基于统计特征的隐匿P2P主机实时检测系统

doi:10.11772/j.issn.1001-9081.2015.07.1892

计算机应用 ›› 2015, Vol. 35 ›› Issue (7): 1892-1896.DOI: 10.11772/j.issn.1001-9081.2015.07.1892

基于统计特征的隐匿P2P主机实时检测系统

田朔玮, 杨岳湘, 何杰, 王晓磊, 江志雄

国防科学技术大学计算机学院, 长沙 410073

收稿日期:2015-02-04 修回日期:2015-03-27 出版日期:2015-07-10 发布日期:2015-07-17
通讯作者: 田朔玮(1984-),男,内蒙古呼和浩特人,硕士研究生,主要研究方向:计算机网络与安全,tsw777@sohu.com
作者简介:杨岳湘(1965-),男,湖南岳阳人,研究员,博士,主要研究方向:计算机网络与安全、数据挖掘、信息检索; 何杰(1984-),男,四川甘洛人,博士研究生,主要研究方向:计算机网络与安全; 王晓磊(1990-),男,河南许昌人,硕士研究生,主要研究方向:计算机网络与安全; 江志雄(1985-),男,云南昆明人,硕士研究生,主要研究方向:计算机网络安全。
基金资助:
国家自然科学基金资助项目(61170286)。

Real-time detection system for stealthy P2P hosts based on statistical features

TIAN Shuowei, YANG Yuexiang, HE Jie, WANG Xiaolei, JIANG Zhixiong

College of Computer, National University of Defense Technology, Changsha Hunan 410073, China

Received:2015-02-04 Revised:2015-03-27 Online:2015-07-10 Published:2015-07-17

摘要/Abstract

摘要：

针对当前隐匿恶意程序多转为使用分布式架构来应对检测和反制的问题,为快速精确地检测出处于隐匿阶段的对等网络(P2P)僵尸主机,最大限度地降低其危害,提出了一种基于统计特征的隐匿P2P主机实时检测系统。首先,基于3个P2P主机统计特征采用机器学习方法检测出监控网络内的所有P2P主机;然后,再基于两个P2P僵尸主机统计特征,进一步检测出P2P僵尸主机。实验结果证明,所提系统能在5 min内检测出监控网内所有隐匿的P2P僵尸主机,准确率高达到99.7%,而误报率仅为0.3%。相比现有检测方法,所提系统检测所需统计特征少,且时间窗口较小,具备实时检测的能力。

关键词: 对等网络, 僵尸网络, 统计特征, 机器学习, 检测系统

Abstract:

Since most malwares are designed using decentralized architecture to resist detection and countering, in order to fast and accurately detect Peer-to-Peer (P2P) bots at the stealthy stage and minimize their destructiveness, a real-time detection system for stealthy P2P bots based on statistical features was proposed. Firstly, all the P2P hosts inside a monitored network were detected using means of machine learning algorithm based on three P2P statistical features. Secondly, P2P bots were discriminated based on two P2P bots statistical features. The experimental results show that the proposed system is able to detect stealthy P2P bots with an accuracy of 99.7% and a false alarm rate below 0.3% within 5 minutes. Compared to the existing detection methods, this system requires less statistical characteristics and smaller time window, and has the ability of real-time detection.

Key words: Peer-to-Peer (P2P), botnet, statistical feature, machine learning, detection system

中图分类号:

TP393.06

田朔玮, 杨岳湘, 何杰, 王晓磊, 江志雄. 基于统计特征的隐匿P2P主机实时检测系统[J]. 计算机应用, 2015, 35(7): 1892-1896.

TIAN Shuowei, YANG Yuexiang, HE Jie, WANG Xiaolei, JIANG Zhixiong. Real-time detection system for stealthy P2P hosts based on statistical features[J]. Journal of Computer Applications, 2015, 35(7): 1892-1896.

参考文献

[1] LIU L, CHEN S, YAN G, et al. Bot Tracer: execution-based bot-like malware detection [M]// ISC'08: Proceedings of the 11th International Conference on Information Security, LNCS 5222. Berlin: Springer, 2008: 97-113.
[2] SZYMCZYK M. Detecting botnets in computer networks using multi-Agent technology [C]// DepCos-RELCOMEX'09: Proceedings of the Fourth International Conference on Dependability of Computer Systems. Piscataway: IEEE, 2009: 192-201.
[3] STINSON E, MITCHELL J C. Characterizing bots' remote control behavior [C]// DIMVA'07: Proceedings of the 4th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Berlin: Springer, 2007: 89-108.
[4] XU K, YAO D, MA Q, et al. Detecting infection onset with behavior-based policies [C]// NSS 2011: Proceedings of the 5th International Conference on Network and System Security. Piscataway: IEEE, 2011: 57-64.
[5] GU G, PORRAS P, YEGNESWARAN V, et al. BotHunter: detecting malware infection through IDS-driven dialog correlation [C]// SS'07: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium. Berkeley: Usenix Security. 2007: 1-16.
[6] SINGH K, GUNTUKU S C, THAKUR A, et al. Big data analytics framework for peer-to-peer botnet detection using random forests [J]. Information Sciences, 2014, 278: 488-497.
[7] JIANG H, SHAO X. Detecting P2P botnets by discovering flow dependency in C&C traffic [J]. Peer-to-Peer Networking and Applications, 2014, 7(4): 320-331.
[8] SILVA S S C, SILVA R M P, PINTO R C G, et al. Botnets: a survey [J]. Computer Networks, 2013, 57(2): 378-403.
[9] YU X, DONG X, YU G, et al. Online botnet detection based on incremental discrete Fourier transform [J]. Journal of Networks, 2010, 5(5): 568-576.
[10] ZHANG J, PERDISCI R, LEE W, et al. Building a scalable system for stealthy P2P-botnet detection [J]. IEEE Transactions on Information Forensics and Security, 2014, 9(1): 27-38.
[11] EN T F, REITER M K. Are your hosts trading or plotting? Telling P2P file-sharing and bots apart [C]// ICDCS 2010: Proceedings of the 2010 IEEE 30th International Conference on Distributed Computing Systems. Piscataway: IEEE, 2010: 241-252.
[12] RAHBARINIA B, PERDISCI R, LANZI A, et al. PeerRush: mining for unwanted P2P traffic [J]. Journal of Information Security and Applications, 2014, 19(3): 194-208.
[13] ZHAO D, TRAORE I, GHORBANI A, et al. Peer to peer botnet detection based on flow intervals [C]// SEC 2012: Proceedings of the 27th IFIP TC 11 Information Security and Privacy Conference on Information Security and Privacy Research. Berlin: Springer, 2012: 87-102.
[14] FINSTERBUSCH M, RICHTER C, ROCHA E, et al. A survey of payload-based traffic classification approaches [J]. IEEE Communications Surveys & Tutorials, 2014, 16(2): 1135-1156.
[15] LIU C, YANG Y, TANG C. A classification method of unstructured P2P multicast video streaming based on SVM [C]// MINES'09: Proceedings of the 2009 International Conference on Multimedia Information Networking and Security. Piscataway: IEEE, 2009: 68-72.
[16] HE J, YANG Y, QIAO Y, et al. Accurate classification of P2P traffic by clustering flows [J]. China Communications, 2013, 10(11): 42-51.
[17] HALL M, FRANK E, HOLMES G, et al. The WEKA data mining software: an update [J]. ACM SIGKDD Explorations Newsletter, 2009, 11(1): 10-18.
[18] KOHAVI R. A study of cross-validation and bootstrap for accuracy estimation and model selection [C]// IJCAI'95: Proceedings of the 14th International Joint Conference on Artificial Intelligence. San Francisco: Morgan Kaufmann Publishers, 1995: 1137-1145.

基于统计特征的隐匿P2P主机实时检测系统

Real-time detection system for stealthy P2P hosts based on statistical features

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	毛铭泽, 曹芮浩, 闫春钢. 基于权值多样性的半监督分类算法[J]. 计算机应用, 2021, 41(9): 2473-2480.
[2]	郭棉, 张锦友. 移动边缘计算环境中面向机器学习的计算迁移策略[J]. 计算机应用, 2021, 41(9): 2639-2645.
[3]	秦斌斌, 彭良康, 卢向明, 钱江波. 司机分心驾驶检测研究进展[J]. 计算机应用, 2021, 41(8): 2330-2337.
[4]	秦静, 左长青, 汪祖民, 季长清, 王宝凤. 基于堆叠分类器的心电异常监测模型设计[J]. 计算机应用, 2021, 41(3): 887-890.
[5]	姜倩玉, 王凤英, 贾立鹏. 基于感知哈希算法和特征融合的恶意代码检测方法[J]. 计算机应用, 2021, 41(3): 780-785.
[6]	孟祥瑞, 杨文忠, 王婷. 基于图文融合的情感分析研究综述[J]. 计算机应用, 2021, 41(2): 307-317.
[7]	楼豪杰, 郑元林, 廖开阳, 雷浩, 李佳. 基于Siamese-YOLOv4的印刷品缺陷目标检测[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3206-3212.
[8]	刘晓龙, 王士同. 渐进式分离的开放集模糊域自适应算法[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3127-3131.
[9]	朱玉娜, 张玉涛, 闫少阁, 范钰丹, 陈韩托. 基于半监督子空间聚类的协议识别方法[J]. 计算机应用, 2021, 41(10): 2900-2904.
[10]	王雅辉, 钱宇华, 刘郭庆. 基于模糊优势互补互信息的有序决策树算法[J]. 计算机应用, 2021, 41(10): 2785-2792.
[11]	蒋阳升, 王胜男, 涂家祺, 李莎, 王红军. 面向高铁站的热舒适度和能耗综合预测[J]. 计算机应用, 2021, 41(1): 249-257.
[12]	朱琳, 于海涛, 雷新宇, 刘静, 王若凡. 基于MRI图像的阿尔茨海默症患者脑网络特征识别算法[J]. 计算机应用, 2020, 40(8): 2455-2459.
[13]	梁登高, 周安民, 郑荣锋, 刘亮, 丁建伟. 基于大小突发块划分的微信支付行为识别模型[J]. 计算机应用, 2020, 40(7): 1970-1976.
[14]	程小辉, 牛童, 汪彦君. 基于序列模型的无线传感网入侵检测系统[J]. 计算机应用, 2020, 40(6): 1680-1684.
[15]	徐周波, 杨健, 刘华东, 黄文文. 基于XGBoost与拓扑结构信息的蛋白质复合物识别算法[J]. 计算机应用, 2020, 40(5): 1510-1514.