Research on Countermeasure Techniques for the Botnet (original title: 僵尸网络对抗技术研究)
【Author】 Wang Wei
【Supervisor】 Fang Binxing
【Author Information】 Harbin Institute of Technology, Computer System Architecture, 2010, PhD
【Abstract (translated from the Chinese)】 With the rapid development of the Internet, computers and the Internet have become indispensable elements of daily life; yet the Internet faces a large number of security threats, and botnets are among the most serious. A botnet is a group of computers that an attacker covertly builds over the Internet and can control centrally. It is not a specific security incident but a platform in the attacker's hands, from which attacks of broader coverage, greater intensity and greater difficulty of defense can be launched. The high level of botnet activity has drawn wide attention. Current botnet research falls into five areas: detection, measurement, tracking, active defense and architecture research. Detection is the basis of measurement, tracking and active defense; architecture research is the precursor to defending against botnets that may appear in the future. Honeypot and honeynet technology strongly supports detection, measurement and tracking, so although honeypot research is not itself a botnet research direction, it lays the foundation for botnet research. Organised around these research directions, this dissertation studies botnet countermeasure techniques in depth. Its main content is as follows.

The definition, attributes, evolutionary lineage and harm of botnets are given. Work in the five research areas is surveyed to define further the content and goals of this dissertation.

A distributed honeypot deployment model for capturing bot samples is studied. Analysis of bot samples provides strong support for every direction of botnet research, so sample capture is the foundation of that research. Existing work on bot sample capture concentrates on the design, implementation and application of honeypots; research on deployment strategy, however, can raise deployment efficiency and lower deployment cost, and so has real practical significance. The model proposed here describes the relationship between the analysis requirements for bot samples, the propagation attributes of bots, detection time, detection probability and honeypot deployment parameters. On the basis of the model analysis, two parameters are proposed, the honeypot deployment threshold and the network distance, which characterise the optimal choice of the number and of the position of deployed honeypots respectively; they provide a theoretical basis for building real distributed honeypot systems and aim at a balance between cost and benefit.

IRC botnet detection algorithms are studied. Detection is the focus of botnet countermeasures. Existing IRC botnet detection algorithms have two problems: they need prior knowledge to obtain matching patterns, and they cannot meet real-time processing requirements. To solve these, the dissertation proposes IRC botnet detection algorithms based on two host-behaviour features, nickname similarity and command-sequence similarity. Three attributes are proposed that characterise the similarity of two nicknames from the complementary aspects of content, composition and structure; a quantitative similarity factor for two nicknames is given, and from it an extended (elastic) TRW algorithm is derived for real-time IRC botnet detection. Based on an analysis of how bots log in to the server, an auxiliary detection algorithm based on command-sequence similarity is also proposed.

A reconfigurable botnet architecture is studied. Architecture research is another approach to botnet countermeasures, letting security researchers prepare in advance for botnets that may emerge. The command and control (C&C) channel is the core of a botnet, and robustness is its design goal. Most existing C&C structures have second-level robustness; this dissertation studies a reconfigurable botnet architecture with third-level robustness. The botnet has two C&C channels, obtains commands by sniffing, protects its key nodes with a Tor hidden service, and, when the communication C&C fails, uses the reconstruction C&C to rebuild the botnet. While analysing the architecture, the dissertation studies its weaknesses and its extended botnet life cycle, and gives three methods of countering a reconfigurable botnet.

On the basis of the work above, a botnet detection system for large-scale network environments is designed and implemented. The system is built on a high-performance packet capture platform; it uses the URLs and sensitive keywords automatically generated from bot samples captured by honeymonkeys and honeypots as matching rules, and takes a rule-driven HTTP botnet detection algorithm and the host-behaviour-based IRC botnet detection algorithm as its core to detect botnets in real time. Two weeks of detection results are analysed in detail; they show that botnets are currently in an active period and, correspondingly, demonstrate that the detection system is effective.
【Abstract】 With the rapid development of the Internet, computers and networks have become indispensable to daily life. However, the Internet faces many security threats, and botnets are among the most serious. A botnet is a set of computers secretly controlled by an attacker. It is not a particular attack but a platform, which can be used to launch attacks of broader coverage and higher intensity that are harder to prevent. The high level of botnet activity has drawn the attention of defenders. There are five areas of botnet research: detection, measurement, tracking, proactive defense and botnet architecture. Detection is the foundation of measurement, tracking and proactive defense; architecture research is the precursor to defending against future botnets. Although honeypots are not themselves a botnet research area, they strongly support detection, measurement and tracking, so honeypot research is important for botnet defense. This dissertation focuses on botnet countermeasure techniques. Its main contents are as follows.

The definition, attributes, timeline and main dangers of botnets are given first. The dissertation then surveys current research in the five areas and makes its own contents and aims clear.

Research on a distributed honeypot deployment model for capturing bot samples. Capturing bot samples is the foundation of botnet research, and analysing the samples supports every other area. There is little prior work on honeypot deployment. The model expounds the relationship among the needs of bot sample analysis, the spreading attributes of bots, detection time, detection probability and honeypot deployment parameters. Based on the model, a honeypot deployment threshold and a network distance are proposed; the two parameters give the number and the position of honeypots to deploy. This can guide the construction of distributed honeypot systems and balance economy and efficiency, filling a gap in honeypot deployment research.

Research on the detection of IRC-based botnets. Current IRC botnet detection algorithms have two problems: they require prior knowledge of the botnet to generate matching patterns, and they cannot perform detection online. To solve these problems, the dissertation proposes two IRC botnet detection algorithms based on host behavior. Three attributes, LCS rate, compositive distance and RN Dice coefficient, quantify the similarity of nicknames from three aspects: content, composition and structure. To detect IRC botnets online, an extended TRW algorithm based on nickname similarity is proposed. The dissertation also proposes a detection algorithm based on the command sequences of IRC clients.

Research on the architecture of a recoverable botnet. Botnet architecture research is another way to defend against botnets and provides a guard against future botnets. The command and control (C&C) channel is the anchor point of a botnet, and robustness is its design goal. Most current C&C structures reach the second level of robustness; this dissertation proposes a recoverable botnet that reaches the third level. The botnet has two C&C channels; it obtains commands by sniffing and protects its key nodes with a Tor hidden service. When the communication C&C fails, the recovery C&C rebuilds the botnet. The dissertation discusses the weak points of this recoverable botnet and the extended botnet life cycle. To defend against such an advanced botnet, preventing the abuse of public services, infiltrating the botnet to track its activities, and monitoring the subsequent actions of zombies may play an important role.

Design and implementation of a botnet detection system for a large-scale network. The system is based on a high-speed packet capture platform. It uses honeymonkeys and honeypots to catch bot samples and generates botnet rules in the form of URLs and sensitive content keywords. A rule-based HTTP botnet detection algorithm and the host-behavior-based IRC botnet detection algorithm are the kernel of the system. The dissertation analyses the detection results in detail; the results reflect that botnets are still active and show that the detection system is correct and valid.
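The IRC detection sketched above combines three nickname-similarity attributes with a TRW sequential test. The Python below is an added illustration of that idea and is not the dissertation's code: the page does not define LCS rate, compositive distance or RN Dice coefficient, so the block substitutes assumed stand-ins (LCS length over the longer nickname for content, one minus half the L1 distance between letter/digit/symbol fractions for composition, and a Dice coefficient over bigrams of the nickname's character-class skeleton for structure), averages them with a constructed 0.7 threshold, and feeds the similar/dissimilar decision for each consecutive pair of JOINs on a channel into the plain TRW sequential hypothesis test of Jung et al. (2004) rather than the dissertation's extended variant. The priors, error targets and the IRC log lines are constructed for the example.

```python
"""Nickname-similarity IRC botnet detection driven by a TRW sequential test.
Added illustration, not the dissertation's code: the three attribute forms,
the 0.7 similarity threshold, the TRW priors and the log lines are assumptions."""
import math
import re
from dataclasses import dataclass
from typing import Dict, Optional

# :nick!user@host JOIN #channel   (assumed raw IRC line shape)
JOIN_RE = re.compile(r"^:(?P<nick>[^!\s]+)!\S+\s+JOIN\s+:?(?P<chan>\S+)")


def lcs_length(a: str, b: str) -> int:
    """Longest common subsequence length, classic O(len(a)*len(b)) DP."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            cur[j] = prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1])
        prev = cur
    return prev[-1]


def lcs_rate(a: str, b: str) -> float:
    """Content attribute (assumed form): LCS length over the longer nickname."""
    if not a or not b:
        return 0.0
    return lcs_length(a.lower(), b.lower()) / max(len(a), len(b))


def char_class(c: str) -> str:
    return "L" if c.isalpha() else "D" if c.isdigit() else "S"


def composition_similarity(a: str, b: str) -> float:
    """Composition attribute (assumed form): 1 - half the L1 distance between
    the (letters, digits, symbols) fraction vectors of the two nicknames."""
    def fractions(s):
        return tuple(sum(char_class(c) == k for c in s) / len(s) for k in "LDS") if s else (0.0, 0.0, 0.0)
    return 1.0 - 0.5 * sum(abs(x - y) for x, y in zip(fractions(a), fractions(b)))


def structure_dice(a: str, b: str) -> float:
    """Structure attribute (assumed form): Dice coefficient over the bigram set
    of each nickname's class skeleton, e.g. USA|1234 -> LLLSDDDD."""
    def bigrams(s):
        sk = "".join(char_class(c) for c in s)
        return set(zip(sk, sk[1:]))
    ba, bb = bigrams(a), bigrams(b)
    return 1.0 if not ba and not bb else 2.0 * len(ba & bb) / (len(ba) + len(bb))


def nick_similarity(a: str, b: str) -> float:
    """Equal-weight combination of the three attributes, in [0, 1]."""
    return (lcs_rate(a, b) + composition_similarity(a, b) + structure_dice(a, b)) / 3.0


@dataclass
class ChannelState:
    last_nick: Optional[str] = None
    log_lr: float = 0.0               # running log-likelihood ratio of the TRW walk
    joins: int = 0
    verdict: Optional[str] = None     # "botnet" / "benign" once a threshold is hit
    decided_at: Optional[int] = None  # number of JOINs seen when the walk stopped


class NickTRW:
    """Per-channel TRW (Jung et al. 2004). Each consecutive JOIN pair is a Bernoulli
    observation Y=1 if the two nicknames are similar. theta1/theta0 are the assumed
    P(Y=1) for a bot channel and a benign channel; alpha/beta the target FP/FN rates."""

    def __init__(self, theta0=0.2, theta1=0.8, alpha=0.01, beta=0.01, sim_threshold=0.7):
        self.step_similar = math.log(theta1 / theta0)
        self.step_dissimilar = math.log((1 - theta1) / (1 - theta0))
        self.eta1 = math.log((1 - beta) / alpha)   # upper bound -> declare botnet
        self.eta0 = math.log(beta / (1 - alpha))   # lower bound -> declare benign
        self.sim_threshold = sim_threshold
        self.channels: Dict[str, ChannelState] = {}

    def observe_join(self, channel: str, nick: str) -> Optional[str]:
        st = self.channels.setdefault(channel, ChannelState())
        st.joins += 1
        if st.verdict is not None:        # walk already terminated for this channel
            return st.verdict
        if st.last_nick is not None:
            similar = nick_similarity(st.last_nick, nick) >= self.sim_threshold
            st.log_lr += self.step_similar if similar else self.step_dissimilar
            if st.log_lr >= self.eta1:
                st.verdict, st.decided_at = "botnet", st.joins
            elif st.log_lr <= self.eta0:
                st.verdict, st.decided_at = "benign", st.joins
        st.last_nick = nick
        return st.verdict


def classify_log(irc_log: str, **trw_params) -> dict:
    """Run the detector over raw IRC lines; returns {channel: (verdict, joins_at_decision)}."""
    det = NickTRW(**trw_params)
    for line in irc_log.splitlines():
        m = JOIN_RE.match(line.strip())
        if m:
            det.observe_join(m["chan"], m["nick"])
    return {ch: (st.verdict or "undecided", st.decided_at) for ch, st in det.channels.items()}


# Constructed sample: template-named bots join #upd, humans join #python.
SAMPLE_LOG = """\
:USA|38201!bot@10.0.0.11 JOIN #upd
:USA|77410!bot@10.0.0.12 JOIN #upd
:DEU|10921!bot@10.0.0.13 JOIN #upd
:USA|00317!bot@10.0.0.14 JOIN #upd
:FRA|55902!bot@10.0.0.15 JOIN #upd
:GBR|41177!bot@10.0.0.16 JOIN #upd
:alice_w!alice@192.0.2.10 JOIN #python
:bob!bob@192.0.2.11 JOIN #python
:Marcus42!marcus@192.0.2.12 JOIN #python
:tea-lover!tl@192.0.2.13 JOIN #python
:nv!nv@192.0.2.14 JOIN #python
"""

if __name__ == "__main__":
    for chan, (verdict, at) in classify_log(SAMPLE_LOG).items():
        print(f"{chan}: {verdict} (decided after {at} joins)")
```

With the constructed priors each similar pair multiplies the likelihood ratio by 4 and each dissimilar pair divides it by 4, so the walk needs four consecutive similar observations (five JOINs) to cross the botnet bound ln 99 and four dissimilar ones to cross the benign bound; the sixth bot JOIN in the sample is ignored because the channel's walk has already terminated. This is what makes the test usable online: no matching pattern is needed up front, and the decision is made after a bounded number of observations rather than after a whole capture has been collected.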
【Key words】 network security; botnet; botnet detection; honeypot deployment; command and control; TRW algorithm