Research on Botnet Detection Methods Based on Behavioural Characteristics
Published: 2018-09-09 13:17
[Abstract]: The rapid growth of the Internet has brought convenience to people's lives and work, but the network security problems it has given rise to cannot be underestimated. A botnet is a carefully designed and by now fairly mature technology that is increasingly being used in illegal activities such as advertisement delivery, spam and distributed denial-of-service attacks. A botnet consists of a large number of compromised computers that receive instructions from a controller and then carry them out; these instructions are usually malicious. In this way the controller not only conceals itself but can also use the controlled computers to launch a variety of attacks. How to detect botnets has therefore become a very important problem in the field of network security. This thesis describes the malicious behaviours of botnets in detail and selects six typical behaviours as the general behavioural characteristics of a botnet. Six plug-ins are then implemented on top of an intrusion detection system, each generating primary alerts for one of these six behaviours. Correlation analysis of these primary alerts is then used to detect botnets. Correlation analysis of primary alerts can only detect known botnets. To detect unknown botnets, the behavioural similarity and temporal similarity of the alerts are computed for all monitored hosts, and unknown botnets are detected from the results of the similarity computation. A prototype system was implemented according to the proposed detection mechanism and tested by running bot sample programs in a real network environment. Experimental results show that the proposed detection mechanism detects botnets very effectively.
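The unknown-botnet step of the abstract, as an added illustration that is not the thesis's own code: primary alerts from several hosts are turned into per-host behaviour and time profiles, hosts are paired when both their behavioural similarity and their temporal similarity exceed a threshold, and connected groups of similar hosts are reported as suspected botnets. The behaviour labels, the Jaccard similarity measure, the 60-second time window and the sample alerts are all assumptions, since the abstract does not name the six behaviours or the similarity formula.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample of primary alerts: (timestamp in seconds, host, behaviour).
# Behaviour labels are placeholders; the abstract does not list the six behaviours.
ALARMS = [
    (100, "10.0.0.5", "c2_connect"), (105, "10.0.0.5", "scan"), (300, "10.0.0.5", "spam"),
    (102, "10.0.0.7", "c2_connect"), (110, "10.0.0.7", "scan"), (310, "10.0.0.7", "spam"),
    (101, "10.0.0.9", "c2_connect"), (108, "10.0.0.9", "scan"), (305, "10.0.0.9", "spam"),
    (900, "10.0.0.20", "scan"),    # a lone scanner, e.g. an administrator's tool
    (1500, "10.0.0.21", "spam"),   # a single spam alert with nothing correlated to it
]

def profiles(alarms, window=60):
    """Per host: the set of behaviours seen and the set of time windows with any alert."""
    beh, win = defaultdict(set), defaultdict(set)
    for ts, host, b in alarms:
        beh[host].add(b)
        win[host].add(ts // window)   # assumed: bucket alerts into fixed windows
    return beh, win

def jaccard(a, b):
    """Jaccard similarity of two sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0

def similar_hosts(alarms, window=60, threshold=0.5):
    """Host pairs whose behaviour similarity AND time similarity reach the threshold."""
    beh, win = profiles(alarms, window)
    pairs = {}
    for h1, h2 in combinations(sorted(beh), 2):
        bsim, tsim = jaccard(beh[h1], beh[h2]), jaccard(win[h1], win[h2])
        if bsim >= threshold and tsim >= threshold:
            pairs[(h1, h2)] = (bsim, tsim)
    return pairs

def botnet_groups(alarms, window=60, threshold=0.5):
    """Union-find over similar pairs: each component of two or more hosts is a suspect botnet."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for h1, h2 in similar_hosts(alarms, window, threshold):
        parent[find(h1)] = find(h2)
    groups = defaultdict(set)
    for h in parent:
        groups[find(h)].add(h)
    return [g for g in groups.values() if len(g) > 1]
```

With the constructed alerts, the three hosts that fire the same behaviours in the same windows form one group, while the lone scanner and the single spam alert are left out because their profiles match nobody.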
[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Master's
[Year awarded]: 2011
[Classification number]: TP393.08
[Article number]: 2232490
[Article link]: http://lk138.cn/wenyilunwen/guanggaoshejilunwen/2232490.html