
CC Information Sharing Scheme in Local Network Based on LLMNR Protocol and Evidential Theory

GUO Xiaojun, CHENG Guang, HU Yifei, DAI Mian

Citation: GUO Xiaojun, CHENG Guang, HU Yifei, Dai Mian. CC Information Sharing Scheme in Local Network Based on LLMNR Protocol and Evidential Theory[J]. Journal of Electronics & Information Technology, 2017, 39(3): 525-531. doi: 10.11999/JEIT160410


doi: 10.11999/JEIT160410
Funds: The National 863 Program of China (2015AA015603), Jiangsu Future Networks Innovation Institute: Prospective Research Project on Future Networks (BY2013095-5-03), Six Talent Peaks of High Level Talents Project of Jiangsu Province (2011-DZ024), The Scientific Research Innovation Projects for General University Graduate of Jiangsu Province (KYLX_0141)

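  • Abstract: The ability of a bot to obtain command and control (CC) information securely and covertly is a prerequisite for a botnet to work properly. To address the problem of bots of the same type in a local network covertly obtaining CC information, this paper proposes a CC information sharing scheme based on the LLMNR protocol and evidential theory. First, two metrics for evaluating bot performance are defined: the uptime ratio and CPU utilization. Second, multiple bots of the same type in the local network announce their two metric values to one another using LLMNR Query packets, and a Bot Temporary Leader (BTL) is elected using D-S evidence theory. Next, only the BTL is allowed to communicate with the command and control server and obtain the CC information. Finally, the BTL distributes the CC information to the other bots via LLMNR Query packets. Experimental results show that the scheme enables multiple bots of the same type to share CC information, that the election algorithm can elect the BTL effectively and in real time according to the bot evaluation metrics, that it remains robust when network traffic is heavy, and that the traffic generated by the election process is also well concealed.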
Publication history
  • Received: 2016-04-25
  • Revised: 2016-09-09
  • Published: 2017-03-19
