基于命令语法结构特征的IRC僵尸网络频道检测

doi:10.16511/j.cnki.qhdxxb.2017.26.040

摘要
图/表
参考文献
相关文章
Metrics

全文: PDF(1248 KB)
输出: BibTeX | EndNote (RIS)

摘要僵尸频道是基于因特网在线聊天（Internet relay chat，IRC）协议僵尸网络传递控制命令，操纵整个网络的唯一途径。该文针对IRC僵尸网络频道检测问题，提出一种利用僵尸网络控制命令语法结构特征，实现检测僵尸网络频道的方法。使用可信系数描述频道中的字符串为僵尸网络控制命令的可能性，并结合可信系数，改进阈值随机游走（threshold random walk，TRW）算法，用以加快僵尸网络频道检测速度。实验结果表明：该方法对僵尸频道有很好的识别能力，检测效率明显提高。

	服务

	把本文推荐给朋友
	加入引用管理器
	E-mail Alert
	RSS

	作者相关文章
	闫健恩
	张兆心
	许海燕
	张宏莉

关键词 ：僵尸网络, 命令语法结构, 阈值随机游走(TRW)

Abstract：The command and control (C&C) channel is a unique way that a Internet relay chat (IRC) Botnet sends commands to control the Botnet. This study analyzed the syntax characteristics of the control command to develop a method to detect the control command channel. A creditable coefficient was defined to describe the possibility of a sentence in a channel being a Botnet control command. An improved threshold random walk (TRW) algorithm was used with the creditable coefficients to accelerate the C&C channel detection. Tests show that this method can efficiently detect Botnet C&C channels.

Key words： Botnet instruction syntax threshold random walk (TRW)

收稿日期: 2016-06-27 出版日期: 2017-09-15

ZTFLH:

TP393.0

通讯作者: 许海燕,讲师,E-mail:grace3666@163.com E-mail: grace3666@163.com

引用本文:

闫健恩, 张兆心, 许海燕, 张宏莉. 基于命令语法结构特征的IRC僵尸网络频道检测[J]. 清华大学学报（自然科学版）, 2017, 57(9): 914-920.
YAN Jianen, ZHANG Zhaoxin, XU Haiyan, ZHANG Hongli. Detection of IRC Botnet C&C channels using the instruction syntax. Journal of Tsinghua University(Science and Technology), 2017, 57(9): 914-920.

链接本文:

http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2017.26.040 或 http://jst.tsinghuajournals.com/CN/Y2017/V57/I9/914

表１　３种文法语法识别准确率结果

图１　僵尸网络控制命令与标准英文语句可信系数数分布

图２　僵尸网络命令与正常IRC聊天语句的可信系数分布

表２　３种句子可信系数分布统计

图３　E [N|H０]分析

图４　E [N|H１]分析

图５　僵尸控制命令与正常语句可信系数统计图

图６　僵尸频道分组测试结果

图７　正常频道分组测试结果

表３　误报检测语句可信系数统计表

[1]	诸葛建伟, 韩心慧, 周勇林, 等. 僵尸网络研究[J]. 软件学报. 2008, 19(3):702-715.ZHU GE Jianwei, HAN Xinhui, ZHOU Yonglin, et al. Research and development of Botnets[J]. Journal of Software, 2008, 19(3):702-715. (in Chinese)
[2]	CNCERT/CC.2013年中国互联网网络安全报告..http://www.cert.org.cn/publish/main/46/2014/20140603151551324380013/20140603151551324380013_.html.CNCERT/CC. The China Internet network security report 2013.. http://www.cert.org.cn/publish/main/46/2014/20140603151551324380013/20140603151551324380013_.html.(in Chinese)
[3]	InfoSecurity:Anonymus hacking group uses IRC channles to co-ordinate DDoS attacks.. http://www.infosecurity-magazine.com/news/anonymous-hacking-group-uses-irc-channels-to-co/.
[4]	Gu G F, Yegneswaran V, Porras P, et al. Active Botnet probing to identify obscure command and control channels[C]//Proceedings of the Computer Security Applications Conference. Washington, DC:IEEE Computer Society Press, 2009:241-253.
[5]	Fedynyshyn G, Chuah M C, Tan G. Detection and classification of different Botnet C&C channels[C]//Proceedings of the 8th International Conference on Autonomic and Trusted Computing. Banff, Canada:Autonomic & Trusted Computing-international Conference Press, 2011:228-242.
[6]	Gu G F, Porras P, Yegneswaran V, et al. BotHunter:Detecting malware infection through ids driven dialog correlation[C]//Proceedings of the 16th USENIX Security Symposium. Boston, MA, USA:USENIX Association Press, 2007:167-182.
[7]	Livadas C, Walsh R, Lapsley D, et al. Using machine learning techniques to identify Botnet traffic[C]//Proceedings of the 2nd IEEE LCN Workshop on Network Security. Tampa, FL, USA:IEEE Computer Society Press, 2006:967-974.
[8]	Strayer W T, Walsh R. Detecting Botnets with tight command and control[C]//Proceedings of the 31st IEEE Conference on Local Computer Networks. Tampa, FL, USA:IEEE Computer Society Press, 2006:195-202.
[9]	Karasaridis A, Rexroad B, Hoeflin D. Wide-scale Botnet detection and characterization[C]//Proceedings of theUsenix Workshop on Hot Topics in Understanding Botnets. Cambridge, MA, USA:USENIX Association Press, 2007:7-7.
[10]	Binkley J R, Singh S. An algorithm for anomaly-based Botnet detection[C]//Proceedings of the 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet. San Jose, CA, USA:USENIX Association Press, 2006:43-48.
[11]	李润恒, 王明华, 贾焰. 基于通信特征提取和IP聚集的僵尸网络相似性度量模型[J].计算机学报, 2010, 33(1):45-54.LI Runheng, WANG Minghua, JIA Yan. Modeling Botnets similarity based on communication feature extraction and IP assembly[J].Chinese Journal of Computer, 2010, 33(1):45-54. (in Chinese)
[12]	Goebel J, Thorsten H. Rishi:Identify bot contaminated hosts by IRC nickname evaluation[C]//Proceedings of the HotBots'07, First Workshop on Hot Topics in Understanding Botnets. Cambridge, MA, USA:USENIX Association Press, 2007:8-8.
[13]	Ramachandran A, Feamster N, Dagon D. Revealing Botnet membership using DNSBL counter-intelligence[C]//Proceedings of the 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet. San Jose, CA, USA:USENIX Association Press, 2006:49-54.
[14]	Choi H, Lee H. Identifying Botnets by capturing group activities in DNS traffic[J]. Computer Networks, 2012, 56(1):20-33.
[15]	Wang K, Huang C Y, Lin S J, et al. A fuzzy pattern-based filtering algorithm for Botnet detection[J]. Computer Networks the International Journal of Computer & Telecommunications Networking, 2011, 55(15):3275-3286.
[16]	Giroire F, Chandrashekar J, Taft N, et al. Exploiting temporal persistence to detect covert Botnet channels[C]//Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection. Saint Malo, France:Springer-Verlag Press, 2009:326-345.
[17]	Yen T F, Reiter M K. Traffic aggregation for malware detection[C]//Proceedings of the Fifth GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment. Paris, France:Springer-Verlag Press, 2008:207-227.
[18]	Singh K, Guntuku S C, Thakur A, et al. Big data analytics framework for Peer-to-Peer Botnet detection using random forests[J]. Information Sciences, 2014, 278(19):488-497.
[19]	Khattak S, Ramay N R, Khan K R, et al. A taxonomy of Botnet behavior, detection, and defense[J]. Communications Surveys & Tutorials IEEE, 2014, 16(2):898-924.
[20]	Jung J, Paxson, Berger A W, et al. Fast ports can detection using sequential hypothesis testing[C]//Proceedings of the IEEE Symposium on Security and Privacy. Berkeley, CA, USA:IEEE Computer Society Press, 2004:211-225.
[21]	闫健恩, 张兆心, 许海燕. 基于命令语法结构特征的IRC僵尸网络控制命令识别方法[J].高技术通讯, 2013, 23(6):571-577.YAN Jianen, ZHANG Zhaoxin, XU Haiyan. A identification method of IRC Botnets control commands based on the syntax[J]. High Technology Letters, 2013, 23(6):571-577. (in Chinese)
[22]	Wald A. Sequential tests of statistical hypotheses[J]. The Annals of Mathematical Statistics, 1945, 16(2):117-186.

[1]	夏卓群, 李文欢, 姜腊林, 徐明. 基于路径分析的电力CPS攻击预测方法[J]. 清华大学学报（自然科学版）, 2018, 58(2): 157-163.
[2]	赵俊, 包丛笑, 李星. 基于OpenFlow协议的覆盖网络路由器设计[J]. 清华大学学报（自然科学版）, 2018, 58(2): 164-169.
[3]	张庭, 汪漪, 杨仝, 卢建元, 刘斌. NDN名字查找算法的性能测试平台的设计和实现[J]. 清华大学学报（自然科学版）, 2018, 58(1): 1-7.
[4]	徐洪平, 刘洋, 易航, 阎小涛, 康健, 张文瑾. 运载火箭测发网络异常流量识别技术[J]. 清华大学学报（自然科学版）, 2018, 58(1): 20-26,34.
[5]	高洋, 马洋洋, 张亮, 王眉林, 王卫苹. 伴随随机攻击的信息物理系统的同步控制[J]. 清华大学学报（自然科学版）, 2018, 58(1): 14-19.
[6]	江卓, 吴茜, 李贺武, 吴建平. 基于链路通断预测的飞行器多路径传输优化[J]. 清华大学学报（自然科学版）, 2017, 57(12): 1239-1244.
[7]	张瑜, 潘小明, LIU Qingzhong, 曹均阔, 罗自强. APT攻击与防御[J]. 清华大学学报（自然科学版）, 2017, 57(11): 1127-1133.
[8]	韩心慧, 魏爽, 叶佳奕, 张超, 叶志远. 二进制程序中的use-after-free漏洞检测技术[J]. 清华大学学报（自然科学版）, 2017, 57(10): 1022-1029.
[9]	曹来成, 何文文, 刘宇飞, 郭显, 冯涛. 跨云存储环境下协同的动态数据持有方案[J]. 清华大学学报（自然科学版）, 2017, 57(10): 1048-1055.
[10]	刘武, 王永科, 孙东红, 任萍, 刘柯. 开源智能终端认证漏洞挖掘及登录认证改进[J]. 清华大学学报（自然科学版）, 2017, 57(9): 897-902.
[11]	马锐, 朱天保, 马科, 胡昌振, 赵小林. 基于单证人节点的分布式节点复制攻击检测[J]. 清华大学学报（自然科学版）, 2017, 57(9): 909-913,920.
[12]	陈宇, 王娜, 王晋东. 利用三角模糊数的语言变量项集减项算法[J]. 清华大学学报（自然科学版）, 2017, 57(8): 892-896.
[13]	李瑜, 赵勇, 郭晓栋, 刘国乐. 全系统一体的访问控制保障模型[J]. 清华大学学报（自然科学版）, 2017, 57(4): 432-436.
[14]	徐明伟, 夏安青, 杨芫, 王宇亮, 桑猛. 天地一体化网络域内路由协议OSPF+[J]. 清华大学学报（自然科学版）, 2017, 57(1): 12-17.
[15]	王伟平, 柏军洋, 张玉婵, 王建新. 基于代码改写的JavaScript动态污点跟踪[J]. 清华大学学报（自然科学版）, 2016, 56(9): 956-962,968.

Viewed

Full text

Abstract

Cited

Shared

Discussed