基于LLMNR协议与证据理论的本地网络C&C信息分享机制

C&C Information Sharing Scheme in Local Network Based on LLMNR Protocol and Evidential Theory

僵尸主机(Bot)安全隐蔽地获取控制命令信息是保证僵尸网络能够正常工作的前提。该文针对本地网络同类型Bot隐蔽地获取控制命令信息问题,提出一种基于LLMNR协议与证据理论的命令控制信息分享机制,首先定义了开机时间比和CPU利用率两个评价Bot性能的指标。其次本地网络中多个同类Bot间利用LLMNR Query包通告各自两个指标值,并利用D-S证据理论选举出僵尸主机临时代表BTL(Bot Temporary Leader)。接着仅允许BTL与命令控制服务器进行通信并获取命令控制信息。最后,BTL通过LLMNR Query包将命令控制信息分发给其它Bot。实验结果表明,该机制能使多个同类Bot完成命令控制信息的共享,选举算法能根据Bot评价指标实时有效选举出BTL,在网络流量较大时仍呈现较强的鲁棒性,且选举过程产生流量也具有较好隐蔽性。

The bot must obtain the Command and Control （C＆C） information covertly and securely, which is a necessary precondition to ensure botnet work correctly and normally. For the problem that how to covertly get and share C＆C information between the same type bots in local network, a C＆C Information Sharing scheme based on Link-Local Multicast Name Resolution （LLMNR） protocol and Evidential （CCISLE） theory is proposed. Firstly, for measuring bot performance, two metrics are defined： running time ratio and CPU utilization rate. Secondly, the same type bots will inform their own two metrics to each other via LLMNR query packets and utilize D-S evidential theory to vote BTL （Bot Temporary Leader）. Then only BTL can be proved to communicate with C＆C servers and C＆C information can be obtained. Lastly, BTL will share the C＆C information with other bots through LLMNR query packets. The experimental results show that CCISLE can help the same type bots achieve sharing C＆C information successfully. The voting algorithm based on D-S evidential theory is able to elect BTL effectively with two proposed metrics and still present better robustness when in heavy network traffic. Moreover, the traffic produced during BTL voting process also has good covertness.