

【Author】 王明丽

【Supervisor】 傅彦

【Author information】 电子科技大学 (University of Electronic Science and Technology of China), Computer Software and Theory, 2009, Master's thesis

【Abstract (translated from Chinese)】 Botnets are an increasingly serious threat to Internet security and have become a shared focus of security researchers. Because IRC is still the mainstream control protocol for botnets, almost all related research concentrates on detecting and characterising the control channels of IRC botnets. The IRC-based command-and-control mechanism has a central point of control, which makes this client/server botnet architecture easy to track, detect and counter. P2P-based botnets, by contrast, are markedly more robust, secure and covert, which makes them harder to discover and monitor. Because individual P2P botnets differ strongly from one another, there is as yet no general detection method; as this class of botnet has kept developing in recent years, building an effective detection method for P2P botnets has become an important research problem.

This thesis brings data mining techniques into Internet information security and takes P2P bot malware as its object of study. It extracts the harmful content of the samples, analyses their host behaviour and network communication, distils their internal activity patterns and propagation mechanisms, and identifies the illegal actions and illegal connections they make on the host. On this basis it proposes a general and efficient P2P bot detection method that detects P2P bots from two directions: malicious behaviour analysis and P2P traffic identification. The topic is innovative within bot research and is also of considerable practical value.

The thesis first collects a large number of bot samples and selects several typical P2P bots for in-depth analysis, abstracting their functional modules and studying their malicious behaviour on the host, their propagation methods, their attack techniques and the connection characteristics between peers; detailed analysis reports for these samples are completed on this basis. Next, the N-gram algorithm is applied to the dynamic analysis of malicious behaviour: the API call sequence of an executable is extracted and quantified, the frequency distribution of API sub-sequences is derived from it, and that distribution is used to judge whether the program has performed malicious actions. Then, improving on existing traffic detection techniques, the thesis proposes a P2P protocol identification method based on connection behaviour characteristics: a systematic analysis of various P2P application protocols yields the properties that P2P traffic exhibits and has in common, from which a P2P behaviour model is built and used to detect whether an executable is engaged in P2P communication. Finally, malicious behaviour analysis and P2P protocol identification are combined: a suitable time window is set within which the host behaviour and network communication of an executable are monitored dynamically, giving real-time detection of P2P bots. Experiments show that the proposed behaviour-based P2P bot detection method achieves high accuracy.

【Abstract】 As an increasing threat to Internet security, botnets have become a focus of attention among network security researchers. Since IRC is still the dominant protocol used by botnets, almost all the relevant research is concerned with detecting the command and control (C&C) channel of IRC botnets. An IRC-based C&C channel is highly centralized, which makes this client/server structure easy to track, detect and counter. Compared with IRC botnets, botnets that use P2P techniques are much improved in robustness and concealment, which makes detecting and tracking them considerably harder. At present there is no general detection approach, because individual P2P botnets differ so strongly from one another. However, with the constant development of P2P botnets in recent years, constructing an effective detection method for them has become an important research subject.

In this thesis, data mining techniques are brought into the field of information security. We take P2P-controlled bots as the research object, analyzing their malicious behaviors on the host and their network communication so as to understand the rules of their activity and their transmission mechanisms. Furthermore, a general and efficient detection method for P2P-controlled bots is proposed on the basis of this analysis, so as to find the unusual activities and connections on the host. By combining analysis of malicious behaviors with identification of the P2P protocol, a general detection method for P2P-controlled bots is achieved, which is both innovative in this research area and of high practical value.

In this thesis, a large number of bot samples are collected first. These samples are analyzed in order to understand their operating principles, content signatures, behavioral characteristics, transmission rules and attacks, and detailed bot analysis reports are produced. Secondly, the text classification algorithm N-gram is used to construct the detection model that identifies malicious behaviors: by extracting and quantifying the API function calls of an executable, we obtain the frequency distribution of the substrings extracted from the API call sequence and use it to decide whether the executable exhibits malicious behaviors on the host. Thirdly, improvements are made to current traffic detection techniques and a method for identifying P2P traffic is constructed. We emphasize the analysis of P2P connection behaviors and give a detailed description of how the P2P behavior model is built. Finally, the detection approach combines malicious behavior analysis and P2P protocol identification. A time window is set within which the behaviors on the host and the communication traffic are monitored dynamically, through which the detection of P2P-controlled bots on the host is realized. A series of experiments then shows that the method proposed in this thesis for detecting P2P-controlled bots is effective.
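The pipeline that both abstracts describe (N-gram frequency features over a process's API call sequence, a connection-behaviour model for P2P traffic, and a time window in which both signals must fire before a process is flagged) can be sketched in working code as follows. This is an added example written for this page, not code from the thesis: the API names, the four connection-behaviour features, the thresholds and every sample trace are assumptions made for illustration, and the thesis's own feature set and classifier are not given in the abstract.

```python
# Added example; this is not code from the thesis. It sketches the three pieces the
# abstract describes: (1) N-gram frequency features over a process's API call
# sequence, (2) a connection-behaviour model for P2P traffic and (3) a time window
# in which both signals must fire. The API names, the four connection-behaviour
# features, the thresholds and every sample trace are constructed for illustration.
from collections import Counter
from math import sqrt

N = 3  # length of the API sub-sequences; an assumed value, the abstract does not fix one


def api_ngrams(calls, n=N):
    """Relative frequency of every run of n consecutive API names in a call trace."""
    if len(calls) < n:
        return {}
    counts = Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))
    total = sum(counts.values())
    return {gram: c / total for gram, c in counts.items()}


def cosine(p, q):
    """Cosine similarity of two sparse frequency distributions (0.0 if either is empty)."""
    dot = sum(v * q.get(k, 0.0) for k, v in p.items())
    norm = sqrt(sum(v * v for v in p.values())) * sqrt(sum(v * v for v in q.values()))
    return dot / norm if norm else 0.0


# Constructed reference traces: a bot-like sequence (copy itself, persist via the
# Run key, then loop on socket/connect/send/recv) versus a benign file viewer.
MALICIOUS_TRACE = ["GetModuleFileNameA", "CopyFileA", "RegOpenKeyExA", "RegSetValueExA",
                   "CreateThread", "WSAStartup", "socket", "connect", "send", "recv",
                   "socket", "connect", "send", "recv"]
BENIGN_TRACE = ["GetOpenFileNameA", "CreateFileA", "ReadFile", "ReadFile",
                "SetFilePointer", "ReadFile", "CloseHandle", "MessageBoxA"]
MALICIOUS_PROFILE = api_ngrams(MALICIOUS_TRACE)
BENIGN_PROFILE = api_ngrams(BENIGN_TRACE)


def malicious_behaviour_score(calls):
    """Positive when the trace's N-gram distribution sits closer to the malicious profile."""
    f = api_ngrams(calls)
    return cosine(f, MALICIOUS_PROFILE) - cosine(f, BENIGN_PROFILE)


def p2p_connection_score(conns):
    """Count how many assumed P2P connection-behaviour traits a set of connections shows:
    many distinct remote hosts, traffic in both directions, remote ports mostly above
    1023, and TCP plus UDP from one local port.
    conns: (proto, direction, remote_ip, remote_port, local_port) tuples."""
    conns = list(conns)
    if not conns:
        return 0
    peers = {c[2] for c in conns}
    directions = {c[1] for c in conns}
    high_ports = sum(1 for c in conns if c[3] >= 1024)
    protos_by_local_port = {}
    for proto, _, _, _, lport in conns:
        protos_by_local_port.setdefault(lport, set()).add(proto)
    score = int(len(peers) >= 5)
    score += int(directions == {"in", "out"})
    score += int(high_ports / len(conns) >= 0.8)
    score += int(any(ps == {"tcp", "udp"} for ps in protos_by_local_port.values()))
    return score


def detect_p2p_bot(events, window=60.0, api_threshold=0.1, p2p_threshold=3):
    """events: (timestamp, kind, payload) with kind "api" (an API name) or "conn" (a
    connection tuple). Slides a window over the timeline and returns the start time
    of the first window in which the host-behaviour signal and the P2P-traffic
    signal both fire, or None. Either signal alone is not enough."""
    events = sorted(events, key=lambda e: e[0])
    for i, (t0, _, _) in enumerate(events):
        in_window = [e for e in events[i:] if e[0] - t0 <= window]
        calls = [p for _, k, p in in_window if k == "api"]
        conns = [p for _, k, p in in_window if k == "conn"]
        if (malicious_behaviour_score(calls) > api_threshold
                and p2p_connection_score(conns) >= p2p_threshold):
            return t0
    return None


# Constructed connection records. The P2P set talks to seven hosts on high ports
# over UDP and TCP from local port 6881 and accepts one inbound peer; the
# client/server set only makes outbound HTTPS connections to a single host.
P2P_CONNS = [("udp", "out", f"10.0.0.{i}", 30000 + i, 6881) for i in range(1, 7)]
P2P_CONNS += [("tcp", "in", "10.0.1.9", 40001, 6881), ("tcp", "out", "10.0.0.2", 6882, 6881)]
CLIENT_SERVER_CONNS = [("tcp", "out", "203.0.113.5", 443, 51000 + i) for i in range(6)]


def build_events(calls, conns, conn_start):
    """One API call per second from t=0 and one connection per second from conn_start."""
    ev = [(float(i), "api", c) for i, c in enumerate(calls)]
    ev += [(conn_start + i, "conn", c) for i, c in enumerate(conns)]
    return ev


BOT_EVENTS = build_events(MALICIOUS_TRACE, P2P_CONNS, 5.0)                      # both signals, same minute
CLIENT_SERVER_EVENTS = build_events(MALICIOUS_TRACE, CLIENT_SERVER_CONNS, 5.0)  # host signal only
SPLIT_EVENTS = build_events(MALICIOUS_TRACE, P2P_CONNS, 500.0)                  # signals 8 minutes apart

if __name__ == "__main__":
    print("bot events detected at t =", detect_p2p_bot(BOT_EVENTS))
    print("client/server events:", detect_p2p_bot(CLIENT_SERVER_EVENTS))
    print("signals outside one window:", detect_p2p_bot(SPLIT_EVENTS))
```

Run stand-alone, the script flags the constructed bot trace at t = 0, leaves the same host trace unflagged when it is paired with ordinary client/server connections, and also leaves it unflagged when the P2P connections arrive eight minutes after the host behaviour. The last case is the point of the time window in the abstract: a suspicious API profile or P2P-looking traffic on its own is not treated as a bot; the two have to co-occur within the window.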
