基于日志的僵尸网络攻击数据分析

Analysis of Botnet Attack Data Based on Log

僵尸网络是近年来有组织进行黑客攻击的一种重要手段,其独特的攻击方式使数据具有不同于其他网络攻击手段的特点。文章基于采集的网络攻击报文,对僵尸网络攻击数据进行提取分析。首先,运用蜜罐域名服务代理技术构建网络攻击日志分析系统,并设计攻击日志文件的存储格式;然后,通过多种密文鉴别方法实现网络攻击明文的清洗提取,并根据僵尸网络攻击行为不同于网络扫描和黑客攻击的特点,提取僵尸网络的攻击数据,同时运用正则匹配方式发现僵尸网络攻击数据中包含5种类型的特定关键词,通过构建字符串库方式提高对僵尸网络的识别效率;最后,基于僵尸网络攻击数据选取特定聚类特征,运用两阶段聚类算法进行分析。实验结果表明,僵尸网络攻击具有端口偏向性特点,病毒下载是僵尸网络攻击展开的重要手段之一,特定端口攻击的属性数据分布明显不同于其他端口,选取的属性中除了与发送包大小相关的4个属性外,大多具有较强的聚类区分能力,可以作为进一步智能分析的重要特征。

Botnet is an important means of organized hacker attack in recent years.Its unique attack mode makes its data different from other network attack methods.Based on the collected network attack packets,this paper extracted and analyzed the botnet attack data.Firstly,the network attack log analysis system was constructed by using honeypot domain name service agent technology,and the storage format of the attack log file was designed.Then,it realized the cleaning and extraction of the plaintext of the network attack through a variety of ciphertext identification methods,and extracted the botnet attack data according to the characteristics of the botnet attack behavior different from the network scanning and hacker attack.At the same time,the regular matching method was used to find that the botnet attack data contains five types of specific keywords,which could improve the identification efficiency of the botnet by building a string library.Finally,specific clustering features were selected based on the botnet attack data and analyzed by using two-stage clustering algorithm.The experimental results show that botnet attacks have port-biased characteristics.Virus downloading is an important means for botnet attacks.The attribute data distribution of specific port attacks was obviously different from that of other ports.Except for the four attributes related to the size of the sent packet,most of the selected attributes have strong clustering and discrimination ability,which can be used as an important feature for further intelligent analysis.