基于LLMNR协议与证据理论的本地网络C&C信息分享机制

doi:10.11999/JEIT160410

摘要
图/表
参考文献(26)
相关文章 (15)

全文: PDF (832 KB)
输出: BibTeX | EndNote (RIS)

摘要

僵尸主机(Bot)安全隐蔽地获取控制命令信息是保证僵尸网络能够正常工作的前提。该文针对本地网络同类型Bot隐蔽地获取控制命令信息问题，提出一种基于LLMNR协议与证据理论的命令控制信息分享机制，首先定义了开机时间比和CPU利用率两个评价Bot性能的指标。其次本地网络中多个同类Bot间利用LLMNR Query包通告各自两个指标值，并利用D-S证据理论选举出僵尸主机临时代表BTL(Bot Temporary Leader)。接着仅允许BTL与命令控制服务器进行通信并获取命令控制信息。最后，BTL通过LLMNR Query包将命令控制信息分发给其它Bot。实验结果表明，该机制能使多个同类Bot完成命令控制信息的共享，选举算法能根据Bot评价指标实时有效选举出BTL，在网络流量较大时仍呈现较强的鲁棒性，且选举过程产生流量也具有较好隐蔽性。

	服务

	把本文推荐给朋友
	加入我的书架
	加入引用管理器
	E-mail Alert
	RSS
	作者相关文章
	郭晓军
	程光
	胡一非
	戴冕

关键词 ：网络安全, 僵尸网络, 命令控制, D-S证据理论, LLMNR协议

Abstract：

The bot must obtain the Command and Control (C&C) information covertly and securely, which is a necessary precondition to ensure botnet work correctly and normally. For the problem that how to covertly get and share C&C information between the same type bots in local network, a C&C Information Sharing scheme based on Link-Local Multicast Name Resolution (LLMNR) protocol and Evidential (CCISLE) theory is proposed. Firstly, for measuring bot performance, two metrics are defined: running time ratio and CPU utilization rate. Secondly, the same type bots will inform their own two metrics to each other via LLMNR query packets and utilize D-S evidential theory to vote BTL (Bot Temporary Leader). Then only BTL can be proved to communicate with C&C servers and C&C information can be obtained. Lastly, BTL will share the C&C information with other bots through LLMNR query packets. The experimental results show that CCISLE can help the same type bots achieve sharing C&C information successfully. The voting algorithm based on D-S evidential theory is able to elect BTL effectively with two proposed metrics and still present better robustness when in heavy network traffic. Moreover, the traffic produced during BTL voting process also has good covertness.

Key words： Network security Botnet Command and control D-S evidential theory Link-Local Multicast Name Resolution (LLMNR) protocal

收稿日期: 2016-04-25 出版日期: 2016-11-14

PACS:

TP393.08

基金资助:

国家863计划项目(2015AA015603)，江苏省未来网络创新研究院未来网络前瞻性研究项目(BY2013095-5-03)，江苏省“六大人才高峰”高层次人才项目(2011-DZ024)，江苏省普通高校研究生科研创新计划资助项目(KYLX_0141)

通讯作者: 程光：男，1973年生，教授、博士生导师，主要研究领域为网络安全、网络测量与行为学及未来网络安全. E-mail: gcheng@njnet.edu.cn

作者简介: 郭晓军：男，1983年生，博士生，研究领域为网络安全、网络测量及网络管理. 程光：男，1973年生，教授、博士生导师，主要研究领域为网络安全、网络测量与行为学及未来网络安全. 胡一非：男，1989年生，硕士生，研究领域为网络安全、机器学习. 戴冕：男，1988年生，博士生，研究领域为云计算、网络安全.

引用本文:

郭晓军,程光,胡一非,戴冕. 基于LLMNR协议与证据理论的本地网络C&C信息分享机制[J]. 电子与信息学报, 2017, 39(3): 525-531. GUO Xiaojun, CHENG Guang, HU Yifei, Dai Mian. C&C Information Sharing Scheme in Local Network Based on LLMNR Protocol and Evidential Theory. JEIT, 2017, 39(3): 525-531.

链接本文:

http://jeit.ie.ac.cn/CN/10.11999/JEIT160410 或 http://jeit.ie.ac.cn/CN/Y2017/V39/I3/525

[1]	王天佐, 王怀民, 刘波, 等. 僵尸网络中的关键问题[J]. 计算机学报, 2012, 35(6): 1192-1208. doi: 10.3724/SP.J.1016.2012. 01192.
	WANG Tianzuo, WANG Huaimin, LIU Bo, et al. Some critical problems of Botnets[J]. Chinese Journal of Computers, 2012, 35(6): 1192-1208. doi: 10.3724/SP.J.1016.2012.01192.
[2]	CHEN P, DESMET L, and HUYGENS C. A study on advanced persistent threats[C]. Proceedings of the 15th IFIP TC 6/TC 11 International Conference on Communications and Multimedia Security, Aveiro, Portugal, 2014: 63-72. doi: 10.1007/978-3-662-44885-4_5.
[3]	JUELS A and TING F Y. Sherlock Holmes and the case of the advanced persistent threat[C]. Proceedings of the 5th USENIX Conference on Large-Scale Exploits and Emergent Threats, San Jose, CA, USA, 2012: 2-6.
[4]	RAFAEL A R G, GABRIEL M F, and PEDRO G T. Survey and taxonomy of botnet research through life-cycle[J]. ACM Computing Surveys, 2013, 45(4): 1-33. doi: 10.1145/2501654. 2501659.
[5]	GU G F, ZHANG J, and LEE W. BotSniffer: detecting botnet command and control channels in network traffic[C]. Proceedings of the 15th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, 2008: 10-22.
[6]	STONE-GROSS B, COVA M, CAVALLARO L, et al. Your botnet is my botnet: Analysis of a botnet takeover[C]. Proceedings of the 16th ACM Conference on Computer and Communications Security, Hyatt Regency Chicago, IL, USA, 2009: 635-647. doi: 10.1145/1653662.1653738.
[7]	PORRAS P, SAIDI H, and YEGNESWARAN V. An analysis of the iKee.B iphone botnet[C]. Proceedings of the 2nd International ICST Conference on Security and Privacy in Mobile Information and Communication Systems, Catania, Sicily, Italy, 2010: 141-152. doi: 10.1007/978-3-642-17502- 2_12.
[8]	CHO C Y, CABALLERO J, GRIER C, et al. Insights from the inside: A view of botnet management from infiltration[C]. Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats, San Jose, CA, USA, 2010: 120-132.
[9]	BILGE L, BALZAROTTI D, ROBERTSON W, et al. Disclosure: detecting botnet command and control servers through large-scale netflow analysis[C]. Proceedings of the 28th Annual Computer Security Applications Conference, Orlando, FL, USA, 2012: 129-138. doi: 10.1145/2420950. 2420969.
[10]	ANDRIESSE D, ROSSOW C, STONE-GROSS B, et al. Highly resilient peer-to-peer botnets are here: an analysis of Gameover Zeus[C]. Proceedings of the 8th International Conference on Malicious and Unwanted Software: The Americas, Fajardo, Portugal, 2013: 116-123. doi: 10.1109/ MALWARE.2013.6703693.
[11]	RAHIMIAN A, ZIARATI R, PREDA S, et al. On the reverse engineering of the citadel botnet[C]. Proceedings of the 6th International Symposium Foundations and Practice of Security, La Rochelle, France, 2014: 408-425. doi: 10.1007/ 978-3-319-05302-8_25.
[12]	GAÑÁN C, CETIN O, and VAN E M. An empirical analysis of ZeuS C&C lifetime[C]. Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, Singapore, 2015: 97-108. doi: 10.1145/2714576. 2714579.
[13]	CHOI H, LEE H, LEE H, et al. Botnet detection by monitoring group activities in DNS traffic[C]. Proceedings of the 7th IEEE International Conference on Computer and Information Technology, Aizu-Wakamatsu, Fukushima, Japan, 2007: 715-720. doi: 10.1109/CIT.2007.90.
[14]	STRAYER W T, LAPSELY D, WALSH R, et al. Botnet Detection Based on Network Behavior[M]. New York, USA, Springer Science Business Media, 2008: 1-24. doi: 10.1007 /978-0-387-68768-1_1.
[15]	SAAD S, TRAORE I, GHORBANI A, et al. Detecting P2P botnets through network behavior analysis and machine learning[C]. Proceedings of the 9th Annual International Conference on Privacy, Security and Trust, Montreal, Quebec, Canada, 2011: 174-180. doi: 10.1109/PST.2011.5971980.
[16]	ZHAO D, TRAORE I, SAYED B, et al. Botnet detection based on traffic behavior analysis and flow intervals[J]. Computers & Security, 2013, 39(4): 2-16. doi: 10.1016/j.cose. 2013.04.007.
[17]	DIETRICH C J, ROSSOW C, and POHLMANN N. CoCoSpot: clustering and recognizing botnet command and control channels using traffic analysis[J]. Computer Networks, 2013, 57(2): 475-486. doi: 10.1016/j.comnet.2012.06.019.
[18]	JIANG H and SHAO X. Detecting P2P botnets by discovering flow dependency in C&C traffic[J]. Peer-to-Peer Networking and Applications, 2014, 7(4): 320-331. doi: 10.1007/s12083-012-0150-x.
[19]	BILGE L, SEN S, BALZAROTTI D, et al. EXPOSURE: a passive DNS analysis service to detect and report malicious domains[J]. ACM Transactions on Information and System Security, 2014, 16(4): 289-296. doi: 10.1145/2584679.
[20]	CHANG W, MOHAISEN A, WANG A, et al. Measuring botnets in the wild: Some new trends[C]. Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, Singapore, 2015: 645-650. doi: 10.1145/2714576.2714637.
[21]	LEVON E, BERNARD A, and DAVE T. Link-Local Multicast Name Resolution (LLMNR)[OL]. https://tools.ietf. org /html/rfc4795. 2015.
[22]	CAVALCANTE A P A, BOUDY J, ISTRATE D, et al. A dynamic evidential network for fall detection[J]. IEEE Journal of Biomedical and Health Informatics, 2014, 18(4): 1103-1113. doi: 10.1109/JBHI.2013.2283055.
[23]	Guo X J, Cheng G, Pan W B, et al. A novel search engine- based method for discovering command and control server[C]. Proceedings of the 15th International Conference On Algorithms and Architectures for Parallel Processing. Zhangjiajie, China, 2015: 311-322. doi: 10.1007/978-3-319- 27137-8_24.
[24]	YIN T, ZHANG Y, and LI S. DR-SNBot: a social network- based botnet with Strong Destroy-Resistance[C]. Proceedings of the 9th IEEE International Conference on Networking, Architecture, and Storage, Tianjin, China, 2014: 191-199. doi: 10.1109/NAS.2014.37.
[25]	PHILIPPE B. Scapy[OL]. http://www.secdev.org/projects/ scapy/, 2015.NLANR/DAST. iPerf[OL]. https://iperf.fr/, 2015.
[26]	NAJAM M, YOUNIS U, and RASOOL R. Speculative parallel pattern matching using stride-k DFA for deep packet inspection[J]. Journal of Network and Computer Applications, 2015, 54: 78-87. doi: 10.1016/j.jnca.2015.04.013.