
Bot Host Detection Algorithm and Research

The Research of Botnet Detection Algorithm

【Author】 庄岩

【Supervisor】 翟光群

【Author information】 郑州大学 (Zhengzhou University), Computer Architecture, 2011, Master's degree

【Abstract (Chinese)】 With the continuing development of Internet technology, the security and reliability of networks are receiving more and more attention. As an important component of network security, botnet detection technology is also receiving growing emphasis. Current botnet detection methods fall into two categories: detection based on honeynet systems, and monitoring and analysis of network traffic. The second category comprises four kinds of methods: 1) signature-based detection, 2) anomaly-based detection, 3) DNS-based detection, and 4) data-mining-based detection. Because it works in real time and requires no prior knowledge for rule matching during detection, anomaly-based detection is widely used for botnets. The central goal of this thesis is to use the network characteristics of bot hosts together with an anomaly detection algorithm to examine suspected hosts within a local area network from several angles, and thereby identify bot hosts accurately. To address the problems that bot-host detection has required rule matching beforehand and could not guard against the bots' malicious behaviour, this thesis first studies the characteristics of different kinds of bot programs, then uses the traffic characteristics of a botnet's internal communication to mark out a monitoring scope, thereby enabling monitoring of suspected bot hosts. Next, it proposes describing the overall similarity between suspected bot hosts by the similarity of the payloads of inbound packets and the time distance between inbound/outbound packet pairs, and uses this similarity to statically characterise whether the communication behaviour of the hosts within the monitoring scope during a given time period matches that of bot hosts. Finally, the resulting overall similarity is fed into an improved TRW algorithm: the static similarity measure from each time window serves as the input to one step of the algorithm, and multiple rounds (multiple time windows) of detection over the hosts in the monitoring scope determine a threshold and ultimately mark the bot hosts within the LAN. This work provides a new method for detecting bot hosts and defending against botnets. Experiments show that the method successfully performs anomaly detection of bot hosts without rule matching, discovers them before they carry out malicious behaviour, improves the accuracy of bot-host detection, and lays a foundation for further research on defending against botnets.

【Abstract】 With the development of the Internet, the security and reliability of networks are becoming more and more important, and botnet detection has become a major concern in network security. At present, research on botnet detection methodology focuses on two aspects: honeynet-based methods and network-flow monitoring methods. The second is divided into four kinds: 1) anomaly-based detection, 2) signature-based detection, 3) DNS-based detection, and 4) data-mining-based detection. Anomaly-based detection, which needs no prior knowledge for rule matching during the intrusion detection process, is widely used in botnet detection. The key point of our research is to use an anomaly-based detection algorithm to detect the network-flow features of compromised machines; after multiple rounds of detection, the suspicious compromised machines can finally be spotted. Two problems have been met in botnet detection in a local area network: first, rule matching was needed during the intrusion detection process; second, a compromised machine could not be detected before it performed malicious behaviour. After studying the different characteristics of botnets, the communication features of compromised machines are used to form a monitoring scope for detecting suspected compromised machines. The similarity of inbound packet payloads and the time distance between inbound/outbound packet pairs are put forward to examine whether their communication features fit those of bots. The similarity is then substituted into a modified TRW (Threshold Random Walk) algorithm to conduct real-time detection, so that compromised-machine detection is realised by a similarity-based modified TRW algorithm. The similarity of the compromised machines in each time window is the input of the algorithm in each calculating round; after multiple rounds (time windows) of judgment, the compromised machines are marked. This research provides a new methodology for detecting compromised machines, and thus the whole botnet, before malicious behaviour and without rule matching. The experiments have proved that the modification is effective in improving detection accuracy, and it is important for future research.
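The per-window similarity feeding a multi-round TRW decision, as the abstract describes it, illustrated by an added Python example that is not code from the thesis. The thesis's modified TRW is not on this page, so this uses the standard TRW sequential likelihood-ratio test with constructed parameters, a byte 3-gram Jaccard measure as a stand-in for payload similarity, reply-delay regularity as a stand-in for the inbound/outbound time distance, and constructed sample traffic.

```python
import math
import statistics
from itertools import combinations
from typing import Iterable, Optional, Sequence, Tuple

# Constructed parameters (assumptions for illustration, not the thesis's values).
THETA_BENIGN = 0.2   # P(window looks bot-like | host is benign)
THETA_BOT = 0.8      # P(window looks bot-like | host is a bot)
ALPHA, BETA = 0.01, 0.01  # tolerated false-positive / false-negative rates
SIM_THRESHOLD = 0.6  # window score at or above this counts as a bot-like observation


def payload_similarity(a: bytes, b: bytes, n: int = 3) -> float:
    """Jaccard similarity of byte n-gram sets: 1.0 for identical, 0.0 for disjoint content."""
    ga = {a[i:i + n] for i in range(len(a) - n + 1)}
    gb = {b[i:i + n] for i in range(len(b) - n + 1)}
    return 1.0 if not (ga or gb) else len(ga & gb) / len(ga | gb)


def window_score(inbound: Sequence[bytes], delays: Sequence[float], tol: float = 0.5) -> float:
    """Overall similarity for one time window: mean pairwise payload similarity of the
    inbound packets, averaged with the fraction of inbound->outbound reply delays that
    sit within `tol` seconds of the median delay (bots answer near-identical commands
    with near-constant timing, so both terms approach 1.0 for bot-like traffic)."""
    pairs = list(combinations(inbound, 2))
    sim = sum(payload_similarity(a, b) for a, b in pairs) / len(pairs) if pairs else 0.0
    regular = 0.0
    if delays:
        med = statistics.median(delays)
        regular = sum(abs(d - med) <= tol for d in delays) / len(delays)
    return 0.5 * sim + 0.5 * regular


def trw_decide(scores: Iterable[float]) -> Tuple[Optional[str], int]:
    """Threshold Random Walk (Wald's sequential test) over per-window scores. Each window
    moves the log-likelihood walk up (bot-like) or down (benign-like); the first boundary
    crossing decides. Returns (verdict, windows_used), verdict None if still undecided."""
    upper = math.log((1 - BETA) / ALPHA)   # cross upward  -> declare bot
    lower = math.log(BETA / (1 - ALPHA))   # cross downward -> declare benign
    up = math.log(THETA_BOT / THETA_BENIGN)
    down = math.log((1 - THETA_BOT) / (1 - THETA_BENIGN))
    walk, used = 0.0, 0
    for used, s in enumerate(scores, 1):
        walk += up if s >= SIM_THRESHOLD else down
        if walk >= upper:
            return "bot", used
        if walk <= lower:
            return "benign", used
    return None, used
```

With these parameters the walk needs four net bot-like windows to cross the upper boundary, so a single coincidentally similar window (a software update fetched by several hosts, say) never produces a verdict on its own.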

【Keywords (Chinese)】 network security; botnet; bot host; similarity
【Key words】 network security; botnet; compromised machine; similarity
  • 【Online publication contributor】 郑州大学 (Zhengzhou University)
  • 【Online publication issue】 2012, No. 04