
Computer Engineering

• Security Technology

Botnet Detection Based on Correlation Relation and MapReduce

SHAO Xiu-li 1, JIANG Hong-ling 1, GENG Mei-jie 1, LI Yao-fang 2

  1. College of Information Technical Science, Nankai University, Tianjin 300071, China; 2. College of Computer and Information, Tianjin Chengjian University, Tianjin 300384, China
  • Received: 2013-04-02  Online: 2014-05-15  Published: 2014-05-14
  • About the authors: SHAO Xiu-li (born 1963), female, professor and doctoral supervisor; research interests: network security, cloud computing, software engineering. JIANG Hong-ling, PhD candidate. GENG Mei-jie, master's student. LI Yao-fang, lecturer.
  • Funding:
    National Key Technology Research and Development Program of China (2012BAF12B00); Tianjin Municipal Key Fund Projects (11JCZDJC28100, 12ZCDZGX46700).


Abstract: Existing botnet detection methods are computationally expensive, which leads to low detection efficiency, while the powerful data processing and analysis capacity of cloud computing offers a new approach and solution for botnet detection. This paper therefore designs and implements a parallel botnet detection algorithm based on the MapReduce model, which detects botnets through cloud collaboration and the correlation relations between flows. It extracts the correlation relations between flows, gathers correlated flows into the same set, and computes a score for each host; a host whose score exceeds a threshold is judged to be a suspicious bot. Experimental results show that the algorithm achieves a detection rate above 90% for P2P botnets with a false alarm rate below 4%, and that as the number of computing nodes on the cloud server side increases, it processes the data uploaded by cloud clients and detects botnets more efficiently.
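The abstract gives the shape of the pipeline (map flows into correlation sets, reduce each set, score hosts, threshold) but not the definition of the correlation relation or the scoring formula. The following Python sketch is an added illustration, not the paper's code: it models a correlation relation as agreement on an assumed key of protocol, destination port and bucketed average packet size, scores a host by the fraction of its flows that land in sets shared by at least three source hosts, and runs the map/shuffle/reduce steps in-process over constructed sample flows. The constants MIN_SHARED_HOSTS, SCORE_THRESHOLD and SIZE_BUCKET, the key definition and the sample records are all assumptions of this example.

```python
"""Toy MapReduce-style host scorer in the shape the abstract describes.

Added illustration, not the paper's code. Assumptions the abstract does not
specify: two flows are "correlated" when they agree on a correlation key
(protocol, destination port, bucketed average packet size), and a host's score
is the fraction of its flows that fall into correlation sets shared by at
least MIN_SHARED_HOSTS distinct source hosts.
"""
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# (src_host, dst_host, proto, dst_port, bytes, packets)
Flow = Tuple[str, str, str, int, int, int]
CorrKey = Tuple[str, int, int]

MIN_SHARED_HOSTS = 3   # a set is "shared" when this many hosts contribute flows
SCORE_THRESHOLD = 0.6  # hosts scoring above this are reported as suspicious
SIZE_BUCKET = 64       # width of the average-packet-size bucket, in bytes

# Constructed sample records (not real traffic): three peers exchanging small,
# uniform UDP messages on one port, plus three hosts with ordinary traffic.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.11", "10.0.0.12", "udp", 6881, 640, 8),
    ("10.0.0.12", "10.0.0.13", "udp", 6881, 720, 9),
    ("10.0.0.13", "10.0.0.11", "udp", 6881, 560, 7),
    ("10.0.0.11", "10.0.0.13", "udp", 6881, 800, 10),
    ("10.0.0.12", "10.0.0.11", "udp", 6881, 480, 6),
    ("10.0.0.21", "93.184.216.34", "tcp", 443, 52000, 60),
    ("10.0.0.21", "10.0.0.53", "udp", 53, 120, 2),
    ("10.0.0.22", "151.101.1.69", "tcp", 443, 910000, 700),
    ("10.0.0.22", "10.0.0.53", "udp", 53, 120, 2),
    ("10.0.0.23", "10.0.0.12", "tcp", 22, 8000, 40),
    ("10.0.0.23", "10.0.0.53", "udp", 53, 120, 2),
]


def correlation_key(flow: Flow) -> CorrKey:
    """Assumed correlation relation: same protocol, port and size bucket."""
    _src, _dst, proto, dport, nbytes, npkts = flow
    return (proto, dport, (nbytes // max(npkts, 1)) // SIZE_BUCKET)


def map_phase(flows: Iterable[Flow]) -> Iterator[Tuple[CorrKey, Flow]]:
    """Map: each flow is emitted under its correlation key."""
    for flow in flows:
        yield correlation_key(flow), flow


def shuffle(pairs: Iterable[Tuple[CorrKey, Flow]]) -> Dict[CorrKey, List[Flow]]:
    """Shuffle: group mapper output by key (what Hadoop does between phases)."""
    groups: Dict[CorrKey, List[Flow]] = defaultdict(list)
    for key, flow in pairs:
        groups[key].append(flow)
    return groups


def reduce_phase(key: CorrKey, flows: List[Flow]) -> Tuple[CorrKey, bool, List[Flow]]:
    """Reduce: a correlation set is 'shared' when enough distinct hosts are in it."""
    hosts = {f[0] for f in flows}
    return key, len(hosts) >= MIN_SHARED_HOSTS, flows


def score_hosts(flows: Iterable[Flow]) -> Dict[str, float]:
    """Score = fraction of a host's flows that land in shared correlation sets."""
    total: Dict[str, int] = defaultdict(int)
    shared: Dict[str, int] = defaultdict(int)
    for key, group in shuffle(map_phase(flows)).items():
        _key, is_shared, members = reduce_phase(key, group)
        for f in members:
            total[f[0]] += 1
            if is_shared:
                shared[f[0]] += 1
    return {host: shared[host] / total[host] for host in total}


def suspicious_hosts(flows: Iterable[Flow], threshold: float = SCORE_THRESHOLD) -> List[str]:
    """Hosts whose score exceeds the threshold: the abstract's decision rule."""
    return sorted(h for h, s in score_hosts(flows).items() if s > threshold)


if __name__ == "__main__":
    for host, score in sorted(score_hosts(SAMPLE_FLOWS).items()):
        print(f"{host:12s} score={score:.2f}")
    print("suspicious:", suspicious_hosts(SAMPLE_FLOWS))
```

The three peers end up with score 1.0 and are reported; the benign hosts also share one set (the DNS flows to 10.0.0.53) and score 0.5, which is why the threshold sits above it. That is the failure mode a real deployment has to handle: common infrastructure such as DNS, NTP or a shared web proxy produces correlation sets spanning many hosts, so the threshold, the key definition, or a list of known services has to be tuned on real traffic, which is where the paper's reported 4% false alarm rate is earned.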

Key words: botnet, cloud computing, correlation relation, MapReduce model, Hadoop cloud platform


CLC number: