Research on Botnet Countermeasure Techniques
Abstract
With the rapid development of the Internet, computers and the network have become indispensable parts of daily life, yet the Internet faces a large number of security threats, and botnets are among the most serious. A botnet is a group of computers that an attacker has secretly assembled over the Internet and can control centrally. It is not a specific security incident but a platform in the attacker's hands, from which attacks of broader coverage, greater intensity and lower detectability can be launched. The high level of botnet activity has drawn widespread attention. Current botnet research falls into five areas: detection, measurement, tracking, proactive defense and architecture research. Detection is the foundation of measurement, tracking and proactive defense, and architecture research is the precursor to defending against botnets that may appear in the future. Honeypot and honeynet technology is a strong support for detection, measurement and tracking, so although honeypot research is not itself a botnet research direction, it lays the groundwork for botnet research. This dissertation follows these research directions and studies botnet countermeasure techniques in depth. The main contents are as follows:
     The definition, attributes, evolution and harm of botnets are presented. Work in the five research areas is surveyed, and the contents and goals of this dissertation are made clear.
     A distributed honeypot deployment model aimed at capturing bot samples is studied. Analysis of bot samples provides strong support for every direction of botnet research, so sample capture is the foundation of that research. Existing work on capturing bot samples concentrates on the design, implementation and application of honeypots, whereas research on deployment strategy can raise deployment efficiency and lower deployment cost, and so has real practical significance. The model proposed here describes the relationship between the requirements of bot sample analysis, the propagation properties of bots, detection time, detection probability and the honeypot deployment parameters. On the basis of the model analysis, two parameters are proposed, the honeypot deployment threshold and the network distance, which characterize respectively the optimal number of honeypots and their optimal placement. They provide a theoretical basis for building real distributed honeypot systems and aim at a balance between cost and benefit.
     IRC botnet detection algorithms are studied. Detection is the focus of botnet countermeasures. Existing IRC botnet detection algorithms have two problems: they need prior knowledge to obtain matching patterns, and they cannot meet real-time processing requirements. To solve both, this dissertation proposes IRC botnet detection algorithms based on two host behavior features, nickname similarity and command sequence similarity. Three attributes are proposed that characterize the similarity of two nicknames from the complementary aspects of content, composition and structure; a quantified similarity factor for two nicknames is derived from them, and an elastic TRW (threshold random walk) algorithm driven by this factor performs real-time IRC botnet detection. On the basis of an analysis of how bots log in to the server, an auxiliary detection algorithm based on command sequence similarity is also proposed.
     A reconfigurable botnet architecture is studied. Botnet architecture research is another approach to countering botnets: it lets security researchers prepare in advance for botnets that may appear in the future. The command and control (C&C) channel is the core of a botnet, and robustness is its design goal. Most existing C&C structures have second-level robustness; this dissertation studies the architecture of a reconfigurable botnet with third-level robustness. The botnet has two C&C channels, obtains commands by sniffing, and protects key nodes with Tor Hidden Services; when the communication C&C fails, the reconstruction C&C rebuilds the botnet. Alongside the analysis of this architecture, its weaknesses are studied, the botnet life cycle is extended, and three methods for countering a reconfigurable botnet are given.
     On the basis of the completed work, a botnet detection system for large-scale network environments is designed and implemented. The system is built on a high-performance packet capture platform; its matching rules are URLs and sensitive keywords generated automatically from bot samples captured by honeymonkeys and honeypots; and its core is a rule-driven HTTP botnet detection algorithm together with the IRC botnet detection algorithm based on host behavior features, with which it performs real-time botnet detection. Two weeks of detection results are analyzed in detail; they show that botnets are currently in an active period and, correspondingly, demonstrate that the detection system is effective.
With the fast development of the Internet, computers and networks have become indispensable elements of daily life. However, the Internet faces many security threats, and botnets are one of them. A botnet is a set of computers secretly controlled by an attacker. A botnet is not a particular attack but a platform, which can be used to launch attacks with broader coverage, higher intensity and greater difficulty of prevention. The high level of botnet activity has drawn the attention of many defenders. There are five areas of botnet research: detection, measurement, tracking, proactive defense and botnet architecture research. Detection is the foundation of measurement, tracking and proactive defense. Architecture research is the precursor of defending against future botnets. Although honeypots are not a botnet research area as such, they provide deep support for detection, measurement and tracking, so research on honeypots is important for botnet defense. This dissertation focuses on botnet countermeasure techniques. The main contents are as follows:
     The definition, attributes, timeline and main dangers of botnets are presented first. The dissertation then surveys current research in the five areas of botnets and makes clear the contents and aims of the dissertation.
     Research on the distributed honeypot deployment model for capturing bot samples. Capturing bot samples is the foundation of botnet research, and analyzing bot samples provides strong support for botnet research. There is little research work on honeypot deployment. The model discussed in this dissertation expounds the relationship among the needs of bot sample analysis, the spreading attributes of bot samples, detection time, detection probability and honeypot deployment parameters. Based on analysis of the model, a honeypot deployment threshold and a network distance are proposed. The two parameters give the number and position for honeypot deployment. This can guide the construction of distributed honeypot systems and achieve a balance between economy and efficiency. This work fills gaps in honeypot deployment research.
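The relationship between spreading behaviour, detection time, detection probability and the number of sensors can be made concrete with a simple scanning model. The Python below is an added example written for this page, not the dissertation's model: it assumes bots probe addresses uniformly at random over the address space, that each honeypot answers for one contiguous block of addresses, and that a single probe landing on a sensor counts as detection. Under those assumptions the number of probes until the first hit is geometric, which gives closed forms for detection probability, expected detection time, and the smallest sensor count that reaches a target probability within a time window (a deployment threshold in the sense used above). The network-distance parameter depends on topology and is not modelled here.

```python
"""Honeypot deployment threshold under a uniform random-scanning model.

Assumed model (not the dissertation's): each scanning bot probes addresses
chosen uniformly at random from `space_size` addresses at `scan_rate` probes
per second; each honeypot sensor owns a block of `block_size` consecutive
addresses; any probe that lands in a monitored block is a detection.
"""
import math


def hit_probability(sensors: int, block_size: int, space_size: int) -> float:
    """Probability that a single random probe lands on a monitored address."""
    return min(1.0, sensors * block_size / space_size)


def detection_probability(sensors, block_size, space_size, scan_rate, bots, window):
    """P(at least one probe hits a sensor within `window` seconds)."""
    p = hit_probability(sensors, block_size, space_size)
    probes = scan_rate * bots * window          # total probes emitted in the window
    return 1.0 - (1.0 - p) ** probes


def expected_detection_time(sensors, block_size, space_size, scan_rate, bots):
    """Mean seconds until the first hit (geometric waiting time / probe rate)."""
    p = hit_probability(sensors, block_size, space_size)
    return 1.0 / (p * scan_rate * bots)


def deployment_threshold(block_size, space_size, scan_rate, bots, window, target):
    """Smallest sensor count whose detection probability within `window` is >= target.

    Solves 1 - (1 - p)^probes >= target for the per-probe hit probability p, then
    converts p back into a number of sensors (rounded up).
    """
    probes = scan_rate * bots * window
    p_needed = 1.0 - (1.0 - target) ** (1.0 / probes)
    return math.ceil(p_needed * space_size / block_size)


if __name__ == "__main__":
    # One bot scanning IPv4 at 10 probes/s, /24 sensors, 90% detection within an hour.
    n = deployment_threshold(256, 2 ** 32, 10, 1, 3600, 0.9)
    print("sensors needed:", n)
    print("P(detect in 1h):", detection_probability(n, 256, 2 ** 32, 10, 1, 3600))
    print("expected detection time (s):", expected_detection_time(n, 256, 2 ** 32, 10, 1))
```

The threshold falls roughly in proportion to the number of infected hosts scanning, because their probes are pooled; the same model therefore also says how much a late deployment can be compensated by a larger sensor footprint.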
     Research on the detection of IRC-based botnets. There are two problems in current algorithms for IRC-based botnet detection. One is that the detection algorithms require some prior knowledge of the botnet to generate matching patterns. The other is that the algorithms cannot perform detection online. To solve these problems, this dissertation proposes two IRC botnet detection algorithms based on host behavior. Three attributes, LCS rate, compositive distance and RN dice coefficient, are discussed to quantify the similarity of nicknames from three aspects: content, composition and structure. To detect IRC botnets online, an extended TRW algorithm based on the similarity of nicknames is proposed. This dissertation also proposes a detection algorithm based on the command sequence of IRC clients.
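To show how nickname similarity can drive an online sequential test, here is an added Python example written for this page; it is not the dissertation's code. The content, composition and structure attributes below are one reasonable reading of those three aspects, not the dissertation's exact LCS rate, compositive distance and RN dice coefficient, whose formulas the abstract does not give. The sequential test is the plain threshold random walk of Jung et al. (Wald's sequential probability ratio test) rather than the extended variant proposed above, and the command-sequence algorithm is not covered. The JOIN stream, similarity threshold and walk parameters are all constructed.

```python
"""IRC nickname similarity feeding a threshold random walk (TRW) for online detection.

Added example for this page, not the dissertation's code. The attribute
definitions are assumptions standing in for the dissertation's; the walk is the
standard TRW / SPRT with constructed parameters.
"""
import math
import re
from collections import Counter


def lcs_length(a: str, b: str) -> int:
    """Longest common subsequence length by the standard O(|a||b|) DP."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def lcs_rate(a: str, b: str) -> float:
    """Content: shared subsequence length relative to the longer nickname."""
    return lcs_length(a, b) / max(len(a), len(b), 1)


def _classes(s: str) -> str:
    """Map each character to L (letter), D (digit) or S (anything else)."""
    return "".join("L" if c.isalpha() else "D" if c.isdigit() else "S" for c in s)


def composition_similarity(a: str, b: str) -> float:
    """Composition: 1 minus half the L1 distance between letter/digit/symbol proportions."""
    def profile(s):
        cnt = Counter(_classes(s))
        return [cnt[k] / max(len(s), 1) for k in "LDS"]
    return 1.0 - sum(abs(x - y) for x, y in zip(profile(a), profile(b))) / 2.0


def structure_dice(a: str, b: str) -> float:
    """Structure: Dice coefficient over run-length class tokens ('ab12' -> {L2, D2})."""
    def tokens(s):
        return {m.group(0)[0] + str(len(m.group(0)))
                for m in re.finditer(r"L+|D+|S+", _classes(s))}
    ta, tb = tokens(a), tokens(b)
    return 2.0 * len(ta & tb) / (len(ta) + len(tb)) if ta or tb else 1.0


def nick_similarity(a: str, b: str) -> float:
    """Combined similarity factor: unweighted mean of the three attributes (assumed)."""
    return (lcs_rate(a, b) + composition_similarity(a, b) + structure_dice(a, b)) / 3.0


class ChannelWalk:
    """TRW state for one IRC channel.

    Every JOIN after the first yields Y=1 if the new nickname is similar to some
    earlier nickname in the channel (similarity >= SIM_THRESHOLD), else Y=0.
    theta1/theta0 are P(Y=1) under the bot/benign hypotheses; alpha/beta bound the
    false-positive/miss rates. The log-likelihood ratio accumulates until it
    crosses log((1-beta)/alpha) ("bot") or log(beta/(1-alpha)) ("benign").
    """
    SIM_THRESHOLD = 0.8

    def __init__(self, theta0=0.2, theta1=0.8, alpha=0.01, beta=0.01):
        self.nicks, self.llr, self.verdict = [], 0.0, None
        self.step_up = math.log(theta1 / theta0)
        self.step_down = math.log((1 - theta1) / (1 - theta0))
        self.upper = math.log((1 - beta) / alpha)
        self.lower = math.log(beta / (1 - alpha))

    def observe(self, nick: str):
        """Feed one JOIN; returns "bot", "benign" or None while undecided."""
        if self.verdict is None and self.nicks:
            similar = max(nick_similarity(nick, n) for n in self.nicks) >= self.SIM_THRESHOLD
            self.llr += self.step_up if similar else self.step_down
            if self.llr >= self.upper:
                self.verdict = "bot"
            elif self.llr <= self.lower:
                self.verdict = "benign"
        self.nicks.append(nick)
        return self.verdict


def detect(joins):
    """Run one walk per channel over (channel, nick) JOIN events; return channel -> verdict."""
    walks = {}
    for channel, nick in joins:
        walks.setdefault(channel, ChannelWalk()).observe(nick)
    return {c: w.verdict for c, w in walks.items()}


# Constructed JOIN stream (not captured traffic): templated bot-style nicknames
# in one channel interleaved with human-looking nicknames in another.
SAMPLE_JOINS = [
    ("#c0ntrol", "[US]bot_1234"), ("#linux", "alice"),
    ("#c0ntrol", "[DE]bot_9876"), ("#linux", "Bob_42"),
    ("#c0ntrol", "[CN]bot_5531"), ("#linux", "neo"),
    ("#c0ntrol", "[FR]bot_0042"), ("#linux", "kernelhacker"),
    ("#c0ntrol", "[UK]bot_7710"), ("#linux", "sue"),
]

if __name__ == "__main__":
    for channel, verdict in detect(SAMPLE_JOINS).items():
        print(channel, verdict)
```

With theta1/theta0 = 4 and alpha = beta = 0.01, four consecutive similar JOINs are enough to reach the "bot" boundary, so a channel is classified after a handful of observations without any pre-built nickname pattern; the walk is per channel, so a channel that only occasionally sees two look-alike nicknames drifts back towards "benign" instead of accumulating false evidence.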
     Research on the architecture of a recoverable botnet. Botnet architecture research is another way to defend against botnets; it can provide a guard against future botnets. The command and control channel is the anchor point of a botnet and has robustness as its design goal. The command and control structures of most current botnets reach the second level of robustness. This dissertation proposes a recoverable botnet that reaches the third level of robustness. This botnet has two command and control channels. It uses a sniffer method to obtain commands and uses Tor Hidden Services to protect the key nodes of the botnet. When the communication C&C cannot work, it uses the recovery C&C to rebuild the botnet. The dissertation discusses the weak points of this recoverable botnet and extends the botnet life cycle. To defend against such an advanced botnet, preventing the abuse of public services, infiltrating the botnet to track its activities, and monitoring the subsequent actions of zombies may play an important role.
     Design and implementation of a botnet detection system on a large-scale network. This system is based on a high-speed packet capture platform. It uses honeymonkeys and honeypots to catch bot samples and generates botnet rules in the form of URLs and sensitive content keywords. A rule-based HTTP botnet detection algorithm and an IRC botnet detection algorithm based on host behavior are the kernel of this system. The dissertation analyzes the detection results in detail. The results reflect that botnets are still active, and the detection results show that the detection system is correct and valid.
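The rule-driven HTTP side of such a system can be illustrated with a multi-pattern matcher. The Python below is an added example for this page, not the system's code: it assumes rules arrive as URL fragments (matched against host plus path) and sensitive keywords (matched against the whole request), and it uses an Aho-Corasick automaton, an assumed implementation choice the abstract does not name, so that every rule of a kind is checked in a single pass over each request however many rules the sample-analysis stage has produced. The rule set and the request log are constructed and are not real indicators.

```python
"""Rule-driven HTTP botnet detection with a multi-pattern (Aho-Corasick) matcher.

Added example for this page, not the dissertation's system. Rules are either
URL fragments, matched against host + path, or sensitive keywords, matched
against the whole request (headers and body). Rules and requests below are
constructed for illustration.
"""
from collections import defaultdict, deque


class AhoCorasick:
    """Classic Aho-Corasick automaton: trie + failure links, one pass per text."""

    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for pat in patterns:
            self._add(pat)
        self._build()

    def _add(self, pat):
        node = 0
        for ch in pat:
            if ch not in self.goto[node]:
                self.goto[node][ch] = len(self.goto)
                self.goto.append({}); self.fail.append(0); self.out.append([])
            node = self.goto[node][ch]
        self.out[node].append(pat)

    def _build(self):
        # Breadth-first pass; depth-1 nodes already fail to the root (0).
        queue = deque(self.goto[0].values())
        while queue:
            node = queue.popleft()
            for ch, child in self.goto[node].items():
                f = self.fail[node]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(ch, 0)
                queue.append(child)

    def find(self, text):
        """Return every pattern occurring in text (one entry per occurrence)."""
        node, hits = 0, []
        for ch in text:
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            f = node
            while f:                      # collect outputs along the fail chain
                hits.extend(self.out[f])
                f = self.fail[f]
        return hits


def parse_request(raw):
    """Split a raw HTTP request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


class RuleMatcher:
    """Rules are (pattern, kind, label) with kind 'url' or 'keyword'."""

    def __init__(self, rules):
        self.label, url_pats, kw_pats = {}, [], []
        for pattern, kind, label in rules:
            pat = pattern.lower()         # matching is case-insensitive
            self.label[pat] = label
            (url_pats if kind == "url" else kw_pats).append(pat)
        self.url_ac, self.kw_ac = AhoCorasick(url_pats), AhoCorasick(kw_pats)

    def match(self, raw):
        """Return sorted (label, pattern) pairs that fire on one request."""
        _, path, headers, _ = parse_request(raw)
        url_text = (headers.get("host", "") + path).lower()
        hits = set(self.url_ac.find(url_text)) | set(self.kw_ac.find(raw.lower()))
        return sorted((self.label[p], p) for p in hits)


def detect(matcher, requests):
    """Map client IP -> sorted (label, pattern) hits, only for clients with a hit."""
    alerts = defaultdict(set)
    for ip, raw in requests:
        hits = matcher.match(raw)
        if hits:
            alerts[ip].update(hits)
    return {ip: sorted(h) for ip, h in alerts.items()}


# Constructed rules, in the shape a sample-analysis stage might emit (not real IOCs).
RULES = [
    ("/gate.php?hwid=", "url", "family-A"),
    ("cmd.example.test/cc/", "url", "family-B"),
    ("!ddos.syn", "keyword", "family-A"),
    ("x-bot-version:", "keyword", "family-C"),
]

# Constructed request log: (client IP, raw request).
REQUESTS = [
    ("10.0.0.5", "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("10.0.0.7", "POST /gate.php?hwid=3FA9 HTTP/1.1\r\nHost: upd.example.test\r\n\r\n"
                 "id=1&cmd=!ddos.syn 198.51.100.7 80"),
    ("10.0.0.9", "GET /cc/tasks.txt HTTP/1.1\r\nHost: cmd.example.test\r\n\r\n"),
    ("10.0.0.11", "GET /update HTTP/1.1\r\nHost: www.example.test\r\nX-Bot-Version: 2.1\r\n\r\n"),
]

if __name__ == "__main__":
    for ip, hits in detect(RuleMatcher(RULES), REQUESTS).items():
        print(ip, hits)
```

Matching host plus path rather than the raw request line lets a rule pin a C&C path to a particular domain without a regular expression, and lower-casing both rules and traffic keeps a bot that varies the case of its gate URL from slipping past the rule set.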