Abstract
To address the increasingly serious security problems in power systems, this paper examines how a botnet could be deployed and propagate within the power secondary system, analyzes the packet features and traffic behavior such a botnet produces while active, and, for the characteristics of the power secondary system, proposes two botnet detection methods that can be deployed on a network analyzer: an abnormal protocol identification method based on deep packet inspection (DPI), and a flow sequence feature analysis method based on cyclic autocorrelation and X-means clustering. Experiments show that both methods detect the botnet well; the abnormal protocol identification method fails in certain scenarios, whereas the flow sequence feature analysis method is more generally applicable.
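The following is an added example, not code from the paper, showing toy versions of the two checks the abstract describes: a DPI-style protocol identification against a per-port allowlist, and a cyclic autocorrelation over a per-second flow-count sequence to surface beacon periodicity. Everything in it is an assumption for illustration: the port allowlist (IEC 60870-5-104 on TCP/2404, Modbus/TCP on TCP/502), the header signatures used as "DPI", the constructed packets and flow series, and the 0.5 correlation threshold. The paper's X-means clustering stage is not reproduced; the example stops at computing the periodicity feature that such a clustering would consume. The fourth constructed packet is a C2 message wrapped in a syntactically valid IEC 104 frame, one plausible reading of the scenario in which the abstract says the DPI method fails.

```python
# Added example (not the paper's code): toy DPI protocol check plus a cyclic
# autocorrelation periodicity feature, run over constructed data.

# Constructed allowlist for a hypothetical substation LAN: TCP port -> protocol
# expected on it. IEC 60870-5-104 uses TCP/2404; Modbus/TCP uses TCP/502.
EXPECTED_PROTOCOL = {2404: "iec104", 502: "modbus_tcp"}


def identify_protocol(payload: bytes) -> str:
    """Minimal DPI: classify a TCP payload by its framing.

    IEC 104 APCI: start byte 0x68, then an APDU length byte counting the
    remaining bytes (4 control-field bytes + ASDU), so length == len - 2.
    Modbus/TCP MBAP: transaction id (2), protocol id 0x0000 (2), length (2)
    counting unit id + PDU, unit id (1), so length == len - 6.
    """
    if len(payload) >= 6 and payload[0] == 0x68 and payload[1] == len(payload) - 2:
        return "iec104"
    if (len(payload) >= 8 and payload[2:4] == b"\x00\x00"
            and int.from_bytes(payload[4:6], "big") == len(payload) - 6):
        return "modbus_tcp"
    return "unknown"


def dpi_alerts(packets):
    """Abnormal protocol identification: alert when the identified protocol is
    not the one expected on the destination port (or the port is not allowlisted).
    Returns a list of (index, dport, identified) tuples."""
    alerts = []
    for idx, (dport, payload) in enumerate(packets):
        seen = identify_protocol(payload)
        if EXPECTED_PROTOCOL.get(dport) != seen:
            alerts.append((idx, dport, seen))
    return alerts


def circular_autocorrelation(series, lag):
    """Cyclic autocorrelation at one lag, normalized to [-1, 1]:
    sum_i (x_i - mean)(x_{(i+lag) mod n} - mean) / sum_i (x_i - mean)^2."""
    n = len(series)
    mean = sum(series) / n
    c = [x - mean for x in series]
    denom = sum(v * v for v in c)
    if denom == 0:          # constant series: no rhythm to measure
        return 0.0
    return sum(c[i] * c[(i + lag) % n] for i in range(n)) / denom


def beacon_period(series, min_lag=2, threshold=0.5):
    """Periodicity feature for one host-pair flow sequence: the first lag
    (up to n/2) whose cyclic autocorrelation exceeds the threshold and is
    maximal. Returns None when no lag is strong enough."""
    best_lag, best_r = None, threshold
    for lag in range(min_lag, len(series) // 2 + 1):
        r = circular_autocorrelation(series, lag)
        if r > best_r + 1e-9:   # tolerance: harmonics 2T, 3T do not displace T
            best_lag, best_r = lag, r
    return best_lag


# Constructed packets (dport, payload): an IEC 104 TESTFR-act U-frame, a
# Modbus/TCP read-holding-registers request, an HTTP-looking C2 request sent to
# the IEC 104 port, and a C2 message wrapped in a syntactically valid IEC 104
# frame (hypothetical "bot:" payload) that this DPI check cannot distinguish.
PACKETS = [
    (2404, bytes.fromhex("68 04 43 00 00 00")),
    (502, bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 0a")),
    (2404, b"GET /c2?id=7 HTTP/1.1\r\n\r\n"),
    (2404, bytes.fromhex("68 0e 00 00 00 00") + b"bot:ping:7"),
]

# Constructed per-second flow counts from one host to one peer over 60 s:
# a beacon every 10 s plus three unrelated flows at t = 3, 17 and 41.
SERIES = [0] * 60
for _t in (0, 10, 20, 30, 40, 50, 3, 17, 41):
    SERIES[_t] = 1


if __name__ == "__main__":
    print("DPI alerts (index, port, identified):", dpi_alerts(PACKETS))
    print("beacon period (s):", beacon_period(SERIES))
```

Run stand-alone, the DPI check alerts only on the HTTP-looking packet (index 2); the framed C2 message at index 3 passes as IEC 104, while the flow sequence still yields a 10-second period because the autocorrelation looks at timing rather than content. In a real deployment the series would be built per (source, destination) pair from the analyzer's flow records, and the resulting period and correlation strength would be the features fed to clustering.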
Source
Microcomputer & Its Applications (《微型机与应用》), 2016, No. 18, pp. 10-12, 15 (4 pages)
Keywords
botnet
power system
deep packet inspection
traffic behavior
cyclic autocorrelation
cluster analysis
network analyzer