基于流角色检测P2P botnet

doi:10.3969/j.issn.1000-436x.2012.z1.035

通信学报 ›› 2012, Vol. 33 ›› Issue (Z1): 262-269.doi: 10.3969/j.issn.1000-436x.2012.z1.035

基于流角色检测P2P botnet

宋元章¹,何俊婷²,张波¹,王俊杰¹,王安邦¹

¹ 中国科学院长春光学精密机械与物理研究所，吉林长春 130033
² 中国第一汽车股份有限公司技术中心汽车电子部电控产品设计室，吉林长春 130011

出版日期:2012-09-25 发布日期:2017-08-03
基金资助:
国家自然科学基金资助项目;激光与物质相互作用国家重点实验室研究基金资助项目

Detecting P2P botnet based on the role of flows

Yuan-zhang SONG¹,Jun-ting HE²,Bo ZHANG¹,Jun-jie WANG¹,An-bang WANG¹

¹ Changchun Institute of Optics,Fine Mechanics and Physics,Chinese Academy of Sciences,Changchun 130033,China
² Electronic Control Automotive Electronics Department,Ltd R＆D Center,China FAW Co.,Changchun 130011,China

Online:2012-09-25 Published:2017-08-03
Supported by:
The National Natural Science Foundation of China;The State Key Laboratory Laser Interaction with Material Research Fund

摘要/Abstract

摘要：

提出了一种基于流角色的实时检测P2P botnet的模型，该模型从流本身的特性出发，使其在检测P2P botnet时处于不同的角色，以发现P2P botnet的本质异常和攻击异常，同时考虑到了网络应用程序对检测的影响。为进一步提高检测精度，提出了一种基于滑动窗口的实时估算Hurst指数的方法，并采用Kaufman算法来动态调整阈值。实验表明，该模型能有效检测新型P2P botnet。

关键词: P2Pbotnet, 自相似性, multi-chartCUSUM, Kaufman

Abstract:

Towards the weaknesses of the existing detection methods of P2P botnet,a novel real-time detection model based on the role of flows was proposed,which was named as RF.According to the characteristics of flows,the model made the flows play the different roles in the detection of the P2P botnet to detect the essential abnormality and the attacking abnormality.And the model considered the influence on the detection of the P2P botnet which the Web applications generated,especially the applications based on the P2P protocols.To minimize the false positive rate and false negative rate,a real-time method based on the sliding window to estimate the Hurst parameter was proposed,and the Kaufman algorithm was applied to adjust the threshold dynamically.The experiments showed that the model was able to detect the new P2P botnet with a relatively high precision.

Key words: P2P botnet, self-similarity, multi-chart CUSUM, Kaufman

宋元章,何俊婷,张波,王俊杰,王安邦. 基于流角色检测P2P botnet[J]. 通信学报, 2012, 33(Z1): 262-269.

Yuan-zhang SONG,Jun-ting HE,Bo ZHANG,Jun-jie WANG,An-bang WANG. Detecting P2P botnet based on the role of flows[J]. Journal on Communications, 2012, 33(Z1): 262-269.

图/表 7

图1

图2

图3

图4

图5

图6

表1

参考文献 19

[1]	JOE STEWART . Storm Worm DDOS Attack[R]. SecureWorks,Inc,Atlanta GA, 2007.
[2]	GRIZZARD J B , SHARMA V , NUNNERY C . Peer-to-peer botnets:overview and case study[A]. HotBots’07 conference[C]. 2007.
[3]	SARAT S , TERZIS A . Measuring the Storm Worm Network[R]. Technical Report 01-10-2007,HiNRG Johns Hopkins University, 2007.
[4]	HOLZ T , STEINER M , DAHL F . Measurements and mitigation of peer-to-peer-based botnets:a case study on storm worm[A]. 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats[C]. San Francisco, 2008.
[5]	STEGGINK M , IDZIEJCZAK I . Detection of Peer-to-Peer Botnets[R]. University of Amsterdam,Netherlands, 2007.
[6]	PORRAS P , SAIDI H , YEGNESWARAN V . A multi-perspective analysis of the storm (peacomm)worm[A]. Computer Science Laboratory,SRI International[C]. CA, 2007.
[7]	王海龙, 胡宁, 龚正虎 . Bot_CODA:僵尸网络协同检测体系结构[J]. 通信学报, 2009,30(10A): 15-22. WANG H L , HU N , GONG Z H . Bot_CODA:botnet collaborative detection architecture[J]. Journal on Communications, 2009,30(10A): 15-22.
[8]	王劲松, 刘帆, 张健 . 基于组特征过滤器的僵尸主机检测方法的研究[J]. 通信学报, 2010,31(2): 29-35. WANG J S , LIU F , ZHANG J . Botnet detecting method based on group-signature filter[J]. Journal on Communications, 2010,31(2): 29-35.
[9]	臧天宁, 云晓春, 张永铮 . 僵尸网络关系云模型分析算法[J]. 武汉大学学报(信息科学版), 2012,37(2): 247-251. ZANG T N , WANG X CCC , ZHANG Y Z . A botnet relationship analyzer based on cloud model[J]. Geomatics and Information Science of Wuhan University, 2012,37(2): 247-251.
[10]	诸葛建伟, 韩心慧, 周勇林 . 僵尸网络研究[J]. 软件学报, 2008,19(3): 702-715. ZHUGE J W , HAN X H , ZHOU Y L . Research and development of botnets[J]. Journal of Software, 2008,19(3): 702-715.
[11]	江健, 诸葛建伟, 段海新 . 僵尸网络机理与防御技术[J]. 软件学报, 2012,23(1): 82-96. JIANG J , ZHUGE J W , DUAN H X . Research on botnet mechanisms and defenses[J]. Journal of Software, 2012,23(1): 82-96.
[12]	LELAND W E , TAQQU M S , WILLINGER W . On the self-similar nature of Ethernet traffic(extended version)[J]. IEEE/ACM Trans on Networking, 1994,2(1): 1-15.
[13]	BERAN J , SHERMAN R , TRAQQU M S . Long range dependence in variable bit rate video traffic[A]. IEEE Trans on Communication[C]. 1995,43(234): 1566-1579.
[14]	KIM J S , KAHNG B , KIM D . Self-similarity in fractal and non-fractal networks[J]. Journal of the Korean Physical Society, 2008,52: 350-356.
[15]	KARAGIANNIS T , MOLLE M , FALOUTSOS M . Understanding the Limitations of Estimation Methods for Long-range Dependence[R]. University of Califomia,Tech ReP:TRUCR-CS-2006-10245, 2006.
[16]	KARAGIANNIS T , MOLLE M , FALOUTSOS M . Long-range dependence:Ten years of Internet traffic modeling[J]. IEEE Intenet Computing, 2004,8(5): 57-64.
[17]	TARTAKOVSKY A G , ROZOVSKII B , SHAH K . A Nonparametric Multichart CUSUM test for rapid intrusion detection[A]. Proceedings of Joint Statistical Meetings[C]. 2005.
[18]	KASERA S , PINHEIRO J , LOADER C . Fast and robust signaling overload control[A]. Proceedings of Ninth International Conference on Network Protocols[C]. 2001. 323-331.
[19]	SEN S , SPATSCHECK O , WANG D M . Accurate,scalable in-network identification of P2P traffic using application signatures[A]. Proceedings of the 13th international conference on World Wide Web[C]. New York, 2004. 512-521.

检测方案	No.1	No.2	No.3	No.4
真实情况	0	0	100	100
UDP	11	42	79	143:69
ICMP	16	20	61	135:57
SMTP	11	14	68	105:63
RF	5	3	92	113:77

基于流角色检测P2P botnet

Detecting P2P botnet based on the role of flows

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 19

相关文章 6

Metrics

推荐阅读 0

[1]	魏德宾,沈婷,杨力,戚耀文. 基于自相似流量水平分级预测的网络队列调度算法[J]. 通信学报, 2020, 41(4): 182-189.
[2]	宣蕾,卢锡城,于瑞厚,赵学明. 网络威胁时序的自相似性分析[J]. 通信学报, 2008, 29(4): 45-50.
[3]	吴援明,肖联珠,李乐民. 改进的长度自适应门限组装算法[J]. 通信学报, 2006, 27(4): 37-41.
[4]	谭永明,邓立虎. 取样鉴相数字合成器环中的混沌动力学行为[J]. 通信学报, 2006, 27(4): 49-53.
[5]	陈宇峰,董亚波,鲁东明,潘云鹤. 面向大规模网络的聚集TCP流量模拟方法研究[J]. 通信学报, 2006, 27(2): 100-106.
[6]	程华,邵志清,房一泉. Internet流量的多重分形分析[J]. 通信学报, 2005, 26(1A): 27-30.