
Research on Key Technology of Botnet Detection (original title: 僵尸网络检测关键技术研究)

【Author】 Wang Hailong (王海龙)

【Advisor】 Gong Zhenghu (龚正虎)

【Author information】 National University of Defense Technology (国防科学技术大学), Computer Science and Technology, 2011, PhD

【Abstract (translated from the Chinese)】 The rampant spread of botnets poses a great threat to the Internet, which has made botnet detection a hot research topic in network security in recent years. Botnet detection first collects, through various channels, information relevant to possible botnet activity; then, from the intrinsic characteristics that botnets exhibit in this information, applies a variety of analysis techniques to identify and confirm the presence of a botnet; and finally locates the attacker, the command-and-control servers and the bot hosts. Researchers at home and abroad have achieved considerable results in recent years, but botnet detection still faces pressing problems in information collection and fusion, extraction of intrinsic characteristics, diagnosis of communication and behaviour, correlation analysis of detection, and system architecture. Addressing the typical problems and common requirements of botnet detection, this thesis studies in depth the state of the key technologies and their deployment, proposes a hierarchical collaborative model and a botnet collaborative detection system based on it, focuses on the models and methods involved in botnet threat awareness and feature analysis, and on that basis designs and implements a prototype system. The main contributions are as follows:

1. After analysing the shortcomings of existing botnet detection architectures and the advantages of collaborative work, the hierarchical collaborative model HCO (Hierarchical Collaborative) is proposed and designed in detail at four levels: model framework, data structure, modelling process and collaboration mechanism. Based on HCO, the botnet collaborative detection system Bot_CODS (Botnet Collaborative Detection System) is proposed and designed in detail from four aspects: architecture, physical structure, logical structure and working principle. The HCO model follows the basic idea of botnet detection closely, combines it sensibly with the collaborative concept, and fully exploits the coordinated linkage of detection at three levels: information, characteristics and decision. Bot_CODS built on this model is highly scalable and interoperable: its detection components can be deployed flexibly on heterogeneous networks and adapt to various application environments, and interaction among internal components, between detection systems, and with other security products can be carried out securely and efficiently. Moreover, the tight collaboration provided by HCO lets Bot_CODS react quickly to widely distributed botnet activity. Bot_CODS therefore effectively meets the requirements of botnet detection.

2. Based on the main characteristics of botnet activity, a collaboration-based distributed botnet detection method is proposed. First, since botnet activity has many phases, diverse forms and a wide range, a role-based policy-driven collaborative threat awareness model, RPCTAM (Role-based Politic Collaborative Threat Awareness Model), is proposed. Building on existing research in computer-supported cooperative work, the model introduces the definition of "policy", further defines the basic sets, basic relations and corresponding rules, partitions the scope of collaborative interaction by decomposing roles, policies and tasks, and uses the workgroup as the unit that guarantees interaction and communication among members within and between groups, which raises collaboration efficiency and speeds up the collaborative process. Next, since botnet activity interferes with the diagnosis made by security tools, a trust-measurement-based method for identifying malicious sensors is proposed. By computing a trust value for each node in Bot_CODS that hosts a threat awareness sensor (TAS), the method decides whether the TAS on a node has been compromised by the botnet and discards the harmful information sent by malicious TASs, improving the trustworthiness of the whole system. Finally, with efficient and trustworthy collaboration among the TASs in Bot_CODS ensured, a DDoS-oriented collaborative botnet detection method is proposed for the covert DDoS attacks launched by botnets. Its core idea is this: during a DDoS attack, malicious packets added to normal traffic change the values of some traffic attributes; these changed attributes are merged into one indicator, the traffic status snapshot (TSS); the integrated deviation rate (IDR) of the TSS over different time intervals is then computed to identify suspicious attack sources (malicious IP addresses); and, exploiting the synchrony of botnet attack behaviour, these malicious IP addresses are compared through information exchange so that the bot hosts among the suspicious sources can be confirmed. This collaborative method reduces the missed detections of traditional methods, saves computing resources and storage space, and achieves fast and accurate detection of botnet-launched covert DDoS attacks and of the bot hosts.

3. Intrinsic characteristics are the key to guiding botnet detection. To obtain effective intrinsic characteristics, a command-and-control (C&C) oriented botnet characteristic extraction method is proposed. First, for the forms in which intrinsic botnet characteristics appear (signatures, anomalies and feature patterns) and the relations among them, a method for describing botnet characteristic information is proposed. It defines the concrete content of characteristic information, describes it abstractly in Backus-Naur Form, and defines an XML-based description language, FIDL (Feature Information Description Language), which renders characteristic information as documents of uniform structure for use by the TASs, improving the efficiency and flexibility of detection. Then, since a C&C channel must traverse the network and attack commands have relatively fixed formats and command words, a signature extraction model for C&C channels is proposed, consisting of five parts: pre-filtering, protocol classification, data preprocessing, signature extraction and signature determination. Within it, a method for determining attack commands is proposed, based on differences in how bot programs respond to attack commands. Applied to traffic passing through an edge network, the model mainly addresses the limited applicability of honeypots and honeynets, accurately extracts command-format signatures from botnet communication, and can integrate several signature extraction techniques (for example the multiple sequence alignment algorithm used in this thesis), meeting the needs of C&C-oriented botnet characteristic extraction.

4. Since botnets expand rapidly and cause great harm in an instant, a prefix-hash-tree-based botnet characteristic fusion method is proposed, covering characteristic aggregation and characteristic access. All threat monitoring centres (TMCs) in Bot_CODS aggregate local information level by level on a platform built on a prefix hash tree, obtain the final global information through aggregation rules, and store it distributedly in the characteristic library, so that local characteristic information is confirmed network-wide in the shortest time and the relevant TMCs in Bot_CODS are prepared to respond. In addition, a prefix-hash-tree-based characteristic information access algorithm, FIA-PHT (Feature Information Access algorithm based on PHT), is proposed. Using multi-attribute range queries according to the naming and publication situation, TASs can quickly query and access the characteristic information stored in the library, giving the TASs under a TMC more targeted detection capability. Theoretical analysis and simulation experiments on real Internet data sets verify the accuracy and feasibility of the method; its query latency and node load are both clearly better than those of comparable solutions.

5. Based on the research on the key problems above, a Bot_CODS prototype system is designed and implemented, with the threat awareness sensor, threat monitoring centre and threat decision centre refined as key components. The prototype integrates software and tools for topology discovery, traffic capture and intrusion detection, implements the collaboration-based distributed botnet detection method, the C&C-oriented botnet characteristic extraction method and the prefix-hash-tree-based botnet characteristic fusion method, and validates the hierarchical collaborative model HCO. This thesis is a useful exploration of botnet detection; its results have good theoretical value and practical significance for advancing botnet detection research. The work has been applied in the National 863 High-Tech Research and Development Program, National Natural Science Foundation projects and practical engineering projects undertaken by the author's group.

【Abstract】 With the rapid development of botnets, they have posed a serious threat to the Internet. Thus, botnet detection has recently become a hot research topic in the field of network security. Botnet detection can be done through the following steps: first, obtain the information that may be related to botnet activities; second, according to the essential features represented in the corresponding information, use various analysis techniques to identify and judge the existence of a botnet; finally, determine the positions of the attackers, command and control servers and zombies. Although there are several research results at home and abroad, botnet detection still has some pressing problems such as information acquisition and fusion, essential feature extraction, diagnosis of communication and behavior, correlation analysis of detection, and system architecture.

Towards the typical problems and common requirements of the botnet detection process, we make an intensive study of the current key technologies and their application deployment. We then propose a hierarchical collaborative model and a botnet collaborative detection system based on this model. Specifically, we focus on the related models and methods of botnet threat awareness and feature analysis. We also design and implement a prototype system to validate our work. The major contributions of this thesis are as follows:

1. Based on the analysis of the disadvantages of existing botnet detection architectures and the advantages of collaborative work, a hierarchical collaborative (HCO) model is proposed. The HCO model is designed in detail at four levels: model framework, data structure, modeling process and collaborative mechanism. Based on the HCO model, a botnet collaborative detection system (Bot_CODS) is presented and designed from four aspects: architecture, physical structure, logical structure and working principle. The HCO model fully reflects the basic idea of botnet detection, reasonably combines it with the idea of collaboration, and fully draws out the collaborative abilities of detection at three different levels: information, feature and decision-making. Moreover, Bot_CODS based on the HCO model has good scalability and interoperability. The detection components can be flexibly deployed in heterogeneous networks and adapt to various application environments, and the interoperation among the internal components, detection systems and other security products can be done safely and efficiently. In addition, due to the close collaborative relationship provided by the HCO model, Bot_CODS can respond quickly to widely distributed botnet activities. Thus, Bot_CODS effectively meets the requirements of botnet detection.

2. Regarding the main characteristics of botnet activities, a distributed botnet detection method based on collaboration is proposed. Botnet activities have multiple phases, various representations and a wide range. Considering these characteristics, a role-based politic collaborative threat awareness model (RPCTAM) is presented. Based on the study of existing computer supported cooperative work (CSCW), this model introduces the definition of policy, and defines the basic sets, basic relationships and the corresponding rules. According to the decomposition of roles, policies and tasks, the scope of collaborative interoperation is divided. Moreover, the group is used as the unit that ensures the interoperation and communication of inter-group and intra-group members. In this way, the collaborative efficiency and progress can be greatly improved. Furthermore, botnet activities always interfere with the diagnosis made by security tools. In terms of this characteristic, a malicious sensor determination method based on trust measurement is proposed. By computing the trust values of the threat awareness sensors (TASs) deployed in Bot_CODS, this method can determine whether the TAS on a node has been captured by the botnet. Thus, the malicious information sent by malicious TASs can be filtered out, and the dependability of the whole system can be improved. Finally, supported by the efficient and trustworthy collaborative work of the TASs in Bot_CODS, a collaborative botnet detection method against DDoS attacks is proposed, which especially focuses on the subtle DDoS attacks launched by botnets. The key ideas of the method are as follows. 1) During the DDoS attack process, some traffic attributes change due to the addition of malicious packets. We merge those changing traffic attributes into one indicator, called the TSS (Traffic Status Snapshot). 2) The integrated deviation rates (IDRs) of TSSes over different time intervals are computed, which help to identify suspicious attack sources (malicious IP addresses). 3) According to the synchronization of botnet attack activities, the malicious IP addresses are compared by exchanging information. Then, the existing zombies can be detected among the suspicious attack sources. The collaborative detection method can reduce the false negative rate of the traditional methods, save computing resources and storage space, and realize the fast and accurate detection of subtle DDoS attacks launched by botnets and of the zombies.

3. Essential features are the key factor guiding the botnet detection process. In order to obtain effective essential features, a botnet feature extraction method towards command and control (C&C) is proposed. Regarding the representations and relationships of botnet essential features, including signature, anomaly and character pattern, a botnet feature description method is presented. The detailed content of feature information is defined, and the abstract description of feature information is given in BNF (Backus-Naur Form). Besides, a description language based on XML called FIDL (Feature Information Description Language) is also defined. In FIDL, feature information is described as a document format with a unified structure for use by the TASs. Thus, the efficiency and flexibility of detection work can be improved. In addition, the C&C channel must pass through the network, and the attack commands always have a relatively fixed format and command strings. Thus, a signature generation model against the C&C channel is proposed. The model is composed of five parts: pre-filtering, protocol classification, data preprocessing, signature generation and determination. Moreover, according to the differences in how bots respond to attack commands, a determination method targeted at the attack commands is presented. This model can be applied to the network traffic of border networks, and mainly solves the problem of the weak applicability of the honeypot or honeynet. It can accurately generate signatures with the command format from botnet communication. It can also integrate several signature generation techniques, including the multi-sequence alignment algorithm used in this thesis, and meets the requirements of botnet feature extraction towards C&C.

4. Towards botnet characteristics such as rapid expansion and great, instant harm, a botnet feature fusion method based on PHT (Prefix Hash Tree) is proposed, which includes two aspects: feature aggregation and feature access. In Bot_CODS, all of the threat monitor centers (TMCs) aggregate the local feature information step by step through a platform built on PHT. Then, according to the aggregation rules, the global information is formed from the gathered information and stored distributedly in the feature library. In this way, the local feature information can be confirmed in the shortest time across the whole network, and the corresponding TMCs in Bot_CODS can prepare well for the coming task. Moreover, a feature information access algorithm based on PHT (FIA-PHT) is presented. According to the naming and publishing process, TASs use a multi-attribute range query method, so the feature information in the feature library can be queried and accessed quickly, and more targeted detection ability can be assured for the TASs under a TMC. Through theoretical analysis and simulation based on real traffic, the accuracy and feasibility of this method are proved. Experimental results indicate that it is significantly better than solutions of the same kind in request and access latency and node load.

5. Based on the study of the key technologies described above, a Bot_CODS prototype system is designed and implemented. We specify the design details of key equipment including the TAS, TMC and TDC (Threat Decision-making Center). The Bot_CODS prototype system integrates software and tools including topology discovery, traffic capture and intrusion detection. The distributed botnet detection method based on collaboration, the botnet feature extraction method towards command and control, and the botnet feature fusion method based on PHT are all implemented in the prototype system. According to the proposed testing content, the correctness of the HCO model is also validated.

To sum up, our research is a beneficial exploration of botnet detection. It has good theoretical and practical value for the development of botnet detection. The research has been integrated into the national high-tech research and development plan of China, the natural science foundation of China and our actual projects.
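The DDoS-oriented collaborative detection idea in contribution 2 (TSS, IDR, cross-sensor comparison) is only sketched in the abstract. The following Python is an added illustration written for this page; it is not Bot_CODS code and the thesis text gives no formulas, so the attributes folded into the snapshot, the deviation formula, the growth rule for flagging sources, the thresholds and all sample traffic are assumptions chosen to show the shape of the method: each sensor summarises an interval into a snapshot, measures how far it deviates from a baseline interval, flags sources that drove the deviation, and a coordinator keeps only sources flagged by several sensors in the same interval, which is what the abstract means by exploiting the synchrony of botnet attacks.

```python
# Added illustration (not Bot_CODS code): TSS / IDR / cross-sensor confirmation.
# Attributes, formulas, thresholds and the sample traffic below are assumptions.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set


@dataclass(frozen=True)
class Pkt:
    src: str        # source IP address
    syn_only: bool  # TCP SYN that never completed a handshake (flood indicator)
    size: int       # bytes on the wire


# Attributes folded into one Traffic Status Snapshot (assumed choice).
ATTRS = ("pkt_count", "syn_ratio", "mean_size", "src_count")


def tss(pkts: List[Pkt]) -> Dict[str, float]:
    """Traffic Status Snapshot: one vector summarising an observation interval."""
    n = len(pkts)
    if n == 0:
        return {a: 0.0 for a in ATTRS}
    return {
        "pkt_count": float(n),
        "syn_ratio": sum(p.syn_only for p in pkts) / n,
        "mean_size": sum(p.size for p in pkts) / n,
        "src_count": float(len({p.src for p in pkts})),
    }


def idr(base: Dict[str, float], cur: Dict[str, float]) -> float:
    """Integrated Deviation Rate (assumed formula): mean relative change of every
    TSS attribute against the baseline interval. The denominator floor of 1.0
    keeps ratio-valued attributes with a zero baseline from blowing up."""
    return sum(abs(cur[a] - base[a]) / max(abs(base[a]), 1.0) for a in ATTRS) / len(ATTRS)


def suspicious_sources(base: List[Pkt], cur: List[Pkt],
                       idr_threshold: float = 0.5, growth: float = 5.0) -> Set[str]:
    """Local step run by one sensor: if the interval deviates beyond the threshold,
    flag sources whose packet count grew more than `growth` times their baseline
    count (assumed rule; unseen sources get a baseline of 1)."""
    if idr(tss(base), tss(cur)) < idr_threshold:
        return set()
    base_cnt = Counter(p.src for p in base)
    cur_cnt = Counter(p.src for p in cur)
    return {ip for ip, c in cur_cnt.items() if c > growth * max(base_cnt.get(ip, 0), 1)}


def confirm_zombies(reports: Dict[str, Set[str]], min_sensors: int = 2) -> Set[str]:
    """Collaborative step: sources flagged by at least `min_sensors` sensors in the
    same interval are treated as synchronised bots; local one-off surges drop out."""
    votes = Counter(ip for ips in reports.values() for ip in ips)
    return {ip for ip, v in votes.items() if v >= min_sensors}


def make_interval(normal: Sequence[str], per_src: int, bots: Sequence[str] = (),
                  bot_pkts: int = 0, surge: Sequence[str] = (), surge_pkts: int = 0) -> List[Pkt]:
    """Build a constructed interval: benign 600-byte packets plus SYN-only bot packets."""
    pkts = [Pkt(ip, False, 600) for ip in normal for _ in range(per_src)]
    pkts += [Pkt(ip, False, 600) for ip in surge for _ in range(surge_pkts)]
    pkts += [Pkt(ip, True, 60) for ip in bots for _ in range(bot_pkts)]
    return pkts


# Constructed sample data for two sensors (TASs). The same two bot addresses hit
# both vantage points in the attack interval; 10.0.0.9 is a benign burst seen only at A.
BOTS = ["198.51.100.7", "198.51.100.8"]
SENSOR_A_BASE = make_interval(["10.0.0.1", "10.0.0.2", "10.0.0.3"], 20)
SENSOR_A_ATTACK = make_interval(["10.0.0.1", "10.0.0.2", "10.0.0.3"], 20,
                                bots=BOTS, bot_pkts=100, surge=["10.0.0.9"], surge_pkts=30)
SENSOR_B_BASE = make_interval(["10.1.0.1", "10.1.0.2"], 20)
SENSOR_B_ATTACK = make_interval(["10.1.0.1", "10.1.0.2"], 20, bots=BOTS, bot_pkts=80)


def run_demo() -> Set[str]:
    """Each sensor reports its suspicious sources; the coordinator confirms zombies."""
    reports = {
        "TAS-A": suspicious_sources(SENSOR_A_BASE, SENSOR_A_ATTACK),
        "TAS-B": suspicious_sources(SENSOR_B_BASE, SENSOR_B_ATTACK),
    }
    return confirm_zombies(reports)


if __name__ == "__main__":
    print("IDR at sensor A:", round(idr(tss(SENSOR_A_BASE), tss(SENSOR_A_ATTACK)), 3))
    print("confirmed zombies:", sorted(run_demo()))
```

On the constructed data sensor A flags the two bot addresses and the benign burst from 10.0.0.9, sensor B flags only the bots, and the cross-sensor step keeps just the two addresses seen at both vantage points. A real deployment would want the baseline to be a rolling window rather than a single interval, and the abstract's trust measurement for sensors would sit in front of `confirm_zombies` so that a compromised TAS cannot vote.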
