CC Information Sharing Scheme in Local Network Based on LLMNR Protocol and Evidential Theory
doi: 10.11999/JEIT160410
Funding: The National 863 Program of China (2015AA015603), Jiangsu Future Networks Innovation Institute Prospective Research Project on Future Networks (BY2013095-5-03), Six Talent Peaks of High Level Talents Project of Jiangsu Province (2011-DZ024), The Scientific Research Innovation Project for General University Graduates of Jiangsu Province (KYLX_0141)
Abstract: A bot obtaining command-and-control information securely and covertly is a prerequisite for a botnet to function normally. Addressing the problem of how bots of the same type in a local network covertly obtain command-and-control information, this paper proposes a command-and-control information sharing scheme based on the LLMNR protocol and evidence theory. First, two metrics for evaluating bot performance are defined: running time ratio and CPU utilization. Second, several bots of the same type in the local network announce their two metric values to each other using LLMNR Query packets, and D-S evidence theory is used to elect a Bot Temporary Leader (BTL). Then only the BTL is allowed to communicate with the command-and-control server and obtain the command-and-control information. Finally, the BTL distributes the command-and-control information to the other bots via LLMNR Query packets. Experimental results show that the scheme enables multiple bots of the same type to share command-and-control information, that the election algorithm can elect a BTL effectively and in real time according to the bot evaluation metrics, that it remains robust under heavy network traffic, and that the traffic generated by the election process has good covertness.
Keywords:
- network security /
- botnet /
- command and control /
- D-S evidence theory /
- LLMNR protocol
Abstract: The bot must obtain Command and Control (CC) information covertly and securely, which is a necessary precondition for a botnet to work correctly and normally. To address the problem of how bots of the same type in a local network covertly obtain and share CC information, a CC Information Sharing scheme based on the Link-Local Multicast Name Resolution (LLMNR) protocol and Evidential theory (CCISLE) is proposed. Firstly, two metrics are defined for measuring bot performance: running time ratio and CPU utilization rate. Secondly, bots of the same type inform each other of their two metric values via LLMNR query packets and use D-S evidential theory to vote for a Bot Temporary Leader (BTL). Then only the BTL is allowed to communicate with the CC servers and obtain the CC information. Lastly, the BTL shares the CC information with the other bots through LLMNR query packets. The experimental results show that CCISLE enables bots of the same type to share CC information successfully. The voting algorithm based on D-S evidential theory is able to elect a BTL effectively with the two proposed metrics and still presents good robustness under heavy network traffic. Moreover, the traffic produced during the BTL voting process also has good covertness.