Research on Botnet Controlled Host Detection Based on Netflow Abnormity
(Chinese title: 基于网络流量异常的僵尸网络受控主机检测研究)

Cited by: 6

Authors: 白涛 [1], 刘成龙 [1], 曲武 [2,3], 王震 [1]

Affiliations: [1] Information and Communication Branch, State Grid Hebei Electric Power Company, Shijiazhuang 050021; [2] Core Research Institute, Beijing Venustech (启明星辰) Information Security Technology Co., Ltd., Beijing 100193; [3] Department of Computer Science and Technology, Tsinghua University, Beijing 100084

Source: Computer Engineering (《计算机工程》), 2015, No. 11, pp. 170-179 (10 pages)

Funding: National Natural Science Foundation of China (60875029)

Abstract: With large-scale botnets emerging as one of the major current network security threats, the automatic detection of botnet communication traffic is of high importance for Internet service providers and large corporate network monitoring. To address this, the paper proposes a real-time botnet detection algorithm based on network traffic anomalies: netflow data is organized into a host netflow graph structure and a host access chain structure, and a feature extraction method is used to extract the implicit command-and-control communication characteristics that indicate a bot. The paper also builds the BotScanner detection system, a real-time stream processing engine. BotScanner is trained on four representative bot families and evaluated on both simulated and real-world network traffic. Experimental results show that BotScanner can detect bots in network traffic without deep packet inspection while still achieving a high average detection rate with very few false positives. When the netflow volume from the core switch is very large, the efficient algorithm allows BotScanner to detect botnets in real time, which demonstrates the feasibility of applying BotScanner to botnet detection.

Keywords: anomaly detection; botnet; network traffic; real-time detection; malicious code

Classification: TP309 [Automation and Computer Technology / Computer System Architecture]
