
Research on Botnet Detection Methods Based on Behavioral Characteristics

Published: 2018-09-09 13:17
[Abstract]: The rapid development of the Internet has brought convenience to people's lives and work, but the network security problems it has given rise to should not be underestimated. Botnets are an ingeniously designed and by now fairly mature technology that is increasingly used in illegal activities such as advertisement delivery, spam, and distributed denial-of-service attacks. A botnet consists of a large number of controlled computers that receive instructions from a controller and then execute them; these instructions are usually malicious. This allows the controller not only to conceal itself but also to use the controlled computers to launch various attacks. How to detect botnets has therefore become a very important problem in the field of network security. The thesis describes the malicious behavior of botnets in detail and selects six typical behaviors as general behavioral characteristics of botnets. Six plug-ins are then implemented on top of an intrusion detection system, each generating primary alerts for one of these six behaviors. Botnets are then detected through correlation analysis of these primary alerts. Correlation analysis of primary alerts can only detect known botnets. To detect unknown botnets, the behavior similarity and time similarity of alerts are computed for all monitored hosts, and unknown botnets are detected from the results. A prototype system was implemented according to the proposed detection mechanism and tested by running bot sample programs in a real network environment. The experimental results show that the proposed detection mechanism detects botnets very effectively.
[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Master's
[Year degree awarded]: 2011
[Classification number]: TP393.08
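The abstract's second stage, comparing hosts by the behavior similarity and time similarity of their alerts, can be sketched as follows. This is an added example, not code or formulas from the thesis: the Jaccard metric, the 60-second matching window, the 0.6 thresholds, the placeholder behavior labels B1..B6 and the sample alerts are all assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed primary alerts: (host, behavior, unix_seconds). B1..B6 are
# placeholder labels; the abstract does not name the six behaviors.
ALERTS = [
    ("10.0.0.5", "B1", 1000), ("10.0.0.5", "B3", 1060), ("10.0.0.5", "B4", 1300),
    ("10.0.0.7", "B1", 1010), ("10.0.0.7", "B3", 1075), ("10.0.0.7", "B4", 1290),
    ("10.0.0.8", "B1", 1020), ("10.0.0.8", "B3", 1050), ("10.0.0.8", "B4", 1310),
    ("10.0.0.8", "B5", 3000),
    ("10.0.0.9", "B1", 5000), ("10.0.0.9", "B3", 9000), ("10.0.0.9", "B4", 200),
    ("10.0.0.12", "B2", 1005), ("10.0.0.12", "B6", 1300),
]

def by_host(alerts):
    """Group (behavior, timestamp) pairs under the host that raised them."""
    hosts = defaultdict(list)
    for host, behavior, ts in alerts:
        hosts[host].append((behavior, ts))
    return hosts

def behavior_similarity(a, b):
    """Jaccard index over the behavior types each host triggered (assumed metric)."""
    sa, sb = {x for x, _ in a}, {x for x, _ in b}
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def time_similarity(a, b, window=60):
    """Share of alerts with a same-behavior alert on the other host within `window` s."""
    def matched(src, dst):
        return sum(any(b1 == b2 and abs(t1 - t2) <= window for b2, t2 in dst)
                   for b1, t1 in src)
    total = len(a) + len(b)
    return (matched(a, b) + matched(b, a)) / total if total else 0.0

def suspected_groups(alerts, min_behavior=0.6, min_time=0.6, window=60):
    """Link hosts whose alerts agree in both type and timing; return linked groups."""
    hosts, groups = by_host(alerts), []
    for h1, h2 in combinations(sorted(hosts), 2):
        if (behavior_similarity(hosts[h1], hosts[h2]) >= min_behavior
                and time_similarity(hosts[h1], hosts[h2], window) >= min_time):
            # Merge any existing groups that already contain either host.
            hit = [g for g in groups if h1 in g or h2 in g]
            groups = [g for g in groups if g not in hit] + [{h1, h2}.union(*hit)]
    return sorted(sorted(g) for g in groups)

if __name__ == "__main__":
    print(suspected_groups(ALERTS))
```

Host 10.0.0.9 raises the same alert types as the grouped hosts but at unrelated times, so it is left out; requiring both similarities is what separates coordinated hosts from ones that merely share a noisy alert type.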

