共查询到20条相似文献,搜索用时 93 毫秒
1.
2.
3.
《计算机学报》2014,(1)
僵尸网络对现有计算机网络安全构成了巨大的威胁.新型僵尸经常采用隐蔽技术躲避安全系统的检测.采用延迟响应手段的僵尸在网络活动和主机行为之间插入随机时间的延迟,迷惑现有使用关联的检测方法.针对延迟僵尸的网络活动和主机行为,提出了一个新的关联检测方法.针对延迟僵尸的网络活动和主机行为可能分散在不同时间窗口的问题,使用滑动时间窗口迭代算法,提高了检测准确率.针对单纯主机检测方法需要全局部署问题,使用推荐算法关联网络和主机行为,提高了检测的健壮性和准确率.分析了滑动时间窗口大小和主机检测工具部署率对检测准确率的影响.实验结果表明,方法能有效检测延迟僵尸,当网络中主机检测工具的部署率达到80%时,包括未部署检测工具的主机在内,准确率约为88%. 相似文献
4.
僵尸网络发起的分布式拒绝服务攻击、垃圾邮件发送以及敏感信息窃取等恶意活动已经成为网络安全面临的重要威胁。命令与控制信道正是僵尸网络操纵这些恶意活动的唯一途径。利用命令与控制信道中攻击命令具有相对固定的格式和命令字的特点,基于现有的特征提取技术,针对边缘网络的可疑流量,提出了一个新型的特征提取模型。实验结果表明,该模型能够准确地提取出具有命令格式的特征,而且由这些特征转化的入侵检测规则能够有效识别感染的僵尸主机。 相似文献
5.
6.
僵尸网络命令控制机制与检测技术分析 总被引:1,自引:0,他引:1
作为攻击者手中一个强有力的攻击平台,僵尸网络为攻击者提供了灵活、高效并且隐蔽的控制和攻击方式。僵尸网络是网络安全领域所关注的重要威胁之一,对我国网络安全的危害尤其严重。首先介绍了僵尸网络的结构和工作机制,然后着重分析了其命令与控制机制,并针对各种命令与控制机制介绍了当前检测僵尸网络的技术和方法。 相似文献
7.
基于通信特征曲线动态时间弯曲距离的IRC僵尸网络同源判别方法 总被引:1,自引:0,他引:1
IRC僵尸网络(botnet)是攻击者通过IRC服务器构建命令与控制信道方式控制大量主机(bot)组成的网络.IRC僵尸网络中IRC服务器与bot连接具有很强的动态特性.相关研究采用IRC僵尸网络的服务器域名、服务器IP、控制者ID等信息度量IRC僵尸网络的相似性,再根据相似性值检测同源IRC僵尸网络,但这些信息并不能代表IRC僵尸网络的本质特征,因此误差较大.为识别使用不同IRC控制服务器的同源僵尸网络,提取僵尸网络的通信量特征曲线、通信频率特征曲线,基于通信特征曲线的动态时间弯曲距离判别同源的僵尸网络.为了减小计算量和增加判别准确率,根据通信特征曲线的特点,提取并利用曲线的峰、谷特征点;并提出改进的LB-PAA对动态时间弯曲距离的计算进行优化.实验验证了方法的有效性并计算了各类错误率. 相似文献
8.
9.
IRC僵尸网络是攻击者通过IRC服务器构建命令与控制信道方式来控制大量主机组成的网络。IRC僵尸网络的动态性以及动态IP地址的影响,给僵尸网络的大小度量带来很大的困难。本文采用基于概率的动态IP地址去重算法减小动态IP地址的影响,给出僵尸网络大小尽量准确的度量,实验验证了本文方法的有效性。 相似文献
10.
现有的IRC botnet检测技术不适合控制命令交互不频繁的botnet检测。为了实现小规模隐秘僵尸网络的检测,提出了一种基于序列分析的僵尸网络检测模型,对现有的被动检测技术进行补充。讨论了几种探测技术和检测算法,根据客户端响应类型选择检测算法,分析了平均检测轮数,只须观察少量的命令控制交互,能够对单个或多个IRC僵尸主机进行检测。实验结果表明,在保证误报率和漏报率的前提下该方法能在预定检测轮数内完成判定。 相似文献
11.
While current botnets rely on a central server or bootstrap nodes for their operations, in this paper we identify and investigate a new type of botnet, called Tsunami, in which no such bottleneck nodes exist. In particular, we study how a Tsunami botnet can build a parasitic relationship with a widely deployed P2P system, Kad, to successfully issue commands to its bots, launch various attacks, including distributed denial of service (DDoS) and spam, at ease, as well as receive responses from the bots. Our evaluation shows that in a Kad network with four million nodes, even with only 6 % nodes being Tsunami bots, Tsunami can reach 75 % of its bots in less than 4 min and receive responses from 99 % of bots. We further propose how we may defend against Tsunami and evaluate the defense solution. 相似文献
12.
Peer-to-peer (P2P) botnets outperform the traditional Internet relay chat (IRC) botnets in evading detection and they have become a prevailing type of threat to the Internet nowadays.Current methods for detecting P2P botnets,such as similarity analysis of network behavior and machine-learning based classification,cannot handle the challenges brought about by different network scenarios and botnet variants.We noticed that one important but neglected characteristic of P2P bots is that they periodically send requests to update their peer lists or receive commands from botmasters in the command-and-control (C&C) phase.In this paper,we propose a novel detection model named detection by mining regional periodicity (DMRP),including capturing the event time series,mining the hidden periodicity of host behaviors,and evaluating the mined periodic patterns to identify P2P bot traffic.As our detection model is built based on the basic properties of P2P protocols,it is difficult for P2P bots to avoid being detected as long as P2P protocols are employed in their C&C.For hidden periodicity mining,we introduce the so-called regional periodic pattern mining in a time series and present our algorithms to solve the mining problem.The experimental evaluation on public datasets demonstrates that the algorithms are promising for efficient P2P bot detection in the C&C phase. 相似文献
13.
Botnets are widely used by attackers and they have evolved from centralized structures to distributed structures. Most of the modern P2P bots launch attacks in a stealthy way and the detection approaches based on the malicious traffic of bots are inefficient. In this paper, an approach that aims to detect Peer-to-Peer (P2P) botnets is proposed. Unlike previous works, the approach is independent of any malicious traffic generated by bots and does not require bots’ information provided by external systems. It detects P2P bots by focusing on the instinct characteristics of their Command and Control (C&C) communications, which are identified by discovering flow dependencies in C&C traffic. After discovering the flow dependencies, our approach distinguishes P2P bots and normal hosts by clustering technique. Experimental results on real-world network traces merged with synthetic P2P botnet traces indicate that 1) flow dependency can be used to detect P2P botnets, and 2) the proposed approach can detect P2P botnets with a high detection rate and a low false positive rate. 相似文献
14.
传统僵尸程序依赖于集中控制,P2P僵尸的传播和控制方式都是分布式的,使其更具隐蔽性和健壮性.本文通过分析P2P僵尸的特征,对其控制行为进行了较为深入的研究.首先,阐述了控制流相似性的概念并对其做出合理量化;其次,利用皮尔逊序列假设检验法来识别P2P僵尸控制行为;最后,通过自动分类技术来进行二次判定,以完成自动检测.实验和数据分析表明该方法能够有效的识别校园网内P2P僵尸的控制行为,与相关的方法相比,误报显著降低. 相似文献
15.
Web services designed for human users are being abused by computer programs (bots). The bots steal thousands of free e-mail accounts in a minute, participate in online polls to skew results, and irritate people by joining online chat rooms. These real-world issues have recently generated a new research area called human interactive proofs (HIP), whose goal is to defend services from malicious attacks by differentiating bots from human users. In this paper, we make two major contributions to HIP. First, based on both theoretical and practical considerations, we propose a set of HIP design guidelines that ensure a HIP system to be secure and usable. Second, we propose a new HIP algorithm based on detecting human face and facial features. Human faces are the most familiar object to humans, rendering it possibly the best candidate for HIP. We conducted user studies and showed the ease of use of our system to human users. We designed attacks using the best existing face detectors and demonstrated the challenge they presented to bots. 相似文献
16.
僵尸网络是一种从传统恶意代码进化而来的新型攻击方式,已成为Internet安全的一个重大威胁。建立僵尸网络的传播模型已成为研究僵尸程序传播特性最有效的一种方法。当前建立的僵尸网络传播模型均是基于随机网络理论的,而实际的Internet是一个具有无尺度特性的复杂网络,因此,这些主流传播模型并不能完全准确反映僵尸程序在Internet的传播特性。提出了一种基于无尺度网络结构的僵尸网络传播模型,根据Internet的实际情况,结合网络流量阻塞这一Internet中的常态现象,重点考虑了真实Internet中节点的增长性和择优连接性。仿真结果表明,该模型不仅符合真实Internet网络中僵尸程序的传播规律和感染特性,而且能够反映出网络中出现拥塞时僵尸程序的感染特性。 相似文献
17.
中国网络游戏外挂问题现状分析 总被引:2,自引:0,他引:2
网络游戏外挂的泛滥严重阻碍了中国网络游戏产业的正常发展。本文给出了网络游戏外挂的定义,并对当前中国网络游戏存在的安全问题进行了分析,重点分析了网络游戏外挂与反外挂的技术特点和使用情况,并针对目前中国网络游戏安全领域存在的问题提出几点建议。 相似文献
18.
Tian Junrui Tu Zhiying Li Nan Su Tonghua Xu Xiaofei Wang Zhongjie 《Applied Intelligence》2022,52(12):13916-13940
Applied Intelligence - Conversational AI (CoAI) bot, such as customer service bots, navigation bots, chat bots and etc., is a new form of software application. How to accurately identify user... 相似文献
19.
针对当前隐匿恶意程序多转为使用分布式架构来应对检测和反制的问题,为快速精确地检测出处于隐匿阶段的对等网络(P2P)僵尸主机,最大限度地降低其危害,提出了一种基于统计特征的隐匿P2P主机实时检测系统。首先,基于3个P2P主机统计特征采用机器学习方法检测出监控网络内的所有P2P主机;然后,再基于两个P2P僵尸主机统计特征,进一步检测出P2P僵尸主机。实验结果证明,所提系统能在5 min内检测出监控网内所有隐匿的P2P僵尸主机,准确率高达到99.7%,而误报率仅为0.3%。相比现有检测方法,所提系统检测所需统计特征少,且时间窗口较小,具备实时检测的能力。 相似文献
20.
P. D. Zegzhda E. V. Malyshev E. Yu. Pavlenko 《Automatic Control and Computer Sciences》2017,51(8):874-880
The problem of detection of automatically managed accounts (bots) in social networks has been considered. The method of their detection based on machine learning methods is proposed. The paper describes an example of a method based on artificial neural network learning. The parameters of a page in a social network used to detect bots have been presented. An experimental evaluation of the proposed system performance is given that demonstrates a high level of detection of bots in social networks. 相似文献