面向可扩展僵尸网络的安全控制方法

doi:10.11959/j.issn.2096-109x.2023002

摘要/Abstract

摘要：

僵尸网络是互联网面临的主要威胁之一。当前，网络服务类型多样、安全漏洞频出、以物联网设备为代表的海量联网设备部署更加有利于僵尸网络全球扩展。未来僵尸网络将更加具有跨平台特性和隐匿性，这给网络空间带来了严重的安全隐患。因此，针对僵尸网络自身开展深入研究，可以为新的僵尸网络防御研究提供研究对象，对于设计下一代网络安全防护体系具有重要意义。提出一种基于HTTP的可扩展僵尸网络框架来解决僵尸网络自身存在的兼容性、隐匿性与安全性问题，该框架基于中心式控制模型, 采用HTTP 作为僵尸网络通信协议，并对通信内容进行基于对称密码学的块加密。进一步地，提出了一种面向多平台架构的僵尸网络安全控制方法，该方法利用源码级代码集成与交叉编译技术解决兼容性问题，引入动态密钥加密通信机制克服传统僵尸网络流量存在规律性和易被分析的不足，设计服务器迁移与重连机制解决中心式僵尸网络模型存在的单点失效问题，以提高僵尸网络存活率。3 个不同控制性水平场景下的仿真实验结果表明，僵尸网络的规模与其命令与控制（C＆amp;C，command and control）服务器服务负载之间存在线性关系；此外，在僵尸网络规模相同的条件下，越高的控制性会带来越高的吞吐量和越大的系统负载，从而验证了所提方法的有效性和现实可行性。

关键词: 僵尸网络, 安全控制, 多平台架构, 高级加密标准

Abstract:

Botnet is one of main threats towards the Internet.Currently, botnets can expand to the whole world due to various types of network services, pervasive security vulnerabilities and massive deployment of networked devices, e.g., internet of things (IoT) devices.Future botnets will become more cross-platform and stealthy, which introduces severe security risks to cyberspace.Therefore, in-depth research on botnets can offer study targets to corresponding defensive studies, which is very meaningful for designing an architecture to secure the next-generation cyberspace.Hence, an HTTP-based scalable botnet framework was proposed to address the problems of compatibility, stealthiness and security.Specifically, the framework adopted a centralized controlling model.Moreover, it used the HTTP protocol as the designed botnet’s communication protocol and block encryption mechanisms based on symmetric cryptography to protect the botnet’s communication contents.Furthermore, a secure control mechanism for multi-platform botnets was designed.In particular, the proposed mechanism utilized source-level code integration and cross-compilation techniques to solve the compatibility challenge.It also introduced encrypted communication with dynamic secret keys to overcome the drawbacks of network traffic regularity and ease of analysis in traditional botnets.Moreover, it designed server migration and reconnection mechanisms to address the weakness of single-point-failure in centralized botnet models.Simulation results in three experimental scenarios with different levels of botnet controllability show that there is a linear relationship between the size of a botnet and the service overhead of the related C＆amp;C servers.In addition, under the condition of the same botnet scale, a higher level of controllability introduces a higher throughput and a greater system overhead.The above results demonstrate the effectiveness and the practical feasibility of the proposed method.

Key words: botnet, secure control, multi-platform architecture, advanced encryption standard

中图分类号:

TP393

刘强, 李鹏飞, 付章杰. 面向可扩展僵尸网络的安全控制方法[J]. 网络与信息安全学报, 2023, 9(1): 42-55.

Qiang LIU, Pengfei LI, Zhangjie FU. Secure controlling method for scalable botnets[J]. Chinese Journal of Network and Information Security, 2023, 9(1): 42-55.

图/表 18

图1

图2

图3

图4

图5

图6

表1

表2

图7

图8

图9

图10

图11

图12

图13

图14

图15

图16

参考文献 7

[8]	肖喜生, 龙春, 杜冠瑶 ,等. 基于流量摘要的僵尸网络检测[J]. 计算机系统应用, 2021,30(8): 186-193.
	XIAO X S , LONG C , DU G Y ,et al. Botnet detection based on flow summary[J]. Computer Systems ＆ Applications, 2021,30(8): 186-193.
[9]	罗扶华, 张爱新 . 基于深度学习的僵尸网络检测技术研究[J]. 通信技术, 2020,53(1): 174-179.
	LUO F H , ZHANG A X . Botnet detection technology based on deep learning[J]. Communications Technology, 2020,53(1): 174-179.
[10]	WANG X F , ZHANG D F , SU X . Design of mobile botnets Integrated SMS and HTTP protocol C＆C channel[J]. Journal of Chinese Computer Systems, 2014,35(7): 1458-1463.
[11]	KNYSZ M , HU X , ZENG Y ,et al. Open Wi-Fi networks:Lethal weapons for botnets[C]// Proceedings of the 2012 IEEE INFOCOM. 2012: 2631-2635.
[12]	WANG P , SPARKS S , ZOU C C . An advanced hybrid peer-to-peer botnet[J]. IEEE Transactions on Dependable and Secure Computing, 2010,7(2): 113-127.
[13]	HAN Q , YU W , ZHANG Y ,et al. Modeling and evaluating of typical advanced peer-to-peer botnet[J]. Performance Evaluation, 2014,72: 1-15.
[14]	高见, 芦天亮, 王威 . 基于P2P的僵尸网络C＆C设计与仿真[J]. 中国人民公安大学学报(自然科学版), 2015,21(3): 65-70.
	GAO J , LU T L , WANG W . C＆C design and simulation of P2P-based botnets[J]. Journal of Chinese People's Public Security University (Science and Technology), 2015,21(3): 65-70.
[15]	柳淑婷, 傅梓怡, 范亚芹 . 基于 Android 的僵尸网络设计与实现[J]. 吉林大学学报(信息科学版), 2016,34(2): 182-185.
	LIU S T , FU Z Y , FAN Y Q . Design and implementation of mobile botnet based on android system[J]. Journal of Jilin University (Information Science Edition), 2016,34(2): 182-185.
[16]	张翕然 . 物联网僵尸网络病毒传播模型研究及仿真[D]. 重庆:重庆理工大学, 2021.
	ZHANG X R . Research and Simulation of internet of things botnet virus propagation model[D]. Chongqing:Chongqing University of Technology, 2021.
[1]	HAN B , YANG X R , SUN Z G ,et al. OverWatch:A cross-plane DDoS attack defense framework with collaborative intelligence in SDN[J]. Security and Communication Networks, 2018.
[2]	腾讯云T-Sec DDoS防护团队,绿盟科技威胁情报团队. 2021年全球DDoS威胁报告[R]. 2022.
	Tencent Cloud T-SEC DDoS Defense Team,NSFOCUS Threat Intelligence Team. 2021 annual report of world-wide DDoS threats[R]. 2022.
[3]	European Union Agency for Cybersecurity (ENISA). ENISA threat landscape 2021[EB]. 2022.
[17]	BAUMGARTNER K , GARNAEVA M . BE2 custom plugins,router abuse,and target profiles[EB]. 2014.
[18]	周安民, 钟毅, 左政 ,等. D-BitBot:比特币网络双向通信的 P2P僵尸网络模型[J]. 哈尔滨工业大学学报, 2020,52(5): 66-74.
[4]	王钰蓥 . SAM Seamless Network报告显示2021年物联网攻击超过10亿次[J]. 互联网天地, 2022(5): 60.
	WANG Y Y . SAM Seamless Network report shows more than 1 billion IoT attacks in 2021[J]. China Internet, 2022(5): 60.
[18]	ZHOU A M , ZHONG Y , ZUO Z ,et al. D-BitBot:a P2P duplex botnet model in Bitcoin network[J]. Journal of Harbin Institute of Technology, 2020,52(5): 66-74.
[19]	赵昊, 舒辉, 康绯 ,等. 基于智能合约的高对抗性僵尸网络研究[J]. 网络与信息安全学报, 2021,7(4): 30-41.
[5]	HE J , YANG Y X , WANG X L ,et al. Adaptive traffic sampling for P2P botnet detection[J]. International Journal of Network Management, 2017,27(5): e1992.
[6]	吴迪, 方滨兴, 崔翔 ,等. BotCatcher:基于深度学习的僵尸网络检测系统[J]. 通信学报, 2018,39(8): 18-28.
[19]	ZHAO H , SHU H , KANG F ,et al. High resistance botnet based on smart contract[J]. Chinese Journal of Network and Information Security, 2021,7(4): 30-41.
[20]	WANG W , MA X . Blockchain-based botnets for command-and control resilience[J]. Botnets:Architectures,Countermeasures,and Challenges, 2019:217.
[6]	WU D , FANG B X , CUI X ,et al. BotCatcher:botnet detection system based on deep learning[J]. Journal on Communications, 2018,39(8): 18-28.
[7]	沈琦, 涂哲, 李坤 ,等. 基于集成学习的僵尸网络在线检测方法[J]. 计算机应用研究, 2022,39(6): 1845-1851.
	SHEN Q , TU Z , LI K ,et al. Online botnet detection method based on ensemble learning[J]. Application Research of Computers, 2022,39(6): 1845-1851.

测试机	IP地址	操作系统	磁盘空间	CPU	内存大小/GB
物理机	192.168.8.100	Windows 10	—	Intel Core i7-8700 CPU @ 3.20 GHz	64
虚拟机	192.168.8.177	Ubuntu 16.04	50 GB		2

测试场景	报到间隔区间/s	僵尸主机规模/个	僵尸主机规模增长速度/(个.波次^-1)	每波次测试时间/s
低控制性	180～360	100～1 000	100	30
中控制性	60～120	100～1 000	100	30
高控制性	10～30	100～1 000	100	30