
Journal of Shandong University (Natural Science) ›› 2017, Vol. 52 ›› Issue (3): 74-81. doi: 10.6040/j.issn.1671-9352.2.2016.001


P2P botnet detection method based on fractal and adaptive data fusion

SONG Yuan-zhang, LI Hong-yu, CHEN Yuan, WANG Jun-jie

  1. Changchun Institute of Optics, Fine Mechanics and Physics, Chinese Academy of Sciences, Changchun 130033, Jilin, China
  • Received: 2016-08-18 Online: 2017-03-20 Published: 2017-03-20
  • About the author: SONG Yuan-zhang (born 1986), male, master's degree, assistant research fellow; research interests: network security and distributed computing. E-mail: songyuanzhang@163.com
  • Funding:
    National High Technology Research and Development Program of China (863 Program) (2011AA7031024G); National Natural Science Foundation of China (90204014)

Abstract: A P2P botnet detection method based on fractal and adaptive data fusion is proposed. A single-fractal detection sensor and a multi-fractal detection sensor are built; they use self-similarity at the large time scale and local singularity at the small time scale to characterize network traffic, and a Kalman filter is used to detect whether these characteristics become abnormal. To obtain a more accurate detection result, an adaptive data fusion method is proposed: depending on the degree of conflict between the pieces of evidence, DST (Dempster-Shafer Theory) or DSmT (Dezert-Smarandache Theory) is adaptively selected to fuse the outputs of the two detection sensors into the final result. The side effects that ordinary P2P applications have on P2P botnet detection are also taken into account. Experimental results show that the proposed method detects P2P botnets with high accuracy.

Key words: P2P botnet, adaptive data fusion, Dezert-Smarandache theory, Dempster-Shafer theory
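The conflict-driven switch between DST and DSmT described in the abstract, as an added Python example that is not the paper's code: the two-element frame {normal, botnet}, the conflict threshold of 0.5, the choice of the classic DSm rule for the high-conflict branch and the sensor mass values are all assumptions, since the page states none of them.

```python
"""Adaptive DST/DSmT fusion of two detection-sensor verdicts (added example)."""
from typing import Dict, Tuple

# Focal elements over the frame {N (normal), B (botnet)}. "NB" is the
# ignorance set N ∪ B; "N&B" is the DSmT paradoxical hypothesis N ∩ B,
# which is a real focal element only under DSmT (empty under DST).
N, B, NB, PARADOX = "N", "B", "NB", "N&B"
Mass = Dict[str, float]

def _intersect(a: str, b: str) -> str:
    """Intersection of two focal elements; N ∩ B is the paradox element."""
    if a == b:
        return a
    if a == NB:
        return b
    return a if b == NB else PARADOX

def conflict(m1: Mass, m2: Mass) -> float:
    """Dempster's conflict factor K: total mass that lands on N ∩ B."""
    return sum(w1 * w2 for a, w1 in m1.items() for b, w2 in m2.items()
               if _intersect(a, b) == PARADOX)

def fuse_dst(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule: drop conflicting mass and renormalise by 1 - K."""
    k = conflict(m1, m2)
    if k >= 1.0:
        raise ValueError("total conflict: Dempster's rule is undefined")
    out: Mass = {}
    for a, w1 in m1.items():
        for b, w2 in m2.items():
            c = _intersect(a, b)
            if c != PARADOX:
                out[c] = out.get(c, 0.0) + w1 * w2 / (1.0 - k)
    return out

def fuse_dsmt(m1: Mass, m2: Mass) -> Mass:
    """Classic DSm rule (free model): keep the conflicting mass on N ∩ B."""
    out: Mass = {}
    for a, w1 in m1.items():
        for b, w2 in m2.items():
            c = _intersect(a, b)
            out[c] = out.get(c, 0.0) + w1 * w2
    return out

def fuse_adaptive(m1: Mass, m2: Mass, threshold: float = 0.5) -> Tuple[str, float, Mass]:
    """Use DST while the sensors broadly agree (K < threshold), DSmT otherwise.
    The 0.5 threshold is an assumption; the page does not state one."""
    k = conflict(m1, m2)
    rule = "DST" if k < threshold else "DSmT"
    return rule, k, (fuse_dst if rule == "DST" else fuse_dsmt)(m1, m2)

def verdict(fused: Mass) -> str:
    """Label by the dominant focal element; dominant ignorance or paradox
    mass means the two sensors could not be reconciled."""
    best = max(fused, key=lambda key: fused[key])
    return {B: "botnet", N: "normal"}.get(best, "undetermined")
```

With constructed masses m1 = {B: 0.7, N: 0.1, NB: 0.2} and m2 = {B: 0.6, N: 0.2, NB: 0.2} the conflict is 0.20, DST is chosen and the fused botnet mass is 0.85; with m1 = {B: 0.8, N: 0.1, NB: 0.1} against m2 = {B: 0.1, N: 0.8, NB: 0.1} the conflict is 0.65, DSmT keeps that 0.65 on N ∩ B and the verdict is "undetermined" rather than a renormalised false certainty.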

CLC number:

  • TP393.08