Abstract
Botnets, which fuse worm, backdoor and Trojan techniques, have become the "backing" of advanced persistent threat attacks because attackers can use them to send spam, launch denial-of-service attacks and steal sensitive information. Most existing botnet detection methods are limited to specific botnet types and cannot effectively handle data near the class boundary. To address this, a botnet identification method based on network traffic similarity is proposed. The method does not depend on packet content and can therefore handle encrypted traffic. Statistical features of flows and packets are extracted from the dataset, fuzzy clustering is performed separately on each feature, the feature boundaries of the resulting fuzzy classes are determined, and the principle of maximum membership is used to decide whether botnet traffic is present; association rules are then filtered by support and confidence to determine the specific botnet type. Experimental results show that the method can effectively identify botnet traffic and predict the botnet type in advance.
A botnet that combines worms, backdoors, and Trojans has become the backing of Advanced Persistent Threat (APT) attacks because it can be used by attackers to send spam, perform denial of service attacks, and steal sensitive information. Existing botnet detection methods are mostly limited to specific botnet types and cannot effectively process data near the boundary. Therefore, a botnet identification method based on network traffic similarity is proposed. This method does not rely on packet content and can handle encrypted traffic. By extracting the statistical features of the data stream and the packet, each feature is fuzzy clustered, the feature boundary of the fuzzy category is discriminated, and the botnet traffic is judged based on the principle of maximum affiliation degree. According to the support degree and confidence degree, association rules are filtered to determine the specific botnet type. Experimental results show that the method can effectively identify botnet traffic and predict the type of botnet.
Authors
CHEN Ruidong (陈瑞东)
ZHAO Lingyuan (赵凌园)
ZHANG Xiaosong (张小松)
CHEN Ruidong; ZHAO Lingyuan; ZHANG Xiaosong (Center for Cyber Security, University of Electronic Science and Technology of China, Chengdu 611731, China)
Source
Computer Engineering (《计算机工程》)
Indexed in: CAS; CSCD; Peking University Core Journals (北大核心)
2018, No. 10, pp. 46-50 (5 pages)
Funding
National Natural Science Foundation of China, "Research on Modeling and Behavior Analysis of Targeted Complex Attack Networks" (F020805)
State Grid Corporation of China Science and Technology Project, "Research on Key Technologies for Network Security Protection of New Energy Plants and Stations" (522722180007)
Keywords
botnet detection
traffic similarity
fuzzy clustering
feature boundary
maximum affiliation (maximum membership)