Malicious Code Detection Based on Flow Features
Abstract
With the rapid development of Internet technology, network equipment and computers have reached deep into government agencies, enterprises and ordinary households, and our dependence on computer networks grows daily. At the same time, many computer users, and even network administrators, have weak security awareness and cannot protect their hosts and networks effectively. Network threats keep emerging and changing form, seriously endangering the security of computer networks. Ensuring the security of computer networks is therefore a challenging task.
Bot trojans, computer viruses and worms are the malicious code most commonly found in today's networks. Traditional detection methods based on application-layer payload have several shortcomings: they cannot detect encrypted payloads or newly emerged malicious code, cannot keep up with Gbit/s traffic rates, and cannot retain historical data for long periods. They also usually require a great deal of prior knowledge, so with malicious code now updated rapidly they lag clearly behind. This thesis therefore proposes a malicious code detection method based on flow features that largely remedies these shortcomings. Moreover, flow export is already a standard (RFC 3917) supported by many network equipment vendors, so the method can be tested in a real environment.
By collecting, counting and analysing the NetFlow data exported by the campus network's core routing switch, this thesis identified the flow features of more than ten kinds of network vulnerability scan, three worms and one bot trojan, as well as a number of anomalous flow features that cannot yet be attributed. In addition, graphical flow-feature statistics were implemented, including the distribution of common protocols, TOP N hosts by bidirectional traffic, TOP N hosts by outbound SYN connections, campus-wide TCP flag bit statistics and real-time campus traffic. Counting the data from several angles and displaying it graphically makes it easier to see when anomalous traffic appears on the campus network; further analysis of the flow data then determines what kind of anomalous traffic it is.
Experiments in a real environment show that flow-feature-based malicious code detection is feasible and effectively compensates for the shortcomings of application-layer payload detection.
With the rapid development of Internet technology, network equipment and computers have penetrated deeply into government offices, businesses and families. At the same time, many computer users and even network administrators are weak in security and cannot protect their hosts and networks effectively. What is more, the threats to networks are becoming more and more serious. How to ensure the security of computer networks is a challenging task.
Botnets, viruses and worms are the malicious code found in current networks. The traditional method, based on application-layer Payload, cannot detect encrypted Payload, cannot discover newly emerging malicious code, cannot detect at Gbit/s rates and cannot preserve historical data for a long time. It often requires significant prior knowledge of malicious code, and with today's fast updating of malicious code the method has an obvious lag. In this paper, we propose the detection of malicious code based on flow features, which can make up for those deficiencies; as a standard (RFC 3917), flow export has been supported by a number of network equipment vendors, so this method can be experimented with in a real environment.
The NetFlow data used in this paper is collected from the core router of the campus network. By analyzing the data, we find more than ten kinds of network vulnerability scans, three kinds of worms, one kind of botnet, and other abnormal flow features that we cannot yet classify. In addition, we implement graphical flow-feature statistics, including the distribution of commonly used protocols, TOP N hosts by two-way traffic, TOP N hosts by external SYN connections, campus network TCP_flag bit statistics, campus real-time traffic and so on. From the results we can find out when an exception occurred in the campus network, and can further analyze the flow data to determine what kind of abnormal traffic it is.
In this paper, real-environment experiments show that the detection of malicious code based on flow features is feasible and can effectively compensate for the deficiencies of the application-layer Payload detection method.