Journal on Communications (通信学报), 2017, Vol. 38, Issue (1): 97-105. doi: 10.11959/j.issn.1000-436x.2017012


Modeling and countermeasures of a social network-based botnet with strong destroy-resistance

Tao YIN1,2, Shi-cong LI3, Yu-peng TUO1,2, Yong-zheng ZHANG1,2

  1 Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
  2 University of Chinese Academy of Sciences, Beijing 100049, China
  3 National Computer Network Emergency Response Technical Team / Coordination Center of China, Beijing 100029, China
  • Revised: 2016-10-25  Online: 2017-01-01  Published: 2017-01-23
  • About the authors: Tao YIN (born 1989), male, from Chongqing, is a Ph.D. candidate at the Institute of Information Engineering, Chinese Academy of Sciences; his main research interest is network and information security. | Shi-cong LI (born 1981), male, from Linyi, Shandong, is an engineer at the National Computer Network Emergency Response Technical Team / Coordination Center of China; his main research interests are network security event monitoring and network behavior analysis. | Yu-peng TUO (born 1984), male, from Langfang, Hebei, is an assistant researcher at the Institute of Information Engineering, Chinese Academy of Sciences; his main research interests are network anomaly detection and mobile Internet big-data mining. | Yong-zheng ZHANG (born 1978), male, from Harbin, Heilongjiang, Ph.D., is a researcher and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences; his main research interest is network security situation awareness.
  • Supported by:
    The National Natural Science Foundation of China (61572496); The National High Technology Research and Development Program of China (863 Program) (2013AA014703); The National High Technology Research and Development Program of China (863 Program) (2012AA012801)

Abstract:

To defeat botnets and ensure cyberspace security, a novel social network-based botnet with strong destroy-resistance (DR-SNbot), together with a corresponding countermeasure, is proposed. DR-SNbot builds its command and control servers (C&C-Servers) on a social network, and each C&C-Server corresponds to a unique pseudo-random nickname. The botmaster issues commands by hiding them in diaries using information hiding techniques, which establishes a novel C&C channel. When different proportions of the C&C-Servers become invalid, DR-SNbot sends out different levels of alarms to inform the attacker to construct new C&C-Servers, and then automatically repairs C&C communication to ensure its strong destroy-resistance. Under the experimental settings, DR-SNbot resumed C&C communication in a short period of time and kept the control rate at 100% even when all current C&C-Servers were invalid. Finally, a botnet nickname detection method is proposed based on the difference in lexical features between legitimate nicknames and pseudo-random nicknames. Experimental results show that the proposed method effectively detects pseudo-random nicknames that social network-based botnets generate in bulk with customized algorithms (precision: 96.88%, recall: 93%).

Key words: network security, social networks, botnet, command and control channel, countermeasure

CLC number (Chinese Library Classification):

  • TP393.08