Journal on Communications (通信学报) ›› 2014, Vol. 35 ›› Issue (1): 156-166. doi: 10.3969/j.issn.1000-436x.2014.01.018
Authors: Zhi WANG, Ya-yun CAI, Lu LIU, Chun-fu JIA (王志, 蔡亚运, 刘露, 贾春福)
Publication date: 2014-01-25
Release date (online): 2017-06-17
Abstract: Starting from the regularity with which a bot program's execution traces cover its binary code blocks, this paper proposes a method for discovering botnet control commands. It discovers the botnet's control-command space by analysing the code-block coverage characteristics of execution traces, and verifies that the discovered command space is complete by checking whether the code space has been fully covered. Code-block coverage analysis was carried out on execution traces of the Zeus, SdBot and AgoBot bots. The results show that the method quickly and accurately extracts a botnet's set of control commands with low time and space overhead, and that the execution traces corresponding to that command set cover more than 95% of the bot program's code space.
Cite as: Zhi WANG, Ya-yun CAI, Lu LIU, Chun-fu JIA. Using coverage analysis to extract Botnet command-and-control protocol [J]. Journal on Communications, 2014, 35(1): 156-166. (Chinese title: 基于覆盖率分析的僵尸网络控制命令发掘方法)
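The discovery loop the abstract describes, as an added illustration in Python that is not the paper's code or tooling. A small hand-instrumented function stands in for the bot binary: each basic block calls hit(block_id), playing the role of the dynamic binary instrumentation the paper applies to real samples, and the set of block ids found by scanning that function's source plays the role of the statically disassembled code space. Every function name, block id and candidate input below is constructed for the example. Inputs are fed to the bot one at a time; an input is kept as a new control command only when its trace reaches blocks no earlier input did, so argument variants of the same command collapse into one entry. Completeness is then judged by the fraction of the code space that the union of the kept traces covers, and any unreached block points at a command the candidate set has not yet exercised.

```python
"""Coverage-driven discovery of a bot's command set (added toy example).

bot_dispatch() is a constructed stand-in for the bot binary; hit(block_id)
calls mark basic blocks, as a dynamic instrumentation tool would on a real
sample. static_code_space() mimics static disassembly by collecting every
block id that appears in the source. Nothing here is the paper's own code.
"""
import inspect
import re
from typing import Callable, Dict, List, Set, Tuple


def bot_dispatch(cmd: str, hit: Callable[[str], None]) -> str:
    """Constructed toy C&C handler; hit() records each basic block executed."""
    hit("B0_entry")
    parts = cmd.split()
    if not parts:
        hit("B1_empty")
        return "noop"
    op = parts[0].lower()
    if op == "ddos":
        hit("B2_ddos")
        if len(parts) > 1:
            hit("B3_ddos_target")
            return "flood " + parts[1]
        hit("B4_ddos_notarget")
        return "flood default"
    if op == "update":
        hit("B5_update")
        return "download new binary"
    if op == "spam":
        hit("B6_spam")
        return "send spam"
    if op == "uninstall":
        hit("B7_uninstall")
        return "remove self"
    hit("B8_unknown")
    return "unknown"


def static_code_space(func: Callable) -> Set[str]:
    """Stand-in for static disassembly: every block id present in the source."""
    src = inspect.getsource(func)
    return set(re.findall(r'hit\("([A-Za-z0-9_]+)"\)', src))


def record_trace(cmd: str) -> Set[str]:
    """Stand-in for one recorded execution trace: the blocks one input reaches."""
    covered: Set[str] = set()
    bot_dispatch(cmd, covered.add)
    return covered


def discover_commands(candidates: List[str]) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Greedy coverage-driven discovery.

    Returns (commands, union): commands maps each accepted input to the blocks
    it was the first to reach; union is every block reached so far. Inputs
    whose trace adds no new block (argument variants, junk) are discarded, so
    'ddos 10.0.0.2' after 'ddos 10.0.0.1' is not counted a second time.
    """
    union: Set[str] = set()
    commands: Dict[str, Set[str]] = {}
    for cmd in candidates:
        new_blocks = record_trace(cmd) - union
        if new_blocks:
            commands[cmd] = new_blocks
            union |= new_blocks
    return commands, union


def completeness(union: Set[str], code_space: Set[str],
                 threshold: float = 0.95) -> Tuple[float, bool, List[str]]:
    """Coverage ratio, verdict against the threshold, and blocks still unreached."""
    ratio = len(union & code_space) / len(code_space)
    return ratio, ratio >= threshold, sorted(code_space - union)


if __name__ == "__main__":
    # Constructed candidate inputs: real commands, argument variants, junk.
    candidates = ["", "help", "ddos 10.0.0.1", "ddos 10.0.0.2", "ddos",
                  "UPDATE", "spam", "spam now"]
    space = static_code_space(bot_dispatch)
    cmds, union = discover_commands(candidates)
    ratio, ok, missing = completeness(union, space)
    print("discovered:", list(cmds))
    print(f"coverage {ratio:.0%}, complete={ok}, unreached={missing}")
    # The unreached block points at a command no input exercised; adding
    # it to the candidate set closes the gap.
    cmds2, union2 = discover_commands(candidates + ["uninstall"])
    print("after adding 'uninstall':", completeness(union2, space))
```

Run as a script, the first pass stops at 8 of 9 blocks with B7_uninstall unreached, which is exactly the signal the completeness check is meant to give: a command exists that the candidate inputs never triggered. A second pass with "uninstall" added reaches full coverage. Note that the bare "ddos" is kept as its own entry because the missing-argument path is a block of its own; whether to report it as a separate command or as an argument form of ddos is a presentation choice this toy leaves open.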