify botnet migration. Compared with a method that relies solely on the overlap ratio of IP addresses, the method still identifies migration well when the number of botnet members changes dynamically.
Finally, to discover hidden relationships that may exist between security events occurring at different geographic locations and during different time periods in the open Internet, a distributed Cooperative Work Model (CWM) for detecting and identifying network security events is proposed based on the idea of the universal Turing machine, and a Cooperative Work System (CWS) for backbone networks is designed and implemented on this model. The multi-layer architecture of the CWM is analysed and compared with the security-domain-based Security Operations Center (SOC) model. Application cases verify that the CWS can coordinate different types of network devices on the backbone to track, detect, analyse and identify botnets together. Analysis of typical data shows that the CWS not only identifies relationships between security events at different times and places, but also effectively supports the discovery of deeper security risks arising from the correlation of these events.
This dissertation investigates key technologies for botnet detection and identification, including botnet similarity measurement and botnet migration analysis; it proposes methods and a model for cooperative detection and identification of botnets and develops the corresponding system. The aim is to detect and track botnets effectively and to identify botnet relationships and scale accurately, so that the harm of botnets can be prevented and controlled. The results are of theoretical and practical significance for research on botnet defence and also serve as a reference for detecting and preventing other distributed malicious network events.
With the widespread use of the Internet, malware is spreading like a plague. There are various kinds of attacks and fraudulent activities on the Internet, and the bot is one of the newest forms of malware. Attackers build a botnet from compromised computers, called zombies, that are controlled by the bot software installed on them. This network is then used as a platform for malicious activities such as Distributed Denial of Service (DDoS) attacks, spam, phishing and information theft. Attackers communicate with the bots by creating command and control mechanisms and manage the botnet members in a unified way. A botnet typically contains tens to hundreds of thousands of bots, and some even have several million. Given the magnitude and potency of the attacks afforded by the combined bandwidth and processing power of the zombies, botnets are now considered the largest threat to Internet security. It is therefore all the more important to explore how to detect and identify a botnet and to effectively track, defend against, control and reduce the damage caused by botnets. To address these issues, the research work of this dissertation focuses on the following aspects:
Firstly, a method to detect centralized botnets that use the IRC (Internet Relay Chat) and HTTP protocols is proposed, based on the similarity of communication flows and the properties of DNS queries. On the basis of an analysis of the features of centralized botnet communication and of the grouped data flows generated when bots query DNS, the concept of the cloud model is introduced. A cloud model is proposed to define the dissimilarity of botnet communication flows, and the group of hosts exhibiting the features of botnet communication is mined. The communication flows between these hosts and the DNS servers are then analysed. By cluster analysis of the access frequency and the DNS query data flows, the controlled computers are finally determined. The detection capability of the proposed method is evaluated using typical botnet samples and real background traffic, and it is compared with related work; this validates the advantages of the method.
Secondly, to address the issues caused by the increasing structural complexity of botnets and potential implicit relationships between different botnets, an approach for measuring botnet similarity is proposed. The botnet features analysed include the number of internal communication data flows, the number of packets per data flow, the amount of communication between bots and the payload of data packets. A statistical function is presented to define the similarity of each botnet feature. On this basis, the various feature similarities are fused by means of an improved D-S (Dempster-Shafer) evidence theory, and a model is set up to analyse the relationship between botnets and comprehensively evaluate the feature similarities of two botnets. The experimental results show that the approach presented in this dissertation is effective and works well even when evaluating botnets with encrypted communication. Moreover, applying the approach to practical botnet data captured by the security monitoring platform of the backbone network achieved the desired effect.
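One way to realise the feature-level fusion described above, as an added example that is not the dissertation's code: each feature similarity becomes a discounted mass function on {same, different}, and the four features named in the text are combined with Dempster's rule (the standard rule, not the dissertation's improved variant). The similarity functions, the reliability weights and the three botnet profiles are assumptions; setting a feature's reliability to 0 makes it vacuous, which is how the encrypted-traffic case is handled here.

```python
"""Dempster-Shafer fusion of per-feature botnet similarities (added example)."""
from itertools import product

# Frame of discernment: S = "the two botnets are the same or related", D = "different".
S, D = "S", "D"
THETA = frozenset({S, D})

def scalar_similarity(a, b):
    """Assumed similarity of two non-negative counts: 1 - |a - b| / max(a, b)."""
    if a == b:
        return 1.0
    return 1.0 - abs(a - b) / max(a, b)

def jaccard(a, b):
    """Assumed similarity of two payload-signature sets: the Jaccard index."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def similarity_to_mass(sim, reliability):
    """Mass function for one feature, discounted by how far the feature is trusted.
    reliability 0 makes the feature vacuous (all mass on THETA), e.g. payload under encryption."""
    return {
        frozenset({S}): sim * reliability,
        frozenset({D}): (1.0 - sim) * reliability,
        THETA: 1.0 - reliability,
    }

def dempster_combine(m1, m2):
    """Dempster's rule of combination; returns (combined mass function, conflict K)."""
    combined, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        common = b & c
        if common:
            combined[common] = combined.get(common, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict >= 1.0:
        raise ValueError("total conflict between sources; Dempster's rule is undefined")
    return {k: v / (1.0 - conflict) for k, v in combined.items()}, conflict

def feature_similarities(pa, pb):
    """Per-feature similarity of two botnet profiles (the four features named in the text)."""
    return {
        "flows": scalar_similarity(pa["flows"], pb["flows"]),
        "packets_per_flow": scalar_similarity(pa["packets_per_flow"], pb["packets_per_flow"]),
        "bytes_per_host": scalar_similarity(pa["bytes_per_host"], pb["bytes_per_host"]),
        "payload": jaccard(pa["payload_sigs"], pb["payload_sigs"]),
    }

def botnet_similarity(pa, pb, reliability):
    """Fuse all feature similarities; returns belief and plausibility of S and the largest K seen."""
    fused, max_conflict = None, 0.0
    for name, sim in feature_similarities(pa, pb).items():
        m = similarity_to_mass(sim, reliability[name])
        if fused is None:
            fused = m
        else:
            fused, k = dempster_combine(fused, m)
            max_conflict = max(max_conflict, k)
    belief = fused.get(frozenset({S}), 0.0)
    return {"belief_same": belief,
            "plausibility_same": belief + fused.get(THETA, 0.0),
            "max_conflict": max_conflict}

# --- constructed profiles: aggregate statistics of each botnet's internal traffic ---
BOTNET_A = {"flows": 1200, "packets_per_flow": 8, "bytes_per_host": 4096,
            "payload_sigs": {"PING", "PONG", "JOIN #ch", "PRIVMSG"}}
BOTNET_B = {"flows": 1000, "packets_per_flow": 8, "bytes_per_host": 4000,
            "payload_sigs": {"PING", "PONG", "JOIN #ch", "NICK"}}
BOTNET_C = {"flows": 150, "packets_per_flow": 40, "bytes_per_host": 60000,
            "payload_sigs": {"GET /gate", "POST /cmd"}}
# Assumed trust in each feature; payload is set to 0 when the C&C traffic is encrypted.
RELIABILITY = {"flows": 0.8, "packets_per_flow": 0.7, "bytes_per_host": 0.6, "payload": 0.9}
ENCRYPTED = dict(RELIABILITY, payload=0.0)

if __name__ == "__main__":
    for label, other, rel in (("A~B", BOTNET_B, RELIABILITY),
                              ("A~B, encrypted", BOTNET_B, ENCRYPTED),
                              ("A~C", BOTNET_C, RELIABILITY)):
        print(label, {k: round(v, 3) for k, v in botnet_similarity(BOTNET_A, other, rel).items()})
```

The returned conflict K is worth surfacing alongside the belief: a high K means the features disagree, which is exactly the situation where an unmodified Dempster's rule is known to behave poorly.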
Thirdly, the command and control servers of IRC and HTTP botnets are often migrated to avoid detection. To address this issue, an approach is proposed for identifying the migration of a botnet. Based on the multiple features that appear during the migration of a botnet, the migration relationship between two botnets is comprehensively analysed and determined by adopting the C-F model to fuse the features. Typical botnet samples are used in the evaluation experiments. The results show that the approach proposed in this dissertation can effectively identify botnet migration. Compared with the method that uses only the overlap ratio of IP addresses, the presented approach still identifies migration well when the number of botnet members changes dynamically.
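An added example, not the dissertation's code, of fusing migration features with the C-F (certainty factor) model: the `Sighting` record format, the three features (IP overlap, ordered hand-off of shared hosts, change of C&C server) and their mapping to certainty factors are assumptions. The constructed batches show the overlap-only baseline missing a migration in which most members are new, while the fused certainty factor still flags it.

```python
"""Certainty-factor (C-F) fusion of botnet migration features (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    """One bot host seen talking to one C&C server (assumed record format)."""
    ip: str
    cnc: str
    first_seen: int  # minutes since the start of the capture
    last_seen: int


def cf_combine(cf1, cf2):
    """MYCIN parallel combination of two certainty factors in [-1, 1]."""
    if cf1 >= 0 and cf2 >= 0:
        return cf1 + cf2 * (1 - cf1)
    if cf1 < 0 and cf2 < 0:
        return cf1 + cf2 * (1 + cf1)
    return (cf1 + cf2) / (1 - min(abs(cf1), abs(cf2)))


def ip_overlap(old, new):
    """Baseline the text compares against: |old ∩ new| / min(|old|, |new|) over IPs."""
    ips_old, ips_new = {s.ip for s in old}, {s.ip for s in new}
    return len(ips_old & ips_new) / min(len(ips_old), len(ips_new))


def migration_features(old, new):
    """Assumed features of two batches of bot sightings."""
    by_ip_old = {s.ip: s for s in old}
    shared = [s for s in new if s.ip in by_ip_old]
    # Ordered hand-off: a shared host left the old C&C no later than it joined the new one.
    handed_off = sum(1 for s in shared if by_ip_old[s.ip].last_seen <= s.first_seen)
    return {
        "overlap": ip_overlap(old, new),
        "handoff": handed_off / len(shared) if shared else 0.0,
        "cnc_changed": {s.cnc for s in old}.isdisjoint({s.cnc for s in new}),
    }


def migration_cf(old, new):
    """Fuse the features with the C-F rule; the feature-to-CF mapping is assumed."""
    f = migration_features(old, new)
    evidence = [
        2 * f["overlap"] - 1,               # IP overlap alone is weak once members churn
        0.9 * (2 * f["handoff"] - 1),       # ordered hand-off of shared hosts is strong
        0.2 if f["cnc_changed"] else -0.9,  # same C&C on both sides: nothing migrated
    ]
    cf = evidence[0]
    for e in evidence[1:]:
        cf = cf_combine(cf, e)
    return cf


def is_migration(old, new, threshold=0.5):
    return migration_cf(old, new) >= threshold


def overlap_only_is_migration(old, new, threshold=0.5):
    return ip_overlap(old, new) >= threshold


# --- constructed batches (RFC 1918 addresses, .invalid C&C names) ---
OLD = [Sighting(f"10.0.0.{i}", "cnc-old.invalid", 0, 100 + i) for i in range(1, 11)]
# Migrated batch: three old members hand off to the new C&C and twelve fresh members join.
NEW = [Sighting(f"10.0.0.{i}", "cnc-new.invalid", 130 + i, 400) for i in range(1, 4)]
NEW += [Sighting(f"10.0.1.{i}", "cnc-new.invalid", 140, 400) for i in range(1, 13)]
# Unrelated batch: one coincidental shared IP, active before the old batch went quiet.
OTHER = [Sighting("10.0.0.5", "cnc-other.invalid", 10, 90)]
OTHER += [Sighting(f"10.0.2.{i}", "cnc-other.invalid", 10, 90) for i in range(1, 15)]

if __name__ == "__main__":
    for label, batch in (("migrated", NEW), ("unrelated", OTHER)):
        print(f"{label}: overlap={ip_overlap(OLD, batch):.2f} cf={migration_cf(OLD, batch):.2f}",
              f"overlap-only={overlap_only_is_migration(OLD, batch)} c-f={is_migration(OLD, batch)}")
```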
Finally, in order to identify the potential implicit relationships between security events occurring at different geographic positions and times in the open Internet environment, a Coordinative Work Model (CWM) based on the idea of the universal Turing machine is proposed to detect and identify distributed network security events. Based on this model, the Coordinative Work System (CWS) is designed and implemented to detect and identify distributed network security events occurring in the backbone network. The multi-layered architecture of the CWM is analysed and compared with the SOC (Security Operations Center) based model. Practical cases validate that the CWS can coordinate different types of network equipment in the backbone network to work together effectively in tracking, detecting, analysing and identifying botnets. The analysis of typical experimental data shows that the CWS is not only able to analyse and identify the relationships between security incidents occurring at different times and places, but also effectively supports the discovery of deeply hidden threats raised by the correlation between different incidents.
The key technologies of botnet detection and identification are investigated in this dissertation, including the measurement of botnet similarity and the analysis of botnet migration. Methods and models for the coordinated detection and identification of botnets are presented, and the corresponding systems are developed. This is intended to detect and track botnets effectively and to correctly identify the relationships between botnets and their scale, so as to prevent and control the damage caused by botnets. The research results of this dissertation are of important theoretical and practical significance for research on botnet defence technologies, and also have reference value for detecting and warding off other distributed malware incidents on the Internet.