Journal of Northeastern University (Natural Science), 2010, Vol. 31, Issue 12: 1709-1712. DOI: -

• Research Article •

Rapid detection technique for P2P-based botnets

Yu Ge; Yu Xiaocong; Dong Xiaomei; Qin Yuhai

  1. School of Information Science and Engineering, Northeastern University; Department of Computer Crime Detection, China Criminal Police College
  • Received: 2013-06-20 Revised: 2013-06-20 Online: 2010-12-15 Published: 2013-06-20
  • Corresponding author: -
  • About author: -
  • Supported by:
    National High Technology Research and Development Program of China (2009AA01Z131)

Rapid detection technique for P2P-based botnets

Yu, Ge (1); Yu, Xiao-Cong (2); Dong, Xiao-Mei (1); Qin, Yu-Hai (2)   

  1. (1) School of Information Science and Engineering, Northeastern University, Shenyang 110004, China; (2) Department of Computer Crime Detection, China Criminal Police College, Shenyang 110035, China
  • Received:2013-06-20 Revised:2013-06-20 Online:2010-12-15 Published:2013-06-20
  • Contact: Yu, X.-C.
  • About author:-
  • Supported by:
    -

Abstract (Chinese version): Attacks that use botnets as their platform are developing rapidly, and their control protocols and structures keep evolving; botnets with a distributed structure based on P2P protocols have grown especially fast. Most existing P2P botnet detection techniques perform offline detection by analyzing historical network traffic, which makes it hard to guarantee the accuracy of the results and hard to meet real-time requirements. To address this, a rapid detection technique for P2P botnets is proposed. First, an improved incremental classification technique separates out, online, the network traffic that conforms to P2P protocols. Then, exploiting the behavioral similarity and periodicity of the communication patterns of P2P bot hosts, suspicious bot hosts are rapidly detected with dynamic clustering and Boolean autocorrelation techniques. Experimental results show that the technique can efficiently achieve rapid detection of P2P botnets.

Keywords: P2P botnet, rapid detection, incremental classification, dynamic clustering, Boolean autocorrelation

Abstract: Attacks launched from P2P-based botnets are increasingly among the most serious threats to the Internet. Existing detection strategies for P2P-based botnets focus on offline methods that track historical network traffic, which can hardly meet the requirements of real-time operation and precision. A new technique is therefore proposed to detect P2P-based botnet activity rapidly: an improved incremental classification technique first distinguishes P2P network traffic from other traffic. Then a dynamic clustering technique and a Boolean autocorrelation technique are applied to detect suspected P2P botnet hosts, which exhibit similarity and periodicity in their communication behavior. Experimental evaluation showed that the proposed technique can detect P2P-based botnets rapidly and efficiently.
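The periodicity step of the abstract, shown as an added example that is not the paper's own code: a Boolean (AND-based) autocorrelation over per-slot host activity flags hosts whose connections recur at a fixed interval. The slot width, scoring rule, 0.8 threshold and the two sample hosts are assumptions constructed for this illustration.

```python
# Added illustration of Boolean autocorrelation for flagging periodic host traffic.
# The paper's exact formulation is not on this page: the slot width, AND-based
# score and 0.8 threshold are assumptions.
SLOT_SECONDS = 60  # assumed width of one time slot

def activity_series(timestamps, n_slots, slot=SLOT_SECONDS):
    """Map connection timestamps (seconds) to one boolean per time slot."""
    series = [False] * n_slots
    for t in timestamps:
        idx = int(t // slot)
        if 0 <= idx < n_slots:
            series[idx] = True
    return series

def boolean_autocorrelation(series, lag):
    """Share of active slots that are active again exactly `lag` slots later."""
    active = [i for i in range(len(series) - lag) if series[i]]
    if not active:
        return 0.0
    repeats = sum(1 for i in active if series[i + lag])
    return repeats / len(active)

def dominant_period(series, max_lag=None):
    """Smallest lag with the highest autocorrelation score, as (lag, score)."""
    max_lag = max_lag or len(series) // 2
    best_lag, best_score = 0, 0.0
    for lag in range(1, max_lag + 1):
        score = boolean_autocorrelation(series, lag)
        if score > best_score:
            best_lag, best_score = lag, score
    return best_lag, best_score

def flag_periodic_hosts(host_timestamps, n_slots, threshold=0.8):
    """Return {host: period_in_slots} for hosts whose traffic repeats regularly."""
    flagged = {}
    for host, stamps in host_timestamps.items():
        lag, score = dominant_period(activity_series(stamps, n_slots))
        if score >= threshold:
            flagged[host] = lag
    return flagged

# Constructed sample: one host beaconing every 5 minutes for two hours and
# one host with irregular, user-driven connections (private test addresses).
N_SLOTS = 120
HOSTS = {
    "10.0.0.5": [300 * k for k in range(24)],
    "10.0.0.9": [17, 95, 380, 1200, 1260, 2710, 4000, 6500],
}
print(flag_periodic_hosts(HOSTS, N_SLOTS))  # {'10.0.0.5': 5}
```

The similarity step of the abstract would group hosts whose activity series and detected periods match across the network; here only the per-host periodicity score is shown.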

CLC number: