1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
2. University of Chinese Academy of Sciences, Beijing 100049, China
3. National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), Beijing 100029, China
Tao YIN (b. 1989), male, from Chongqing; Ph.D. candidate at the Institute of Information Engineering, Chinese Academy of Sciences. Research interests: network and information security.
Shi-cong LI (b. 1981), male, from Linyi, Shandong; engineer at the National Computer Network Emergency Response Technical Team/Coordination Center of China. Research interests: network security incident monitoring and network behaviour analysis.
Yu-peng TUO (b. 1984), male, from Langfang, Hebei; assistant researcher at the Institute of Information Engineering, Chinese Academy of Sciences. Research interests: network anomaly detection and mobile Internet big-data mining.
Yong-zheng ZHANG (b. 1978), male, from Harbin, Heilongjiang; Ph.D., researcher and doctoral supervisor at the Institute of Information Engineering, Chinese Academy of Sciences. Research interests: network security situation awareness.
Online publication date: 2017-01
Print publication date: 2017-01-25
尹涛, 李世淙, 庹宇鹏, 等. 强抗毁性社交僵尸网络的构建及其防御[J]. 通信学报, 2017, 38(1): 97-105. DOI: 10.11959/j.issn.1000-436x.2017012.
Tao YIN, Shi-cong LI, Yu-peng TUO, et al. Modeling and countermeasures of a social network-based botnet with strong destroy-resistance[J]. Journal on Communications, 2017, 38(1): 97-105. DOI: 10.11959/j.issn.1000-436x.2017012.
Abstract: To defeat botnets and safeguard cyberspace security, this paper proposes a novel social network-based botnet with strong destroy-resistance (DR-SNbot) together with a targeted countermeasure. DR-SNbot builds its command-and-control servers (C&C-Servers) on a social network; each C&C-Server corresponds to a distinct pseudo-random nickname, and the botmaster publishes commands by hiding them in diary (blog) posts with information-hiding techniques, which forms a new kind of C&C channel. When different proportions of the C&C-Servers become unavailable, DR-SNbot raises alarms of different levels to notify the attacker to set up new C&C-Servers, and then repairs the C&C communication automatically; this is what gives it its strong destroy-resistance. In the experimental environment, even when all current C&C-Servers were taken down, DR-SNbot restored C&C communication within a short time and kept the control rate at 100%. Finally, based on the differences in lexical features between pseudo-random bot nicknames and legitimate nicknames, a bot-nickname detection method is proposed that can effectively detect the pseudo-random nicknames that social botnets batch-generate with custom algorithms. Experimental results show that the method achieves a recall of 93% and a precision of 96.88%.
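The detection side of the abstract, as an added example that is not code from the paper: a lexical-feature classifier that separates pseudo-random nicknames from legitimate ones, in the spirit of the countermeasure described above. The three features used here (vowel ratio, longest consonant run, letter/digit transitions), the two-of-three voting rule and its thresholds, and every sample nickname are illustrative assumptions constructed for this page, not the authors' feature set, algorithm or data set; the precision and recall it reports on the constructed sample are not the paper's figures.

```python
"""Lexical-feature detector for pseudo-random (bot-generated) nicknames.

Added example; features, thresholds and sample data are assumptions, not the paper's.
"""
from __future__ import annotations

VOWELS = set("aeiou")


def lexical_features(nickname: str) -> dict[str, float]:
    """Compute three cheap lexical features of a nickname (case-insensitive)."""
    s = nickname.lower()
    letters = [c for c in s if c.isalpha()]
    # Share of letters that are vowels; pronounceable names sit well above random strings.
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    # Longest run of consecutive consonants; digits, vowels and separators reset the run.
    longest = run = 0
    for c in s:
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    # Number of letter<->digit switches; humans append digits ("alice99"), generators interleave them.
    transitions = sum(
        1
        for a, b in zip(s, s[1:])
        if (a.isalpha() and b.isdigit()) or (a.isdigit() and b.isalpha())
    )
    return {
        "vowel_ratio": vowel_ratio,
        "longest_consonant_run": longest,
        "letter_digit_transitions": transitions,
    }


def is_bot_nickname(nickname: str) -> bool:
    """Flag a nickname when at least two of three illustrative indicators fire (assumed thresholds)."""
    f = lexical_features(nickname)
    votes = (
        (f["vowel_ratio"] < 0.2)
        + (f["longest_consonant_run"] >= 4)
        + (f["letter_digit_transitions"] >= 2)
    )
    return votes >= 2


# Constructed sample data (not from the paper): hand-picked legitimate-looking nicknames
# and consonant-heavy, digit-interleaved strings of the kind a batch generator emits.
LEGIT_NICKNAMES = [
    "john_smith", "sunny_day2010", "coffeelover", "alice99",
    "travel_bug", "bookworm", "happy_cat", "mr_strong2",
]
BOT_NICKNAMES = [
    "xq7tpz9k", "zkvqwhl3", "hq9xtzbw", "p4w2k7xr",
    "tzqvmlk8", "a5xk9q2z", "wqz9kxvt", "jq7ztpkr",
]


def evaluate(legit=LEGIT_NICKNAMES, bots=BOT_NICKNAMES) -> dict[str, float]:
    """Precision/recall of is_bot_nickname on labelled nicknames (bot = positive class)."""
    tp = sum(is_bot_nickname(n) for n in bots)
    fn = len(bots) - tp
    fp = sum(is_bot_nickname(n) for n in legit)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


if __name__ == "__main__":
    for name in LEGIT_NICKNAMES + BOT_NICKNAMES:
        f = lexical_features(name)
        print(f"{name:14} vowel={f['vowel_ratio']:.2f} run={f['longest_consonant_run']} "
              f"switches={f['letter_digit_transitions']} -> {'BOT' if is_bot_nickname(name) else 'ok'}")
    print(evaluate())
```

On the constructed sample the rule misses "a5xk9q2z", whose single vowel keeps the vowel ratio at exactly the 0.2 threshold, which is the kind of borderline case that keeps recall below precision in a detector of this sort; in practice the thresholds (or a trained classifier over the same features) would be fitted on a labelled nickname corpus rather than set by hand, and a generator that deliberately inserts vowels will push more of its output across the boundary.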