Similar literature (20 records found)
1.
Current mainstream botnet detection methods rely mainly on network traffic analysis, which usually requires the internal contents of packets or depends on information supplied by external systems or on the malicious behaviour of bot hosts; moreover, most of these methods cannot automatically store botnet traffic features and have no associative memory. To address this, a botnet detection method based on a BP neural network is proposed: a BP neural network classifier is trained on a large number of botnet and normal traffic samples so that it learns to recognise botnet traffic and automatically memorises bot traffic features, thereby detecting infected hosts effectively. The classifier takes host pairs as its unit of analysis, extracts traffic features of the communication between the two hosts, and uses the host pair's feature vector as input to distinguish normal hosts from bot hosts. Experiments show that the method achieves a detection rate of 99% with a false positive rate below 1%, demonstrating good performance.

2.
Detecting unknown malicious network traffic is one of the core unsolved problems in anomaly detection. Traffic data captured from high-speed network streams is often imbalanced and variable. Although much research exists on feature processing and detection methods for malicious traffic anomaly detection, these methods still fall short in handling data imbalance and variability at the same time while keeping detection performance high. This paper therefore targets the current difficulties of unknown malicious traffic detection and proposes a detection model based on ensemble SVM and Bagging. First, to address the imbalance of network traffic data, a traffic processing method based on Multi-SMOTE oversampling is proposed to improve the quality of the features obtained after processing; second, to address the diversity of network traffic distributions, an unknown traffic screening method based on semi-supervised spectral clustering is proposed to extract unknown traffic from mixed traffic with diverse distributions; finally, following the Bagging idea, an ensemble SVM detector for unknown malicious traffic is trained. Experimental results show that the proposed ensemble SVM and Bagging based model for detecting unknown traffic attack types outperforms current comparable unknown malicious traffic detection methods on the overall evaluation (F1 score) and generalises well across different datasets.

3.
《计算机工程》 (Computer Engineering), 2017, (9): 185-193
In a botnet, to maintain server availability and stealth, the IP addresses of the Flux-Agents associated with a domain name must change constantly, and blacklist strategies have become ineffective at blocking Fast-Flux botnet attacks. To solve this problem, a new Fast-Flux botnet detection method based on the analysis and identification of Domain Name System traffic is proposed to detect botnets on the Internet that use Fast-Flux techniques; the domain analysis is not limited to suspicious domains taken from spam, click fraud or blacklists. Experimental results show that the method detects Fast-Flux botnets with high accuracy and helps to improve blacklists.

4.
Botnets have become one of the most serious threats facing network infrastructure. Existing botnet research tends to detect only a single stage of the botnet life cycle; to address this, an online botnet detection method based on ensemble learning is proposed. First, traffic from multiple botnet stages is labelled at fine granularity to build a botnet dataset. Second, several feature selection algorithms are combined to produce an important feature set of 23 features and a secondary feature set of 28 features; multiple deep learning models are combined using Stacking ensemble learning, with different input feature sets supplied to different base classifiers, yielding an online botnet detection model. Finally, the model is deployed at the network entry point to detect multiple botnets online. Experiments show that the proposed method effectively detects botnet traffic across multiple stages, with a malicious traffic detection rate of up to 96.47%.

5.
To address the incomplete and shallow feature modelling in current network-based P2P botnet detection, and the covert nature of botnet communication, a detection method that applies cluster analysis to communication traffic features is proposed. Statistical features of P2P botnet communication traffic during the latent stage are analysed, and a two-stage clustering method combining principal component analysis with the X-means clustering algorithm is used to cluster the feature dataset, thereby detecting P2P botnets. Experimental results show that the method has a high detection rate and good recognition accuracy while keeping execution fast.

6.
Botnets have become one of the most serious current network threats; among them, P2P botnets have developed rapidly, and their communication characteristics pose great challenges to detection. Research on P2P botnet detection techniques has attracted wide attention. An online P2P botnet detection method is proposed: first, information entropy is used to find anomalous points in network traffic; then, by analysing the behavioural anomalies of hosts in a P2P botnet and applying statistical hypothesis testing, suspicious P2P bot hosts are identified from normal network traffic data, and final confirmation is made according to the similarity of the bot hosts' communication patterns. Experimental results show that the method achieves effective online detection of P2P botnets.

7.
Research on detection methods for centralized botnets   Cited by: 2 (self-citations: 0, other citations: 2)
Judging from recent trends, botnet structures are diversifying; centralized botnets, with their efficient control and large scale, have become one of the greatest threats to network security. A centralized botnet uses a one-to-many command and control channel, and the bots respond to received commands according to a predetermined program, so the behaviour of compromised hosts belonging to the same botnet tends to be highly similar and synchronised. Targeting the characteristics of command and control traffic in centralized botnets, this paper proposes a detection method based on analysing the group behaviour of network hosts, for use in early detection and warning of botnets. Experiments on real network flows show that the method effectively detects currently prevalent centralized botnets.

8.
A pseudo-honeypot detection method for semi-distributed P2P botnets   Cited by: 2 (self-citations: 1, other citations: 1)
谢静, 谭良. 《计算机工程》 (Computer Engineering), 2010, 36(14): 111-113
In the game between attack and defence, semi-distributed P2P botnets have become the dominant form of botnet as P2P has been widely adopted. This paper describes the construction principle and growth model of the semi-distributed P2P botnets built by attackers, and proposes a "pseudo-honeypot" detection model that combines honeypots with traffic analysis: when a host shows network anomalies, known programs and services are shut down so that the host approaches the profile of a honeypot, and traffic analysis is then used for detection. Experimental results show that the detection method effectively improves the detection rate for semi-distributed P2P botnets.

9.
宋元章. 《计算机科学》 (Computer Science), 2016, 43(7): 141-146
A P2P botnet detection algorithm based on permutation entropy and decision-level multi-sensor data fusion is proposed. First, a traffic anomaly detection sensor and an anomaly cause discrimination sensor are built: the former uses permutation entropy to characterise the complexity of network traffic (a feature that does not depend on any particular type of P2P botnet) and a Kalman filter to detect whether that feature is anomalous; the latter uses TCP traffic features to reduce, to some extent, the error that P2P applications and other network applications introduce into P2P botnet detection. Finally, D-S (Dempster-Shafer) evidence theory is used to fuse the two sensors' results at the decision level and obtain the final detection result. Experiments show that the proposed method effectively detects new types of P2P botnets.

10.
Through in-depth study of the protocols and mechanisms by which P2P bots operate, a detection algorithm based on traffic analysis is proposed. Traffic is captured at a layer-3 switch and partitioned into sets according to shared elements of the traffic data, giving three sets of vectors (source address, destination address and packet size); a time sliding window is defined appropriately, and a detection algorithm based on connection success rate is used for dynamic analysis to quickly locate botnets, providing a basis for botnet detection.

11.
Botnets have become the main vehicle to conduct online crimes such as DDoS, spam, phishing and identity theft. Even though numerous efforts have been directed towards detection of botnets, evolving evasion techniques easily thwart detection. Moreover, existing approaches can be overwhelmed by the large amount of data that needs to be analyzed. In this paper, we propose a light-weight mechanism to detect botnets using their fundamental characteristic, i.e., group activity. The proposed mechanism, referred to as BotGAD (botnet group activity detector), needs only a small amount of data from DNS traffic to detect botnets, not all network traffic content or known signatures. BotGAD can detect botnets in a large-scale network in real time even when the botnet uses encrypted communications. Moreover, BotGAD can detect botnets that adopt recent evasion techniques. We evaluate BotGAD using multiple DNS traces collected from different sources, including a campus network and large ISP networks. The evaluation shows that BotGAD can automatically detect botnets while providing real-time monitoring in large-scale networks.

12.
陈连栋, 张蕾, 曲武, 孔明. 《计算机科学》 (Computer Science), 2016, 43(3): 127-136, 162
Botnets carry out many kinds of malicious behaviour through the hosts they control, rendering current detection methods ineffective, and the theft of sensitive data has become the dominant activity. Given the malicious behaviour botnets implement, research into detection and mitigation methods is imperative. A novel distributed real-time botnet detection method is proposed, which organises Netflow records into per-host Netflow graphs and host relation chains and extracts the implicit C&C communication features to detect botnets. On this basis, the BotScanner distributed detection system was implemented with this algorithm on the Spark Streaming distributed real-time stream processing engine. To validate the system, five mainstream botnet families were used for training, and tests were run on both simulated and real network traffic. Experimental results show that, without deep packet inspection, the BotScanner distributed detection system detects the specified botnets in real time with a high detection rate and a low false positive rate. Moreover, in a real network environment, BotScanner performs real-time detection with a near-linear speedup, confirming the advantages of the Spark Streaming engine for distributed stream processing and its feasibility for botnet detection.

13.
Botnets are a serious threat to cyber-security. As a consequence, botnet detection has become an important research topic in network protection and cyber-crime prevention. P2P botnets are one of the most malicious zombie networks, as their architecture imitates P2P software. Characteristics of P2P botnets include (1) the use of multiple controllers to avoid single-point failure; (2) the use of encryption to evade misuse detection technologies; and (3) the capacity to evade anomaly detection, usually by initiating numerous sessions without consuming substantial bandwidth. To overcome these difficulties, we propose a novel data mining method. First, we identify the differences between P2P botnet behavior and normal network behavior. Then, we use these differences to tune the data-mining parameters to cluster and distinguish normal Internet behavior from that of lurking P2P botnets. This method can identify a P2P botnet without breaking the encryption. Furthermore, the detection system can be deployed without altering the existing network architecture, and it can detect the existence of botnets in a complex traffic mix before they attack. The experimental results reveal that the method is effective in recognizing the existence of botnets. Accordingly, the results of this study will be of value to information security academics and practitioners.

14.
Botnets pose significant threats to cybersecurity. Infected Internet of Things (IoT) devices are used to launch unsupported malicious activities on target entities to disrupt their operations and services. To address this danger, we propose a machine learning-based method for detecting botnets by analyzing network traffic data flows that include various types of botnet attacks. Our method uses a hybrid model in which a Variational AutoEncoder (VAE) is trained in an unsupervised manner to learn latent representations that describe the benign traffic data, and a one-class classifier (OCC) performs anomaly detection (also called novelty detection). The main aim of this research is to learn discriminating representations of the normal data in the low-dimensional latent space generated by the VAE, and thus improve the predictive power of the OCC in detecting malicious traffic. We have evaluated the performance of our model and compared it against baseline models using a real network-based dataset containing popular IoT devices and presenting a wide variety of attacks from two recent botnet families, Mirai and Bashlite. Tests showed that our model can detect botnets with satisfactory performance.

15.
Recognized as one of the most serious security threats on the current Internet infrastructure, botnets can not only be implemented with existing well-known applications, e.g. IRC, HTTP, or Peer-to-Peer, but can also be constructed with unknown or novel applications, which makes botnet detection a challenging problem. Previous attempts at detecting botnets mostly examine traffic content for bot commands on selected network links or set up honeypots. Traffic content, however, can be encrypted as botnets evolve, leading to the failure of content-based detection approaches. In this paper, we address this issue and propose a new approach for detecting and clustering botnet traffic on large-scale network application communities: we first classify the network traffic into different applications using traffic payload signatures, and then a novel decision tree model is used to classify the traffic whose payload content is unknown (e.g. encrypted traffic) into known application communities, where network traffic is clustered based on n-gram features selected and extracted from the content of network flows in order to differentiate the malicious botnet traffic created by bots from the normal traffic generated by human beings on each specific application. We evaluate our approach with seven different traffic traces collected on three different network links, and the results show that the proposed approach successfully detects two IRC botnet traffic traces with a high detection rate and an acceptably low false alarm rate.

16.
Botnets are widely used by attackers, and they have evolved from centralized structures to distributed structures. Most modern P2P bots launch attacks in a stealthy way, so detection approaches based on the malicious traffic of bots are inefficient. In this paper, an approach that aims to detect Peer-to-Peer (P2P) botnets is proposed. Unlike previous works, the approach is independent of any malicious traffic generated by bots and does not require bot information provided by external systems. It detects P2P bots by focusing on the intrinsic characteristics of their Command and Control (C&C) communications, which are identified by discovering flow dependencies in C&C traffic. After discovering the flow dependencies, our approach distinguishes P2P bots from normal hosts using a clustering technique. Experimental results on real-world network traces merged with synthetic P2P botnet traces indicate that 1) flow dependency can be used to detect P2P botnets, and 2) the proposed approach can detect P2P botnets with a high detection rate and a low false positive rate.

17.
P2P botnets are a new form of network attack; because they are stable, reliable, secure and covert, they are increasingly used to carry out network attacks and pose severe challenges to network security. To understand the working mechanism and development trends of P2P botnets in depth and to promote research on detection techniques, this paper first analyses the functional structure of P2P bot programs, then classifies P2P botnet structures and analyses the characteristics of each class; after introducing the P2P botnet life cycle, it describes in detail the working mechanisms of P2P botnets in each phase of the life cycle; with respect to the current state of P2P botnet detection research, it classifies the detection methods and explains the detection principle of each class; finally, it looks ahead to the development trends of P2P botnets and proposes an improved P2P botnet structure.

18.
Detecting botnet behaviors in networks is a popular topic in the current research literature. The detection of P2P botnets has been denounced as one of the most difficult problems, even more so when botnets use existing P2P network infrastructure (parasite P2P botnets). The majority of the detection proposals available at present are based on monitoring network traffic to determine the potential existence of command-and-control (C&C) communications between the bots and the botmaster. As a different and novel approach, this paper introduces a detection scheme based on modeling the evolution over time of the number of peers sharing a resource in a P2P network. This allows abnormal behaviors associated with parasite P2P botnet resources in this kind of environment to be detected. We perform extensive experiments on the Mainline network, from which promising detection results are obtained while patterns of parasite botnets are tentatively discovered.

19.
Nowadays, smartphone devices are an integral part of our lives, since they enable us to access a large variety of services, from personal to banking. The worldwide popularity and adoption of smartphone devices continue to approach those of traditional computing environments. Computer malware such as botnets is becoming an emerging threat to users and network operators, especially on popular platforms such as Android. Due to the rapid growth of botnet applications, there is a pressing need to develop an effective solution to detect them. Most of the existing detection techniques can detect only malicious Android applications but cannot detect Android botnet applications. In this paper, we propose a structural analysis-based learning framework, which adopts machine learning techniques to classify botnet and benign applications using the unique patterns of requested permissions and used features related to botnet characteristics. The experimental evaluation based on real-world benchmark datasets shows that the selected patterns can achieve high detection accuracy with a low false positive rate. The experimental and statistical tests show that the support vector machine classifier performs well compared to other classification algorithms.

20.
With the development of social platforms, social media networks have gradually become an ideal platform for attackers to infiltrate with botnets. Social botnets exploit the high degree of automation, flexibility and popularity of social platforms to build covert channels for communication, with the aims of stealing user information from social platforms, spreading harmful content that pollutes the network environment, and steering or controlling public opinion. Traditional botnet detection mechanisms cannot detect social botnets effectively, which poses great challenges to the security of social media. Starting from the concept of social botnets, this paper describes their development and trends on different social platforms, and studies the attack principles and group characteristics of social botnets on different social media as well as the concealment techniques used by covert social botnets. On this basis, social botnet detection methods are divided into server-side and client-side methods, and recent detection methods based on steganography and on machine learning are analysed; the state of research and development directions of social botnet countermeasures and takeover methods are presented, and future research directions in this field are discussed.
