(College of Computer, National University of Defense Technology, Changsha, Hunan 410073)
Abstract: Botnet detection has become one of the hot spots of network security research in recent years. A distinctive feature of a botnet is that it establishes a C&C channel through which the attacker can send commands to the bots and receive the corresponding responses; these responses often cause abrupt changes in network traffic. Based on this feature, this paper proposes an improved CUSUM algorithm to detect change points in botnet traffic. Experiments show that the algorithm adopted in this paper is effective: it detects the change points in the traffic and improves both detection speed and accuracy.
Keywords: botnet; CUSUM algorithm; change point; threshold
Botnet Anomaly Traffic Detection Based on Modified-CUSUM Algorithms
LAI Ben, ZHANG Yi
National University of Defense Technology, Changsha, 410073, China
Abstract: The detection of botnets has become one of the hot spots in network security research. A distinct characteristic of a botnet is that it builds a C&C channel through which the attacker can send commands to bots and receive their responses. The response action is likely to cause a sudden change in network traffic. Based on this change-point characteristic, we propose an improved CUSUM algorithm in this paper to detect the change point in botnet network traffic. The experimental results show that the proposed algorithm effectively detects the change point in botnet network traffic, with a higher detection rate and higher accuracy.
Key words: Botnet, CUSUM algorithm, change point, thresholds
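The abstract does not describe the details of the improved algorithm, so the following added example (not code from the paper) shows only the classic one-sided CUSUM change-point test of Page (1954) that it builds on: a running statistic accumulates the excess of each observation over a baseline mean minus a slack value k, resets to zero when it goes negative, and raises an alarm when it exceeds a threshold h. The packet-count series, the training-window length and the k and h multipliers are constructed for illustration.

```python
# Added example: one-sided CUSUM change-point detection over a per-interval
# traffic series (e.g. packets per second). Not the paper's improved variant,
# whose details are not given in the abstract; this is the classic form.
from typing import List, Optional, Tuple


def cusum_change_point(series: List[float], mean: float, k: float, h: float) -> Optional[int]:
    """Return the index at which the upper CUSUM statistic first exceeds h, else None.

    mean: baseline level of the series estimated from a quiet training window
    k:    allowance subtracted at every step so that normal jitter does not accumulate
    h:    decision threshold on the accumulated statistic (the "threshold" of the paper)
    """
    s = 0.0
    for i, x in enumerate(series):
        # Accumulate only positive excess over (mean + k); reset at zero.
        s = max(0.0, s + (x - mean - k))
        if s > h:
            return i
    return None


def baseline_stats(window: List[float]) -> Tuple[float, float]:
    """Sample mean and standard deviation of the training window."""
    n = len(window)
    mean = sum(window) / n
    var = sum((x - mean) ** 2 for x in window) / (n - 1)
    return mean, var ** 0.5


def detect_burst(series: List[float], train_len: int,
                 k_sigma: float = 0.5, h_sigma: float = 5.0) -> Optional[int]:
    """Estimate the baseline from the first train_len intervals, then run CUSUM
    on the rest. k and h are expressed in multiples of the baseline deviation
    (constructed defaults). Returns the alarm index in the full series, or None.
    """
    mean, sd = baseline_stats(series[:train_len])
    idx = cusum_change_point(series[train_len:], mean, k_sigma * sd, h_sigma * sd)
    return None if idx is None else idx + train_len


# Constructed sample: 40 intervals of quiet background traffic (about 50 pkt/s
# with small jitter), then a step to about 90 pkt/s from interval 40 onwards,
# standing in for the traffic surge caused by bots answering a C&C command.
SAMPLE = [50, 52, 49, 51, 48, 50, 53, 47, 50, 51, 49, 52, 50, 48, 51, 50, 49, 52, 51, 50,
          48, 50, 52, 49, 51, 50, 47, 53, 50, 49, 51, 50, 52, 48, 50, 51, 49, 50, 52, 50,
          88, 92, 90, 91, 89, 93, 90, 88, 92, 90]

if __name__ == "__main__":
    alarm = detect_burst(SAMPLE, train_len=30)
    print("change point at interval:", alarm)          # 40
    print("quiet-only series:", detect_burst(SAMPLE[:40], 30))  # None
```

The choice of k and h is the trade-off the paper's keywords refer to: a small k and h detect the step sooner but accumulate ordinary jitter into false alarms, while larger values delay detection. In this constructed series the accumulated statistic never exceeds about 1.1 during the quiet intervals, so the threshold of 5 standard deviations is crossed only at the first interval of the surge.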
About the author:
LAI Ben (來犇), male, from Liquan, Shaanxi, is a master's student in computer science at the National University of Defense Technology in Changsha, Hunan. His research direction is network security, specifically botnet detection; his advisor is ZHANG Yi (張怡).