僵尸程序网络行为分析及检测方法研究

华中科技大学硕士学位论文僵尸程序网络行为分析及检测方法研究姓名：冉俊秀申请学位级别：硕士专业：信息安全指导教师：李汉菊20090526IIIAbstractBotnetsareconstitutedbymanyhostswhichareinfectedbybots.Botnetsarealwaysusedforlaunchinglargescalenetworkattack.Meanwhile,theinfectedhostsencounterthethreadofinformationrevelation.Botnetsareserioushiddendangerforbothnetworkrunningsecurityanduserdatasecurity.Thus,detectingbotnetseffectivelyisurgentfornowadaysnetworkmanagement.Currently,researchofbotnetdetectingismainlyfocusonbehavioralcharacteristicsandflowcharacteristics.Behavioralcharacteristicsbaseddetectingtechnologycandetectbotsaccurately,butitsdataprocessingabilityislimited.Flowcharacteristicsbaseddetectingtechnologycanprocesslargescaledata,butitsfalsealarmrateisalittlehigh.Themethoddiscussedinthispapercombinetheadvantagesofthesetwomethodsandcaneffectivelydetectbotnetactivitiesinlargebackgroundtrafic.AnalyzingflowcharacteristicsofBotnet,withinthesamebotnetwilllikelydemonstratepatial-temporalcorrelationandsimilaritybecauseofthestructurednatureofBotnet.Designaprotocolmatchingalgorithmbasedonlight-weightpayloadaccordingtotheexperimentalresults.Andthendeterminenetworkbehaviorofbotsusingthesequentialprobabilityratiotestalgorithm.Duetoaboveresearch,Aprototypesystemisdesignedandimplemented,whichcontainsthreemainmodules:networkflowpreprocessingmodule,protocolmatchingmodulebasedonlight-weightpayload,andanalysismodulebasedonsequenceprobabilityratiotestalgorithm.Firstofall,filteroutknownflowwhichcannotbebotnetsflowthroughwhitelisttechnology;Secondly,identifysuspiciousbotnetsC&Cflowintheremainingflowbyusingthelight-weightpayloadtechnology;Finally,identifybotsactivitiesbyusingsequentialprobabilityrationtestingalgorithms.Inordertotestandverifythemethoddiscussedinthispaper,arrangeseveralhostscontainingbotactivities,thenanalysisandprocessthecapturednetworkflowbyusingtheprototypesystem.TheresultshowsthatthemethodcandetectbotactivitiesinLANeffectively.Keywords:bots,networkbehavior,protocolmatchingalgothrimbasedonlightweightpayload,sequentialprobabilityratiotesingalgorithm□____________□“√”111.1(botnet)(DDoS)[1](Spam)[2](rootkit)[3](Worm)[4](Trojanhorse)[5]3IRCHTTPP2PIRCHTTPC/SP2P1.2[6]BacherHolzWindowssnort_inlineIRCNepenthes[7]NepenthesNepenthes(CNCERT/CC)2Honeybow[8]HoneybowNepenthesIRCIRCIRCIRCGTBotSdbotMybot[9]2004Agobot/GaobotrBot/Spybot[10]IRCIRCIRCP2PP2PP2P2003SinitNugache[11]Peacomm[12]P2PIRCHTTPP2P2007PeacommP2PP2PP2PIRCIRCNICK/HTTPIRC3/HTTPP2PIRCHTTP[13](1)P2P(2)P2PP2PP2P(3)P2PP2PIRCHTTPP2P1.3(1)(2)(3)(4)(5)(6)1.4452IT2.12.1.1[14](1)Shellcode[15]botbotbotmetasploit[16]TenableNessus3IP218.199.102.176MS06-040usewindows/smb/ms06_040_netapi/*ms06_040_netapi*/setPAYLOADwindows/shell/reverse_tcp/*PAYLOAD*/setRHOST218.199.102.176/*IP*/setLHOST218.199.102.170/*IP*/exploit/**/6TenableNessus3PAYLOADIPIP(2)[17](3)(QQMSN)(4)WEBWEB(5)2.1.2IRCHTTPIRCHTTPWEBWEBP2P7IPIP2.1.3IRCHTTPWEBP2PIRCHTTPP2P2.210IRCHTTPP2P2.2.1IRCIRCBot——Eggdrop[18]IRCEggdrop19996PrettyParkIRC,IRCIRCIRCIRCmIRCGT-BotAgobotSdbotIRCIRCIRC8IRCIRCIRCIRCIRCIRCIRCIRC2.2.2HTTPIRCIRCHTTPHTTPIRCBotnetIRCHTTPIRCHTTPHTTPHTTPIRCHTTPHTTPBobaxRustockClickbot2.2.3P2PIRCHTTPC/SP2PP2PP2PSinitSlapperNugachePeacommSlapperP2PSinitNugache9IRCHTTPP2PP2Ppeer-to-peer,2.32.3.1DDoSDDoSDDoSDDoS[19]DDoSCPUDDoSDDoSSynFlood[20]DDoSDDoSDDoS2.3.2[21]botssockv4/v5Marshal[22]685%IRC102.3.3Botnetbotnetbotsniffer[23]2.3.4BotnetBotnetBotnet2.4(1)(2)11(3)(4)2.52.5.1Botnet[24]Botnet(honeypot)/(honeynet)Botnet(),,HoneyWallHoneyWallHoneydHoneyWallHoneyWallWEBHoneyWallBotnetBotnetHoneyWallHoneyWall12[25]IPbotBotnetbot2.12.1BotTrojan.IRCBot-124Trojan.IRCBot-715IRCTrojan.Mybot.gen-61Botnet(l)(2)(3)(l)(2)Bots2.5.2BotsBotnet[26]IRCNICKNAMEBots[27]Bots13(l)(2)(l)(2)2.5.3BotsBotsBotspayloadHTTPIRC2.61433.1botBotmasterbotbotBotmaster(IRC)Bot3.1IP3.2IPDensity3-13-115botpayloadIRCHTTPIRCHTTP3.2payloadIRCHTTPNetflow[28]NetflowCiscoTCP/IPNetflowflow-captureflow-exportMySQL[29]MySQLMySQL`unix_secs`int(10)NOTNULLdefault'0',`exaddr`varchar(15)NOTNULLdefault'',`dpkts`int(8)defaultNULL,`doctets`int(10)defaultNULL,`first`int(12)NOTNULL,`last`int(12)NOTNULL,`engine_type`int(8)NOTNULL,`engine_id`int(8)NOTNULL,`srcaddr`varchar(15)NOTNULL,`dstaddr`varchar(15)NOTNULL,`nexthop`varchar(15)defaultNULL,`input`int(10)defaultNULL,16`output`int(10)defaultNULL,`srcport`int(8)NOTNULL,`dstport`int(8)NOTNULL,`prot`int(8)NOTNULL,`tos`int(8)NOTNULL,`tcp_flags`varchar(8)defaultNULL,`src_mask`varchar(15)defaultNULL,`dst_mask`varchar(15)defaultNULL,`src_as`int(11)defaultNULL,`dst_as`int(11)defaultNULL,NetflowNetflowpayloadpayload3-1IRCConnectionRegistrationIRCChannelOperationIRCIRCIRC3-1IRCConnectionRegistrationChannelOperationConnectionIRCPasswordServerNickServiceQuitServerQuitChannelOperationJoinNjoinMode3-2IRCConnectionRegistrationIRCChannelOperationSendingMessagesServicequeriesandcommandsIRCServiceQueryandcommandsIRCUserbasedqueriesMiscellaneous3-2IRCIRCConnection17RegistrationIRCPasswordNickUserChannelOperationJoinPartTopicKickSendingMessagesIRCServicequeriesandcommandsIRCMotdVersionConnectServiceQuerya