Abstract: For a botnet built on the Internet relay chat (IRC) protocol, the bot channel is the only path through which control commands are delivered and the whole network is manipulated. This paper addresses the detection of IRC botnet channels by proposing a method that uses the syntactic structure features of botnet control commands to detect such channels. A creditable coefficient describes the likelihood that a string in a channel is a botnet control command; combined with this coefficient, the threshold random walk (TRW) algorithm is improved to speed up botnet channel detection. Experimental results show that the method identifies bot channels well and raises detection efficiency markedly.
Abstract: The command and control (C&C) channel is the only way an Internet relay chat (IRC) botnet delivers the commands that control the botnet. This study analyzed the syntax characteristics of the control commands to develop a method for detecting the control command channel. A creditable coefficient was defined to describe the possibility that a sentence in a channel is a botnet control command. An improved threshold random walk (TRW) algorithm was used with the creditable coefficients to accelerate C&C channel detection. Tests show that this method can efficiently detect botnet C&C channels.
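The following is an added illustration of the idea in the abstract, not code from the paper: each channel line gets a coefficient for how much its syntax resembles a control command, and a threshold random walk (the sequential hypothesis test of Jung et al.) is run over the channel until it crosses the "bot" or "benign" threshold. The syntax cues in `credibility`, the parameters `theta0`, `theta1`, `alpha`, `beta`, the soft way the coefficient enters the walk (expected likelihood ratio), and the sample channels are all assumptions made here; the page does not give the paper's own definitions.

```python
"""Threshold random walk (sequential hypothesis test) over IRC channel lines.

Added illustration of the abstract's idea: score each line for
control-command-like syntax (a "credibility coefficient"), then run a TRW
over the channel. The scoring rules, the parameters and the way the
coefficient enters the walk are assumptions, not the paper's definitions.
"""
import math
import re
from typing import List, Optional, Tuple

# Assumed syntax cues for a bot control command: a short command word after a
# prefix character, an IP or URL argument, numeric parameters.
COMMAND_PREFIX = re.compile(r"^[.!#]\w{2,12}(\s|$)")
URL_OR_IP = re.compile(r"(https?://\S+|\b\d{1,3}(?:\.\d{1,3}){3}\b)")
NUMERIC_ARG = re.compile(r"\b\d+\b")


def credibility(line: str) -> float:
    """Return a score in [0, 1] for how strongly a line's syntax resembles a
    control command (constructed heuristic)."""
    score = 0.0
    if COMMAND_PREFIX.match(line):
        score += 0.5
    if URL_OR_IP.search(line):
        score += 0.25
    if NUMERIC_ARG.search(line):
        score += 0.15
    # Human chatter: long sentences or questions pull the score down.
    if len(line.split()) > 8 or line.rstrip().endswith("?"):
        score -= 0.3
    return max(0.0, min(1.0, score))


class ThresholdRandomWalk:
    """Sequential test: H0 = benign channel, H1 = bot C&C channel.

    theta0 / theta1 are the assumed probabilities that a line is a control
    command under H0 / H1; alpha / beta bound the false-positive and
    false-negative rates and set the two stopping thresholds.
    """

    def __init__(self, theta0: float = 0.1, theta1: float = 0.8,
                 alpha: float = 0.01, beta: float = 0.01) -> None:
        self.lr_cmd = theta1 / theta0                  # likelihood ratio, command line
        self.lr_chat = (1 - theta1) / (1 - theta0)     # likelihood ratio, chatter line
        self.log_eta1 = math.log((1 - beta) / alpha)   # cross upward -> "bot"
        self.log_eta0 = math.log(beta / (1 - alpha))   # cross downward -> "benign"
        self.log_lambda = 0.0                          # current log-likelihood ratio

    def step(self, c: float, soft: bool = True) -> Optional[str]:
        """Consume one line with credibility c; return a decision or None."""
        if soft:
            # Treat c as P(line is a command): expected likelihood ratio.
            lr = c * self.lr_cmd + (1 - c) * self.lr_chat
        else:
            # Classic TRW: binarise the observation at 0.5.
            lr = self.lr_cmd if c >= 0.5 else self.lr_chat
        self.log_lambda += math.log(lr)
        if self.log_lambda >= self.log_eta1:
            return "bot"
        if self.log_lambda <= self.log_eta0:
            return "benign"
        return None


def classify_channel(lines: List[str], soft: bool = True) -> Tuple[str, int]:
    """Run the walk over channel lines in order; stop at the first decision.

    Returns (decision, number_of_lines_consumed); decision is "undecided"
    when the channel ends before a threshold is crossed.
    """
    walk = ThresholdRandomWalk()
    for i, line in enumerate(lines, start=1):
        verdict = walk.step(credibility(line), soft=soft)
        if verdict is not None:
            return verdict, i
    return "undecided", len(lines)


# Constructed sample channels (not real captures).
BOT_CHANNEL = [
    ".scan 192.168.0.0 24",
    ".update http://example.invalid/x.bin 2",
    ".scan 10.0.0.0 8",
    ".login abc123 1",
]
CHAT_CHANNEL = [
    "hey, anyone around?",
    "lol that game last night was wild",
    "brb getting coffee",
    "did you see the new patch notes?",
    "gg everyone",
]

if __name__ == "__main__":
    for name, chan in (("bot", BOT_CHANNEL), ("chat", CHAT_CHANNEL)):
        print(name, classify_channel(chan))
```

With the assumed parameters the walk needs about three command-like lines to declare a bot channel and four chatter lines to declare it benign, so a monitored channel is classified after a handful of messages rather than after a fixed observation window; the "benign" threshold matters as much as the "bot" one, since it releases legitimate channels from monitoring early.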