Journal on Communications (通信学报), 2013, Vol. 34, Issue 10: 49-55. doi: 10.3969/j.issn.1000-436x.2013.10.006


IRC botnet channel detection based on multi-dimensional traffic features (original Chinese title: 基于多维流量特征的IRC僵尸网络频道检测)

闫健恩 1, 袁春阳 2, 许海燕 1, 张兆心 1

  1 School of Computer Science and Technology, Harbin Institute of Technology, Harbin 150001, Heilongjiang, China
  2 National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China
  • Online: 2013-10-25  Published: 2017-08-10
  • Supported by:
    The National High Technology Research and Development Program of China (863 Program); The National Natural Science Foundation of China; The National Natural Science Foundation of China; The National Science and Technology Support Program; Young and Middle-Aged Scientists Research Awards Fund of Shandong Province; Weihai Municipal Science and Technology Research Fund; Harbin Institute of Technology Scientific Research Innovation Foundation

Method of detecting IRC Botnet based on the multi-features of traffic flow

Jian-en YAN 1, Chun-yang YUAN 2, Hai-yan XU 1, Zhao-xin ZHANG 1

  1 School of Computer Science and Technology, Harbin Institute of Technology, Harbin 150001, China
  2 National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China
  • Online: 2013-10-25  Published: 2017-08-10
  • Supported by:
    The National High Technology Research and Development Program of China (863 Program); The National Natural Science Foundation of China; The National Natural Science Foundation of China; The National Science and Technology Support Program; Young and Middle-Aged Scientists Research Awards Fund of Shandong Province; Weihai Municipal Science and Technology Research; Harbin Institute of Technology Scientific Research Innovation Foundation

Abstract (translated from the Chinese):

To address the problem of detecting IRC botnet channels, a detection method based on traffic features is proposed. The data flows of botnet channels are analyzed over different time periods for their clustering tendency, similarity, average packet length, traffic peaks and coordinated traffic peaks, and these features serve as the basis for identifying botnet channels. During detection, an improved max-min distance algorithm combined with k-means clustering is used, which improves the quality of the resulting clusters. Finally, experiments verify the effectiveness of the method.

Keywords: IRC protocol, botnet, data flow, cluster analysis

Abstract (English, as published):

To resolve the problem of detecting IRC botnets, a method based on traffic flow characteristics was proposed. The characteristics of botnet channel traffic were analyzed over different periods, namely data clustering, data similarity, average packet length, peaks of synchronized traffic, and peaks of collaborative synchronized traffic, and these characteristics were used to detect the botnet. For the analysis, an improved max-min distance method and a k-means cluster analysis algorithm were also presented to improve the quality of the data clustering. Finally, the effectiveness of the method was verified by experiment.

Key words: IRC protocol, botnet, traffic flow, cluster analysis
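The two-stage clustering the abstract describes (max-min distance seeding to choose the initial centers and their number, then k-means refinement) as an added example that is not the paper's code. The feature vectors, the theta=0.5 stopping ratio and the synchronized-peak threshold used to flag clusters are constructed assumptions, not values from the paper.

```python
import math

# Added example (not the paper's code). Constructed per-channel feature
# vectors: (mean packets per period, mean packet length in bytes,
# number of periods showing a synchronized traffic peak).
SAMPLE = {
    "#chan-a": (42.0, 61.0, 9.0),  # short, regular command/response traffic
    "#chan-b": (40.0, 58.0, 8.0),
    "#chan-c": (44.0, 63.0, 9.0),
    "#chat-x": (7.0, 140.0, 0.0),  # human chat: sparse, long lines, no peaks
    "#chat-y": (5.0, 155.0, 1.0),
    "#chat-z": (9.0, 131.0, 0.0),
}
def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
def maxmin_seeds(points, theta=0.5):
    """Max-min distance seeding: keep adding the point farthest from its nearest
    center while that gap exceeds theta * the first gap (assumed theta)."""
    centers, first_gap = [points[0]], None
    while True:
        far = max(points, key=lambda p: min(dist(p, c) for c in centers))
        gap = min(dist(far, c) for c in centers)
        if first_gap is None:
            first_gap = gap
        elif gap <= theta * first_gap:
            return centers
        centers.append(far)
def kmeans(points, centers, iters=50):
    """Lloyd iterations from the given seeds; returns (centers, labels)."""
    for _ in range(iters):
        labels = [min(range(len(centers)), key=lambda i: dist(p, centers[i]))
                  for p in points]
        members = [[p for p, l in zip(points, labels) if l == i]
                   for i in range(len(centers))]
        new = [tuple(sum(v) / len(m) for v in zip(*m)) if m else c
               for m, c in zip(members, centers)]
        if new == centers:
            break
        centers = new
    return centers, labels
def cluster_channels(sample, theta=0.5):
    """Return [(centroid, [channel names])] for each cluster found."""
    names, points = list(sample), list(sample.values())
    centers, labels = kmeans(points, maxmin_seeds(points, theta))
    return [(c, [n for n, l in zip(names, labels) if l == i])
            for i, c in enumerate(centers)]
def suspicious_channels(sample, min_sync_peaks=3.0):
    """Flag clusters whose centroid shows frequent synchronized peaks
    (assumed threshold, not from the paper); returns channel names."""
    return sorted(n for c, ns in cluster_channels(sample)
                  if c[2] >= min_sync_peaks for n in ns)
```

Because the seeding stops when the next candidate is closer than theta times the first inter-center gap, the number of clusters is driven by the data rather than fixed in advance.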
