
Design and Implementation of a Botnet Detection Prototype System for the Windows Platform

Published: 2018-06-06 05:12

Topic: botnet; botnet detection. Source: University of Chinese Academy of Sciences (School of Engineering Management and Information Technology), 2014 master's thesis


[Abstract]: According to the 2013 China Internet Network Security Report released by the National Internet Emergency Center (CNCERT/CC), more than ten million computers in China are infected with malicious programs and turned into bot hosts every year, and the number keeps rising. These hosts are controlled from overseas IP addresses to carry out various illegal activities, in particular large-scale attacks that exploit the bots' strong coordination, which seriously harms network security and in turn threatens national security. Developing an efficient botnet detection and discovery system is therefore urgent. Most current detection methods rely on first obtaining a bot sample, reverse-engineering the known sample, and then extracting signatures for detection and removal. Such methods can only discover and contain a botnet after it has already broken out on a large scale, and they are powerless against unknown botnets.

This thesis aims to detect both known and unknown botnets on the Windows platform. It studies and dissects the characteristics of typical botnets, including their working principles, command-and-control (C&C) mechanisms, communication traffic and host behaviour, and on that basis tackles the key techniques of botnet detection, develops a general method for detecting and identifying botnets, and designs and implements a botnet detection prototype system for Windows. The main contents are:

(1) Analysis of the working principles, life cycle and C&C mechanisms of typical IRC, HTTP and P2P botnets, and extraction of their host-side and traffic features.

(2) A survey of existing botnet detection techniques, followed by the key techniques proposed here: multi-source data collection; service identification based on layered joint identification of frames and flows; automated analysis of bot sample programs; and a general traffic-feature detection technique based on spatio-temporal coordination and similarity.

(3) Design and implementation of the Windows botnet detection prototype system. With the rationality and efficiency of the architecture in mind, a client/server (C/S) detection framework is designed, covering the logical composition of each subsystem and the implementation of each module. Finally, the functionality and performance of the whole prototype system are verified experimentally.
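As an added example, not code from the thesis or its prototype: the "general traffic-feature detection based on spatio-temporal coordination and similarity" named in the abstract can be demonstrated on flow records. The script below groups outbound flows by destination and flags a destination when several distinct hosts contact it inside the same short time windows (coordination across hosts), each host's inter-arrival gaps are nearly constant (periodic beaconing), and the payload sizes are near-identical (similarity). The flow records, the window size and the thresholds are constructed assumptions for illustration, not values from the thesis.

```python
"""Added example: flag destinations whose clients show coordinated, periodic,
near-identical traffic. Flow records and thresholds below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source host, destination "ip:port", bytes sent)
FLOWS = [
    # three hosts beaconing to one endpoint about every 60 s with near-identical sizes
    (1000, "10.0.0.11", "203.0.113.5:6667", 412),
    (1001, "10.0.0.12", "203.0.113.5:6667", 410),
    (1003, "10.0.0.13", "203.0.113.5:6667", 415),
    (1060, "10.0.0.11", "203.0.113.5:6667", 413),
    (1062, "10.0.0.12", "203.0.113.5:6667", 411),
    (1061, "10.0.0.13", "203.0.113.5:6667", 414),
    (1120, "10.0.0.11", "203.0.113.5:6667", 412),
    (1121, "10.0.0.12", "203.0.113.5:6667", 409),
    (1123, "10.0.0.13", "203.0.113.5:6667", 416),
    # ordinary browsing: a shared destination, but uncoordinated times and sizes
    (1005, "10.0.0.21", "198.51.100.7:443", 1830),
    (1047, "10.0.0.22", "198.51.100.7:443", 9721),
    (1099, "10.0.0.21", "198.51.100.7:443", 512),
    (1130, "10.0.0.23", "198.51.100.7:443", 40210),
]

WINDOW = 10       # seconds; hosts acting inside one window count as co-occurring (assumed)
MIN_HOSTS = 3     # distinct hosts needed for a window to count as coordinated (assumed)
MIN_WINDOWS = 2   # coordinated windows needed before a destination is suspect (assumed)
MAX_CV = 0.2      # max coefficient of variation for "similar" gaps and sizes (assumed)


def cv(values):
    """Coefficient of variation (population std / mean); inf when the mean is zero."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def group_by_dst(flows):
    """Map destination -> list of (timestamp, source host, bytes)."""
    by_dst = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_dst[dst].append((ts, src, nbytes))
    return by_dst


def coordinated_windows(records):
    """Count WINDOW-sized slots in which at least MIN_HOSTS distinct hosts hit the destination."""
    hosts_per_window = defaultdict(set)
    for ts, src, _ in records:
        hosts_per_window[ts // WINDOW].add(src)
    return sum(1 for hosts in hosts_per_window.values() if len(hosts) >= MIN_HOSTS)


def interval_cv(records):
    """CV of per-host inter-arrival gaps pooled over hosts; low values mean periodic beaconing."""
    per_host = defaultdict(list)
    for ts, src, _ in records:
        per_host[src].append(ts)
    gaps = []
    for times in per_host.values():
        times.sort()
        gaps.extend(b - a for a, b in zip(times, times[1:]))
    return cv(gaps) if len(gaps) >= 2 else float("inf")


def size_cv(records):
    """CV of bytes sent across all flows to the destination; low values mean similar payloads."""
    return cv([nbytes for _, _, nbytes in records])


def detect(flows):
    """Return {destination: evidence} for destinations meeting all three criteria."""
    suspects = {}
    for dst, records in group_by_dst(flows).items():
        windows = coordinated_windows(records)
        icv = interval_cv(records)
        scv = size_cv(records)
        if windows >= MIN_WINDOWS and icv <= MAX_CV and scv <= MAX_CV:
            suspects[dst] = {
                "hosts": sorted({src for _, src, _ in records}),
                "windows": windows,
                "interval_cv": round(icv, 3),
                "size_cv": round(scv, 3),
            }
    return suspects


if __name__ == "__main__":
    for dst, evidence in detect(FLOWS).items():
        print(f"suspect C&C {dst}: {evidence}")
```

On the constructed input only 203.0.113.5:6667 is reported, with three coordinated windows and interval and size CVs near zero, while the browsing traffic to 198.51.100.7:443 never has three hosts in one window. Legitimate synchronized traffic (NTP, update checks, monitoring agents) shows the same coordination, so in practice known destinations are whitelisted and a hit is corroborated with host-side indicators; that is the role of the multi-source data collection and sample analysis the abstract lists alongside this traffic technique.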
[Degree-granting institution]: University of Chinese Academy of Sciences (School of Engineering Management and Information Technology)
[Degree level]: Master's
[Year awarded]: 2014
[Classification number]: TP393.06




Link: http://www.sikaile.net/guanlilunwen/ydhl/1985263.html