强抗毁性社交僵尸网络的构建及其防御

Modeling and countermeasures of a social network-based botnet with strong destroy-resistance

为打击僵尸网络,保障网络空间安全,提出一种新型的具备强抗毁性的社交僵尸网络(DR-SNbot),并给出了针对性的防御方法。DR-SNbot基于社交网络搭建命令与控制服务器(C&C-Server,command and control server),每个C&C-Server对应一个不同的伪随机昵称,并利用信息隐藏技术将命令隐藏在日志中发布,进而提出一种新型的命令与控制信道。当C&C-Server不同比例地失效时,DR-SNbot会发出不同等级的预警,通知攻击者构建新的C&C-Server,并自动修复C&C通信以保障其强抗毁性。在实验环境中,即使当前C&C-Server全部失效,DR-SNbot仍能在短期内修复C&C通信,将控制率维持在100%。最后,基于伪随机僵尸昵称与合法昵称在词法特征上的差异性,提出一种僵尸昵称检测方法,可有效检测社交僵尸网络利用自定义算法批量生成的伪随机僵尸昵称。实验结果表明,该方法召回率达到93%,准确率达到96.88%。

To defeat botnets and ensure cyberspace security, a novel social network-based botnet with strong de- stroy-resistance （DR-SNbot）, as well as its corresponding countermeasure, was proposed. DR-SNbot constructed command and control servers （C＆C-Servers） based on social network. Each C＆C-Server corresponded to a unique pseudo-random nickname. The botmaster issues commanded by hiding them in diaries using information hiding techniques, and then a novel C＆C channel was established. When different proportions of C＆C-Servers were invalid, DR-SNbot would send out different levels of alarms to inform attackers to construct new C＆C-Servers. Then, DR-SNbot could automatically repair C＆C com- munication to ensure its strong destroy-resistance. Under the experimental settings, DR-SNbot could resume the C＆C com- munication in a short period of time to keep 100% of the control rate even if all the current C＆C-Servers were invalid. Fi- nally, a botnet nickname detecting method was proposed based on the difference of lexical features of legal nicknames and pseudo-random nicknames. Experimental results show that the proposed method can effectively （precision： 96.88%, recall： 93%） detect pseudo-random nicknames generated by social network-based botnets with customized algorithms.