基于LLMNR协议与证据理论的本地网络CC信息分享机制

郭晓军; 程光; 胡一非; 戴冕

doi:10.11999/JEIT160410

基于LLMNR协议与证据理论的本地网络CC信息分享机制

doi: 10.11999/JEIT160410

基金项目:

国家863计划项目(2015AA015603)，江苏省未来网络创新研究院未来网络前瞻性研究项目(BY2013095-5-03)，江苏省六大人才高峰高层次人才项目(2011-DZ024)，江苏省普通高校研究生科研创新计划资助项目(KYLX_0141)

计量
- 文章访问数: 1381
- HTML全文浏览量: 141
- PDF下载量: 479
- 被引次数: 0
出版历程
- 收稿日期: 2016-04-25
- 修回日期: 2016-09-09
- 刊出日期: 2017-03-19

CC Information Sharing Scheme in Local Network Based on LLMNR Protocol and Evidential Theory

Funds:

The National 863 Program of China (2015AA 015603), Jiangsu Future Net-works Innovation Institute: Prospective Research Project on Future Networks (BY2013095- 5-03), Six Talent Peaks of High Level Talents Project of Jiangsu Province (2011-DZ024), The Scientific Research Innovation Projects for General University Graduate of Jiangsu Province (KYLX_0141)

摘要

摘要: 僵尸主机(Bot)安全隐蔽地获取控制命令信息是保证僵尸网络能够正常工作的前提。该文针对本地网络同类型Bot隐蔽地获取控制命令信息问题，提出一种基于LLMNR协议与证据理论的命令控制信息分享机制，首先定义了开机时间比和CPU利用率两个评价Bot性能的指标。其次本地网络中多个同类Bot间利用LLMNR Query包通告各自两个指标值，并利用D-S证据理论选举出僵尸主机临时代表BTL(Bot Temporary Leader)。接着仅允许BTL与命令控制服务器进行通信并获取命令控制信息。最后，BTL通过LLMNR Query包将命令控制信息分发给其它Bot。实验结果表明，该机制能使多个同类Bot完成命令控制信息的共享，选举算法能根据Bot评价指标实时有效选举出BTL，在网络流量较大时仍呈现较强的鲁棒性，且选举过程产生流量也具有较好隐蔽性。
- 网络安全 /
- 僵尸网络 /
- 命令控制 /
- D-S证据理论 /
- LLMNR协议
Abstract: The bot must obtain the Command and Control (CC) information covertly and securely, which is a necessary precondition to ensure botnet work correctly and normally. For the problem that how to covertly get and share CC information between the same type bots in local network, a CC Information Sharing scheme based on Link-Local Multicast Name Resolution (LLMNR) protocol and Evidential (CCISLE) theory is proposed. Firstly, for measuring bot performance, two metrics are defined: running time ratio and CPU utilization rate. Secondly, the same type bots will inform their own two metrics to each other via LLMNR query packets and utilize D-S evidential theory to vote BTL (Bot Temporary Leader). Then only BTL can be proved to communicate with CC servers and CC information can be obtained. Lastly, BTL will share the CC information with other bots through LLMNR query packets. The experimental results show that CCISLE can help the same type bots achieve sharing CC information successfully. The voting algorithm based on D-S evidential theory is able to elect BTL effectively with two proposed metrics and still present better robustness when in heavy network traffic. Moreover, the traffic produced during BTL voting process also has good covertness.
- Network security /
- Botnet /
- Command and control /
- D-S evidential theory /
- Link-Local Multicast Name Resolution (LLMNR) protocal

HTML全文

参考文献(26)

王天佐, 王怀民, 刘波, 等. 僵尸网络中的关键问题[J]. 计算机学报, 2012, 35(6): 1192-1208. doi: 10.3724/SP.J.1016.2012. 01192.

WANG Tianzuo, WANG Huaimin, LIU Bo, et al. Some critical problems of Botnets[J]. Chinese Journal of Computers, 2012, 35(6): 1192-1208. doi: 10.3724/SP.J.1016.2012.01192.

CHEN P, DESMET L, and HUYGENS C. A study on advanced persistent threats[C]. Proceedings of the 15th IFIP TC 6/TC 11 International Conference on Communications and Multimedia Security, Aveiro, Portugal, 2014: 63-72. doi: 10.1007/978-3-662-44885-4_5.

JUELS A and TING F Y. Sherlock Holmes and the case of the advanced persistent threat[C]. Proceedings of the 5th USENIX Conference on Large-Scale Exploits and Emergent Threats, San Jose, CA, USA, 2012: 2-6.

RAFAEL A R G, GABRIEL M F, and PEDRO G T. Survey and taxonomy of botnet research through life-cycle[J]. ACM Computing Surveys, 2013, 45(4): 1-33. doi: 10.1145/2501654. 2501659.

GU G F, ZHANG J, and LEE W. BotSniffer: detecting botnet command and control channels in network traffic[C]. Proceedings of the 15th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, 2008: 10-22.

STONE-GROSS B, COVA M, CAVALLARO L, et al. Your botnet is my botnet: Analysis of a botnet takeover[C]. Proceedings of the 16th ACM Conference on Computer and Communications Security, Hyatt Regency Chicago, IL, USA, 2009: 635-647. doi: 10.1145/1653662.1653738.

PORRAS P, SAIDI H, and YEGNESWARAN V. An analysis of the iKee.B iphone botnet[C]. Proceedings of the 2nd International ICST Conference on Security and Privacy in Mobile Information and Communication Systems, Catania, Sicily, Italy, 2010: 141-152. doi: 10.1007/978-3-642-17502- 2_12.

CHO C Y, CABALLERO J, GRIER C, et al. Insights from the inside: A view of botnet management from infiltration[C]. Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, San Jose, CA, USA, 2010: 120-132.

BILGE L, BALZAROTTI D, ROBERTSON W, et al. Disclosure: detecting botnet command and control servers through large-scale netflow analysis[C]. Proceedings of the 28th Annual Computer Security Applications Conference, Orlando, FL, USA, 2012: 129-138. doi: 10.1145/2420950. 2420969.

ANDRIESSE D, ROSSOW C, STONE-GROSS B, et al. Highly resilient peer-to-peer botnets are here: an analysis of Gameover Zeus[C]. Proceedings of the 8th International Conference on Malicious and Unwanted Software: The Americas, Fajardo, Portugal, 2013: 116-123. doi: 10.1109/ MALWARE.2013.6703693.

RAHIMIAN A, ZIARATI R, PREDA S, et al. On the reverse engineering of the citadel botnet[C]. Proceedings of the 6th International Symposium Foundations and Practice of Security, La Rochelle, France, 2014: 408-425. doi: 10.1007/ 978-3-319-05302-8_25.

GAN C, CETIN O, and VAN E M. An empirical analysis of ZeuS CC lifetime[C]. Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, Singapore, 2015: 97-108. doi: 10.1145/2714576. 2714579.

CHOI H, LEE H, LEE H, et al. Botnet detection by monitoring group activities in DNS traffic[C]. Proceedings of the 7th IEEE International Conference on Computer and Information Technology, Aizu-Wakamatsu, Fukushima, Japan, 2007: 715-720. doi: 10.1109/CIT.2007.90.

STRAYER W T, LAPSELY D, WALSH R, et al. Botnet Detection Based on Network Behavior[M]. New York, USA, Springer Science Business Media, 2008: 1-24. doi: 10.1007 /978-0-387-68768-1_1.

SAAD S, TRAORE I, GHORBANI A, et al. Detecting P2P botnets through network behavior analysis and machine learning[C]. Proceedings of the 9th Annual International Conference on Privacy, Security and Trust, Montreal, Quebec, Canada, 2011: 174-180. doi: 10.1109/PST.2011.5971980.

ZHAO D, TRAORE I, SAYED B, et al. Botnet detection based on traffic behavior analysis and flow intervals[J]. Computers Security, 2013, 39(4): 2-16. doi: 10.1016/j.cose. 2013.04.007.

DIETRICH C J, ROSSOW C, and POHLMANN N. CoCoSpot: clustering and recognizing botnet command and control channels using traffic analysis[J]. Computer Networks, 2013, 57(2): 475-486. doi: 10.1016/j.comnet.2012.06.019.

JIANG H and SHAO X. Detecting P2P botnets by discovering flow dependency in CC traffic[J]. Peer-to-Peer Networking and Applications, 2014, 7(4): 320-331. doi: 10.1007/s12083-012-0150-x.

BILGE L, SEN S, BALZAROTTI D, et al. EXPOSURE: a passive DNS analysis service to detect and report malicious domains[J]. ACM Transactions on Information and System Security, 2014, 16(4): 289-296. doi: 10.1145/2584679.

CHANG W, MOHAISEN A, WANG A, et al. Measuring botnets in the wild: Some new trends[C]. Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, Singapore, 2015: 645-650. doi: 10.1145/2714576.2714637.

LEVON E, BERNARD A, and DAVE T. Link-Local Multicast Name Resolution (LLMNR)[OL]. https://tools.ietf. org /html/rfc4795. 2015.

CAVALCANTE A P A, BOUDY J, ISTRATE D, et al. A dynamic evidential network for fall detection[J]. IEEE Journal of Biomedical and Health Informatics, 2014, 18(4): 1103-1113. doi: 10.1109/JBHI.2013.2283055.

Guo X J, Cheng G, Pan W B, et al. A novel search engine- based method for discovering command and control server[C]. Proceedings of the 15th International Conference On Algorithms and Architectures for Parallel Processing. Zhangjiajie, China, 2015: 311-322. doi: 10.1007/978-3-319- 27137-8_24.

YIN T, ZHANG Y, and LI S. DR-SNBot: a social network- based botnet with Strong Destroy-Resistance[C]. Proceedings of the 9th IEEE International Conference on Networking, Architecture, and Storage, Tianjin, China, 2014: 191-199. doi: 10.1109/NAS.2014.37.

NAJAM M, YOUNIS U, and RASOOL R. Speculative parallel pattern matching using stride-k DFA for deep packet inspection[J]. Journal of Network and Computer Applications, 2015, 54: 78-87. doi: 10.1016/j.jnca.2015.04.013.

施引文献

资源附件(0)

访问统计