Authors: ZHU Tao; XIA Lingling; LI Penghui; XU Zhongyi (Department of Computer Information and Cyber Security, Jiangsu Police Institute, Nanjing 210031, China; Beijing Qihoo Technology Co., Ltd, Beijing 100020, China)
Affiliations: [1] Department of Computer Information and Cyber Security, Jiangsu Police Institute, Nanjing 210031 [2] Beijing Qihoo Technology Co., Ltd, Beijing 100020
Source: Netinfo Security (信息网络安全), 2022, No. 10, pp. 82-90 (9 pages)
Funding: National Natural Science Foundation of China [61802155]; Jiangsu Province Education Science "14th Five-Year" Plan Project [C-c/2021/01/11]; Jiangsu Higher Education Society "14th Five-Year" Higher Education Scientific Research Planning Project [YB074]; Jiangsu Police Institute High-Level Talent Introduction Research Start-up Fund Project [JSPIGKZ]; Jiangsu Provincial Department of Education Project [2019SJA0443].
Abstract: Botnets have become an important means of organized hacker attacks in recent years, and their distinctive attack mode gives their traffic characteristics that differ from those of other network attacks. Based on collected network attack packets, this paper extracts and analyzes botnet attack data. First, a network attack log analysis system is built using honeypot domain name service proxy technology, and a storage format for the attack log files is designed. Second, the plaintext of network attacks is cleaned and extracted using several ciphertext identification methods, and botnet attack data is separated out according to the ways in which botnet behavior differs from network scanning and manual hacker attacks. Regular-expression matching is then used to show that the botnet attack data contains five types of specific keywords, and a string library built from them improves the efficiency of botnet identification. Finally, specific clustering features are selected from the botnet attack data and analyzed with a two-stage clustering algorithm. The experimental results show that botnet attacks are port-biased and that malware downloading is one of the main means by which botnet attacks unfold; the attribute distribution of attacks on specific ports differs clearly from that of other ports; and, apart from the four attributes related to the size of the sent packet, most of the selected attributes have strong clustering discrimination ability and can serve as important features for further intelligent analysis.
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]