CC Information Sharing Scheme in Local Network Based on LLMNR Protocol and Evidential Theory

GUO Xiaojun, CHENG Guang, HU Yifei, DAI Mian

Citation: GUO Xiaojun, CHENG Guang, HU Yifei, DAI Mian. CC Information Sharing Scheme in Local Network Based on LLMNR Protocol and Evidential Theory[J]. Journal of Electronics and Information Technology, 2017, 39(3): 525-531. doi: 10.11999/JEIT160410


doi: 10.11999/JEIT160410


Funds: The National 863 Program of China (2015AA015603), Jiangsu Future Networks Innovation Institute Prospective Research Project on Future Networks (BY2013095-5-03), Six Talent Peaks of High Level Talents Project of Jiangsu Province (2011-DZ024), Scientific Research Innovation Projects for General University Graduates of Jiangsu Province (KYLX_0141)

  • Abstract: A bot obtaining its command-and-control (C&C) information securely and covertly is a precondition for a botnet to keep working. Addressing the problem of bots of the same type in one local network covertly obtaining C&C information, this paper proposes a C&C information sharing mechanism based on the LLMNR protocol and evidence theory. First, two indicators for evaluating a bot's performance are defined: uptime ratio and CPU utilization. Second, the bots of the same type in the local network announce their two indicator values to each other in LLMNR Query packets, and Dempster-Shafer (D-S) evidence theory is used to elect a Bot Temporary Leader (BTL). Only the BTL is then permitted to communicate with the C&C server and fetch the C&C information. Finally, the BTL distributes the C&C information to the other bots in LLMNR Query packets. Experimental results show that the mechanism lets multiple bots of the same type share C&C information, that the election algorithm elects a BTL in real time and effectively according to the bot indicators and remains robust under heavy network traffic, and that the traffic generated by the election process is also reasonably covert.
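The mechanism described above carries both the election announcements and the distributed commands inside LLMNR Query packets (RFC 4795: UDP port 5355, multicast 224.0.0.252 and FF02::1:3), so the check a defender wants first is whether the names being queried on a segment look like hostnames at all. The following Python is an added example written for this page, not code from the paper or its authors: it encodes and decodes the LLMNR question section and scores the queried name with a few heuristics (characters outside the letter-digit-hyphen set, label length, Shannon entropy, an unusual QTYPE). The thresholds and the base64-looking sample name are assumptions; the paper does not state how indicator values or commands are encoded into the QNAME.

```python
"""Parse LLMNR (RFC 4795) query datagrams and score the queried name for
covert-channel indicators.  Added example; not code from the paper."""
import math
import struct
from typing import Dict, List

LLMNR_PORT = 5355              # RFC 4795: LLMNR runs over UDP port 5355
LLMNR_MCAST_V4 = "224.0.0.252"  # RFC 4795 IPv4 link-scope multicast group
LLMNR_MCAST_V6 = "FF02::1:3"    # RFC 4795 IPv6 link-scope multicast group

# Heuristic thresholds: assumptions, tune them for your network.
MAX_LABEL_LEN = 15             # classic Windows computer-name limit
ENTROPY_BITS = 3.5             # Shannon entropy per character
ENTROPY_MIN_LEN = 12           # only score entropy for names this long or longer
COMMON_QTYPES = {1: "A", 28: "AAAA", 12: "PTR", 255: "ANY"}
LDH = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-")


def build_llmnr_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a single-question LLMNR query (DNS wire format, RFC 4795 section 2.1.1)."""
    labels = name.encode("ascii").split(b".")
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: standard query
    return header + qname + struct.pack("!HH", qtype, 1)      # QCLASS IN


def parse_llmnr_query(datagram: bytes) -> Dict:
    """Decode the header and the single question; raise ValueError on malformed input."""
    if len(datagram) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", datagram[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if (flags >> 11) & 0xF != 0:
        raise ValueError("non-zero OPCODE")
    if qdcount != 1:
        raise ValueError(f"QDCOUNT {qdcount}, expected 1")
    labels: List[str] = []
    pos = 12
    while True:
        if pos >= len(datagram):
            raise ValueError("truncated QNAME")
        length = datagram[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # >63 bytes or a compression pointer: not valid in a query QNAME
            raise ValueError("invalid label length")
        if pos + length > len(datagram):
            raise ValueError("truncated label")
        labels.append(datagram[pos:pos + length].decode("latin-1"))
        pos += length
    if pos + 4 > len(datagram):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", datagram[pos:pos + 4])
    return {"id": txid, "flags": flags, "labels": labels, "qtype": qtype, "qclass": qclass}


def is_malformed(datagram: bytes) -> bool:
    """True when the datagram does not parse as a well-formed LLMNR query."""
    try:
        parse_llmnr_query(datagram)
        return False
    except ValueError:
        return True


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / len(s) * math.log2(k / len(s)) for k in counts.values())


def qname_indicators(q: Dict) -> List[str]:
    """List the reasons the queried name does not look like an ordinary hostname."""
    indicators: List[str] = []
    labels = q["labels"]
    joined = "".join(labels)
    if len(labels) > 1:                         # LLMNR lookups are normally single-label
        indicators.append("multi_label")
    if any(c not in LDH for c in joined):       # e.g. '=', '+', '/' from base64 payloads
        indicators.append("non_ldh")
    if any(len(lbl) > MAX_LABEL_LEN for lbl in labels):
        indicators.append("long_label")
    if len(joined) >= ENTROPY_MIN_LEN and shannon_entropy(joined) >= ENTROPY_BITS:
        indicators.append("high_entropy")
    if q["qtype"] not in COMMON_QTYPES:
        indicators.append("unusual_qtype")
    return indicators


def classify(datagram: bytes) -> Dict:
    """Parse one UDP/5355 payload and return the name, its indicators and a verdict."""
    q = parse_llmnr_query(datagram)
    indicators = qname_indicators(q)
    return {"qname": ".".join(q["labels"]), "indicators": indicators,
            "verdict": "suspicious" if indicators else "hostname-like"}


# Constructed samples: an ordinary workgroup lookup, and a payload-bearing name of the
# kind a covert channel would carry (base64 of an arbitrary string; the encoding is an
# assumption made for this example, not something the paper specifies).
SAMPLE_BENIGN = build_llmnr_query("FILESRV01")
SAMPLE_COVERT = build_llmnr_query("aGVsbG8gd29ybGQ=")

if __name__ == "__main__":
    for pkt in (SAMPLE_BENIGN, SAMPLE_COVERT):
        print(classify(pkt))
```

Feed `classify` the UDP payloads of port-5355 traffic from a capture on the segment. The heuristics only catch names that carry visible payload; an announcement encoded as a short letter-digit string would pass them, which is the covertness the paper claims for its election traffic. The stronger control is to turn LLMNR off where it is not needed (on Windows via the "Turn off multicast name resolution" DNS Client policy), which also removes the well-known LLMNR name-poisoning risk.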
    Publication history
    • Received: 2016-04-25
    • Revised: 2016-09-09
    • Published: 2017-03-19
