Computer Engineering (计算机工程) ›› 2018, Vol. 44 ›› Issue (10): 46-50. doi: 10.19678/j.issn.1000-3428.0051085

Special topic: Cyberspace Security


Botnet Identification Technology Based on Fuzzy Clustering

CHEN Ruidong, ZHAO Lingyuan, ZHANG Xiaosong (陈瑞东, 赵凌园, 张小松)

  1. Center for Cyber Security, University of Electronic Science and Technology of China, Chengdu 611731, China
  • Received: 2018-04-04  Online: 2018-10-15  Published: 2018-10-15
  • About the authors: CHEN Ruidong (born 1985), male, assistant researcher, Ph.D.; main research interests are malicious sample analysis and botnet discovery. ZHAO Lingyuan, master's student. ZHANG Xiaosong, professor, Ph.D.
  • Funding: National Natural Science Foundation of China project "Modeling and Behavior Analysis of Targeted Complex Attack Networks" (F020805); State Grid Corporation of China science and technology project "Research on Key Technologies for Network Security Protection of New-Energy Plants and Substations" (522722180007).

Abstract: Botnets, which fuse worm, backdoor and Trojan techniques, have become the "backing" of advanced persistent threat (APT) attacks because attackers use them to send spam, launch denial-of-service attacks and steal sensitive information. Most existing botnet detection methods are limited to a specific botnet type and do not handle data that lies near a class boundary well. This paper therefore proposes a botnet identification method based on network traffic similarity. The method does not depend on packet content and can therefore be applied to encrypted traffic. Statistical features of flows and packets are extracted from the dataset, each feature is fuzzy-clustered separately, the feature boundaries of the resulting fuzzy classes are determined, and the maximum-membership principle is used to decide whether botnet traffic is present. Association rules are then filtered by support and confidence to determine the specific botnet type. Experimental results show that the method identifies botnet traffic effectively and can also predict the type of botnet.

Key words: botnet detection; traffic similarity; fuzzy clustering; feature boundary; maximum membership
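The abstract describes a three-stage pipeline (per-feature fuzzy clustering, crisp labelling by maximum membership, association rules filtered by support and confidence) but gives no code. The following is an added, self-contained sketch of that pipeline in pure Python; it is not the authors' implementation. It assumes fuzzy c-means (FCM) as the fuzzy clustering algorithm, which the abstract does not name, and uses three assumed flow features (average packet size, mean inter-arrival time, packets per flow), two assumed botnet type labels ("irc_bot", "http_bot") and assumed support/confidence thresholds. All flow records are constructed synthetic samples, not data from the paper.

```python
"""Added example (not the paper's code): per-feature fuzzy c-means on flow statistics,
max-membership discretization, then support/confidence-filtered association rules
that name a botnet type. Feature set, labels, thresholds and all records are assumptions."""
from itertools import combinations

FEATURES = ("avg_pkt_bytes", "mean_iat_s", "pkts_per_flow")

# Constructed training flows: (avg packet size, mean inter-arrival s, packets per flow, label).
# Assumed profiles: IRC-style bots beacon with tiny, periodic, short flows; HTTP-style bots poll
# with mid-size packets and few packets per flow; normal browsing is large, bursty and long.
TRAIN = [
    (90, 30.0, 6, "irc_bot"), (95, 29.0, 5, "irc_bot"), (85, 31.0, 7, "irc_bot"), (100, 30.5, 6, "irc_bot"),
    (700, 5.0, 8, "http_bot"), (680, 4.5, 9, "http_bot"), (720, 5.5, 7, "http_bot"), (690, 5.0, 8, "http_bot"),
    (1000, 0.2, 60, "normal"), (1100, 0.3, 55, "normal"), (950, 0.1, 70, "normal"), (1050, 0.2, 65, "normal"),
]

def memberships(v, centers, m=2.0):
    """FCM membership of scalar v to each center: u_k = 1 / sum_j (d_k/d_j)^(2/(m-1))."""
    d = [abs(v - c) for c in centers]
    if 0.0 in d:  # v sits exactly on a center: crisp membership
        return [1.0 if dk == 0.0 else 0.0 for dk in d]
    return [1.0 / sum((d[k] / d[j]) ** (2.0 / (m - 1.0)) for j in range(len(d))) for k in range(len(d))]

def fuzzy_cmeans_1d(values, c=2, m=2.0, iters=200, tol=1e-9):
    """FCM on one feature column; returns the c centers sorted ascending (class 0 = 'low')."""
    lo, hi = min(values), max(values)
    centers = [lo + (hi - lo) * (k + 0.5) / c for k in range(c)]  # deterministic evenly spread start
    for _ in range(iters):
        U = [memberships(v, centers, m) for v in values]
        new = [sum(u[k] ** m * v for u, v in zip(U, values)) / sum(u[k] ** m for u in U) for k in range(c)]
        shift = max(abs(a - b) for a, b in zip(centers, new))
        centers = new
        if shift < tol:
            break
    return sorted(centers)

def feature_boundaries(centers):
    """Crossing points of adjacent membership curves. With Euclidean distance the nearest center
    always has the largest membership, so the max-membership boundary is the midpoint."""
    return [(a + b) / 2.0 for a, b in zip(centers, centers[1:])]

def discretize(flow, model):
    """Maximum-membership principle: each feature becomes the index of its largest membership."""
    items = []
    for f, v in zip(FEATURES, flow):
        u = memberships(v, model[f])
        items.append((f, u.index(max(u))))
    return frozenset(items)

def mine_rules(itemsets, labels, min_sup=0.25, min_conf=0.9):
    """Rules {feature classes} -> type; kept only if support and confidence pass the thresholds."""
    n, cands, rules = len(itemsets), set(), []
    for items, label in zip(itemsets, labels):
        for r in range(1, len(items) + 1):
            for ant in combinations(sorted(items), r):
                cands.add((frozenset(ant), label))
    for ant, label in cands:
        ant_n = sum(1 for s in itemsets if ant <= s)
        both = sum(1 for s, l in zip(itemsets, labels) if ant <= s and l == label)
        sup, conf = both / n, both / ant_n
        if sup >= min_sup and conf >= min_conf:
            rules.append((ant, label, sup, conf))
    return rules

def fit(train, **kw):
    model = {f: fuzzy_cmeans_1d([row[i] for row in train]) for i, f in enumerate(FEATURES)}
    sets = [discretize(row[:3], model) for row in train]
    return model, mine_rules(sets, [row[3] for row in train], **kw)

def predict_type(flow, model, rules):
    """Most confident matching rule wins; ties broken by support, then by longer antecedent."""
    hits = [r for r in rules if r[0] <= discretize(flow, model)]
    if not hits:
        return "unknown"
    return max(hits, key=lambda r: (r[3], r[2], len(r[0])))[1]

def botnet_present(flows, model, rules):
    """Stage-one verdict from the abstract: does any flow resolve to a botnet type?"""
    return any(predict_type(f, model, rules) not in ("normal", "unknown") for f in flows)

if __name__ == "__main__":
    model, rules = fit(TRAIN)
    for f in FEATURES:
        print(f, "centers", [round(c, 1) for c in model[f]],
              "boundary", [round(b, 1) for b in feature_boundaries(model[f])])
    for ant, label, sup, conf in sorted(rules, key=lambda r: (r[1], len(r[0]))):
        print(dict(ant), "->", label, "sup=%.2f conf=%.2f" % (sup, conf))
    probe = [(92, 28.0, 7), (710, 5.2, 8), (980, 0.2, 58)]  # constructed unseen flows
    print([predict_type(p, model, rules) for p in probe], botnet_present(probe, model, rules))
```

Two points the code makes concrete: clustering each feature separately yields a per-feature boundary rather than a single multi-dimensional one, so a flow that is ambiguous on one feature can still be resolved by the rule stage; and the confidence filter is what discards single-feature rules such as "few packets per flow -> irc_bot", which the constructed data makes ambiguous between the two bot types.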
