僵尸网络命令与控制信道的特征提取模型研究

僵尸网络发起的分布式拒绝服务攻击、垃圾邮件发送以及敏感信息窃取等恶意活动已经成为网络安全面临的重要威胁。命令与控制信道正是僵尸网络操纵这些恶意活动的唯一途径。利用命令与控制信道中攻击命令具有相对固定的格式和命令字的特点,基于现有的特征提取技术,针对边缘网络的可疑流量,提出了一个新型的特征提取模型。实验结果表明,该模型能够准确地提取出具有命令格式的特征,而且由这些特征转化的入侵检测规则能够有效识别感染的僵尸主机。

Signature generation model for botnet command and control channel

The malicious activities such as distributed denial of service attack, spam sending, and sensitive information theft launched by botnet have been the serious threats to Internet security. Command and control channel is the only way for botnet to manipulate these malicious activities. With the features of relatively fixed command format and string in the command and control channel, a novel signature generation model is proposed based on the existing techniques of signature generation, which focuses on the edge network’s suspect traffics. Experiment results show that the proposed model can generate accurate signatures conforming to the command format. Furthermore, the intrusion detection rules generated from these signatures can be used to identify the zombies effectively.