Bot Host Detection Algorithm and Research
Abstract
With the continuing development of Internet technology, the security and reliability of networks are receiving more and more attention. As an important part of network security, botnet detection technology is also receiving increasing emphasis. Current botnet detection methods fall into two classes: honeynet-based detection, and monitoring and analysis of network traffic. The second class comprises four kinds of methods: 1) signature-based detection, 2) anomaly-based detection, 3) DNS-based detection, and 4) data-mining-based detection.
Network-anomaly-based detection is widely used in botnet detection because it works in real time and its detection process needs no prior knowledge for rule matching. The main research goal of this thesis is to use the network characteristics of bot hosts together with an anomaly detection algorithm to examine suspected hosts within a local area network from several angles, so as to identify bot hosts accurately.
To address two problems in bot host detection, namely the need to perform rule matching first and the inability to guard against malicious behaviour, this thesis first studies the characteristics of different kinds of bot programs and then uses the internal communication traffic of botnets to mark out a monitoring scope, thereby monitoring suspected bot hosts. Next, it proposes describing the overall similarity between suspected bot hosts by the similarity of inbound packet payloads and the time distance between inbound/outbound packet pairs, and uses this similarity to statically characterize whether the communication pattern of the hosts within the monitoring scope during a given time period matches that of bot hosts. Finally, the resulting overall similarity is fed into an improved TRW algorithm: the static similarity measure of each time window serves as the input to one step of the algorithm, the bot hosts within the monitoring scope are tested over multiple rounds (multiple time windows), a threshold is determined, and the bot hosts in the local area network are finally marked. This work provides a new method for detecting bot hosts and defending against botnets. Experiments show that the method achieves anomaly detection of bot hosts without rule matching, discovers them before they carry out malicious behaviour, improves the accuracy of bot host detection, and lays a foundation for further research on defending against botnets.
With the development of the Internet, the security and reliability of networks are becoming more and more important. Botnet detection has become a major concern in network security, and it remains a difficult problem. At present, research on botnet detection methodology focuses on two aspects: honeynet-based methods and network-flow monitoring methods. The second is divided into four kinds of methods: 1) anomaly-based detection, 2) signature-based detection, 3) DNS-based detection, and 4) data-mining-based detection.
Anomaly-based detection, which needs no prior knowledge to perform rule matching during the intrusion detection process, is widely used in botnet detection. The key point of our research is to use an anomaly-based detection algorithm to detect the network-flow features of compromised machines. After multiple rounds of detection, the suspicious compromised machines can finally be spotted.
Two kinds of problems are met in botnet detection in a local area network. First, rule matching is needed during the intrusion detection process. Second, a bot cannot be detected before it performs malicious behaviour. After studying the characteristics of different botnets, the communication features of compromised machines are used to form a monitoring scope within which suspected compromised machines are detected. The similarity of inbound packet payloads and the time distance between inbound/outbound packet pairs are put forward to examine whether the communication features of these machines fit those of bots. This similarity is then substituted into a modified TRW (Threshold Random Walk) algorithm to conduct real-time detection. Compromised-machine detection is thus realized by the similarity-based modified TRW algorithm: the similarity of the compromised machines in each time window is the input to one calculating round of the algorithm, and after multiple rounds (time windows) of judgment the compromised machines are marked. This research provides a new kind of methodology for detecting compromised machines, and thus the whole botnet, before malicious behaviour and without rule matching. The experiments have proved that the modification is effective in improving detection accuracy, and it is important for future research.
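The per-window similarity score and the multi-round TRW decision described in both abstracts, as an added example that is not the thesis's own code. It assumes a simple Jaccard-over-byte-trigrams payload similarity averaged with a timing-distance term, and the classic Threshold Random Walk with Wald's bounds; the thesis's actual modified TRW, its weighting, the hypothesis parameters and the sample windows are not given on this page, so all of those are assumed or constructed here.

```python
import math

# Assumed model parameters (not given on the page):
THETA1, THETA0 = 0.8, 0.2     # P[bot-like window | bot], P[bot-like window | benign]
SIM_THRESHOLD = 0.6           # score at/above which a window counts as bot-like

def ngrams(data, n=3):
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def window_similarity(a, b, max_gap=5.0):
    """Overall similarity of two monitored hosts within one time window.
    a, b = (inbound_payload_bytes, inbound-to-outbound delay in seconds).
    Payload part: Jaccard index over byte 3-grams of the inbound payloads.
    Timing part: 1 - |delay_a - delay_b| / max_gap, floored at 0.
    The two parts are averaged (assumed weighting)."""
    (pa, ta), (pb, tb) = a, b
    ga, gb = ngrams(pa), ngrams(pb)
    payload = len(ga & gb) / len(ga | gb) if (ga | gb) else 0.0
    timing = max(0.0, 1.0 - abs(ta - tb) / max_gap)
    return (payload + timing) / 2

def trw_bounds(alpha=0.01, beta=0.01):
    """Wald's approximate bounds (eta0, eta1) on the likelihood-ratio scale;
    alpha = target false-positive rate, beta = target miss rate."""
    return beta / (1 - alpha), (1 - beta) / alpha

def trw_walk(scores, alpha=0.01, beta=0.01):
    """Sequential test over successive per-window similarity scores.
    Returns (verdict, windows_consumed); verdict is 'bot', 'benign' or 'pending'."""
    eta0, eta1 = trw_bounds(alpha, beta)
    log_ratio = 0.0
    for i, s in enumerate(scores, start=1):
        if s >= SIM_THRESHOLD:          # bot-like observation (Y = 1)
            log_ratio += math.log(THETA1 / THETA0)
        else:                           # benign-looking observation (Y = 0)
            log_ratio += math.log((1 - THETA1) / (1 - THETA0))
        if log_ratio >= math.log(eta1):
            return "bot", i
        if log_ratio <= math.log(eta0):
            return "benign", i
    return "pending", len(scores)

# Constructed sample windows: two hosts receiving near-identical IRC-style
# keep-alives with similar reply delays, versus a pair whose traffic is unrelated.
BOT_PAIR = [((b"PING :srv1.example.net", 0.5), (b"PING :srv2.example.net", 0.6))] * 4
UNRELATED = [((b"GET /index.html HTTP/1.1", 0.5), (b"PING :srv2.example.net", 3.9))] * 4

def classify(pairs):
    """Score each window's host pair, then walk the scores to a verdict."""
    return trw_walk([window_similarity(a, b) for a, b in pairs])
```

With these parameters each bot-like window adds log(4) to the walk and each benign-looking one subtracts it, so a verdict needs four consistent windows; a mixed sequence simply takes more rounds, which is the multi-window behaviour the abstract describes.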