
Computer Engineering, 2010, Vol. 36, Issue 14: 111-113. doi: 10.3969/j.issn.1000-3428.2010.14.040

• Security Technology •

Fake-honeypot Detection Method for Semi-distributed Peer-to-Peer Botnet

XIE Jing1, TAN Liang1,2

  1. (1. College of Computer, Sichuan Normal University, Chengdu 610068; 2. Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100080)
  • Online: 2010-07-20 Published: 2010-07-20
  • About the authors: XIE Jing (born 1984), female, M.S., main research interest: information security; TAN Liang, postdoctoral researcher
  • Funding:

    Applied Basic Research Fund of the Sichuan Provincial Department of Science and Technology (2008JY0105-2); Natural Science Fund of the Sichuan Provincial Department of Education (07ZA091); Special Fund of the Key Laboratory of Computer Software, Sichuan Provincial Department of Education (2006ZD022)


Abstract:

In the contest between attack and defense, the semi-distributed P2P botnet has become the dominant form of botnet as P2P applications have spread. This paper describes the construction principle and growth model of the semi-distributed P2P botnets that attackers build, and proposes a "fake honeypot" detection model that combines honeypot and traffic analysis techniques: when a host shows network anomalies, its known programs and services are shut down so that the host approaches the profile of a honeypot, and traffic analysis is then applied to what remains. Experimental results show that the method can effectively improve the detection rate of semi-distributed P2P botnets.

Key words: semi-distributed P2P botnet, fake honeypot, traffic analysis, model analysis
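The abstract describes three stages (an anomaly trigger, shutting down known programs and services so the host looks like a honeypot, and traffic analysis of the residual flows). As an added illustration, not code from the paper or its authors, the following Python sketch simulates that pipeline over constructed flow records. The peer-count trigger, the allow-list of known programs, the fan-out and byte-size thresholds, and the sample addresses are all assumptions chosen for the demonstration; the paper's actual models and thresholds are not on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound network flow observed on the monitored host (constructed record)."""
    process: str    # local program that owns the socket
    dst_ip: str
    dst_port: int
    bytes_out: int
    bytes_in: int


# Programs and services the host is known to run. In fake-honeypot mode these are
# shut down, so their flows disappear; here that is simulated by filtering them
# out (hypothetical allow-list, an assumption of this example).
KNOWN_PROGRAMS = {"browser", "mail", "updater"}


def network_anomaly(flows, baseline_peers=10):
    """Trigger stage: the number of distinct remote endpoints exceeds the host's
    usual baseline (a simple stand-in for the abstract's 'network anomaly')."""
    peers = {(f.dst_ip, f.dst_port) for f in flows}
    return len(peers) > baseline_peers


def fake_honeypot_filter(flows):
    """Simulate closing known programs and services: only flows that no known
    program accounts for survive, as they would on a honeypot with no real users."""
    return [f for f in flows if f.process not in KNOWN_PROGRAMS]


def flow_analysis(residual, min_peers=5, max_avg_bytes=600):
    """Analyse what is left. A near-idle host that still fans out to many distinct
    peers with small exchanges looks like P2P peer-list maintenance rather than
    user-driven traffic (the thresholds are assumptions)."""
    if not residual:
        return {"suspicious": False, "peers": 0, "avg_bytes": 0.0}
    peers = {f.dst_ip for f in residual}
    avg_bytes = sum(f.bytes_out + f.bytes_in for f in residual) / len(residual)
    suspicious = len(peers) >= min_peers and avg_bytes <= max_avg_bytes
    return {"suspicious": suspicious, "peers": len(peers), "avg_bytes": avg_bytes}


def detect(flows):
    """Full pipeline: anomaly trigger -> fake-honeypot filtering -> flow analysis."""
    if not network_anomaly(flows):
        return {"suspicious": False, "peers": 0, "avg_bytes": 0.0, "stage": "no-anomaly"}
    result = flow_analysis(fake_honeypot_filter(flows))
    result["stage"] = "fake-honeypot"
    return result


# Constructed sample traffic using documentation address ranges; nothing real.
CLEAN_FLOWS = [
    Flow("browser", "192.0.2.10", 443, 4200, 51000),
    Flow("browser", "192.0.2.11", 443, 3100, 27000),
    Flow("browser", "192.0.2.12", 80, 900, 12000),
    Flow("mail", "192.0.2.20", 993, 2000, 8000),
]

# The same legitimate traffic plus an unknown process fanning out to eight peers
# with small, symmetric exchanges (constructed to mimic peer maintenance).
BOT_FLOWS = CLEAN_FLOWS + [
    Flow("unknown_proc", f"198.51.100.{i}", 36002, 220, 240) for i in range(1, 9)
]

if __name__ == "__main__":
    print("clean host:", detect(CLEAN_FLOWS))
    print("infected host:", detect(BOT_FLOWS))
```

The point of the filtering stage is that once known programs are silenced, the legitimate traffic that normally masks bot communication is gone, so even a coarse flow heuristic has a much cleaner signal to work with; in a real deployment the anomaly trigger and thresholds would come from the host's measured baseline rather than fixed constants.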


CLC number: