Topic: Research on Botnets

Abstract

A botnet is a network of computers infected with bot programs that can communicate with one another and be controlled; it is a new form of network attack that poses a serious threat to network security and also gives cyber warfare a new means of attack. This thesis introduces the concept and evolution of botnets, analyses their functional structure and working mechanism in depth, discusses botnet propagation models, presents and discusses botnet detection and countermeasure methods, and gives an outlook on the development trends of botnets and their military applications.

Current bot detection relies mainly on two techniques: behaviour-feature-based detection and traffic-feature-based detection. Behaviour-feature-based detection can identify bot activity fairly precisely but has limited capacity to process data, whereas traffic-feature-based detection can handle large data volumes but suffers from a high false-positive rate. A network-based bot detection method can combine the advantages of both techniques and effectively detect bots operating within large volumes of background traffic.

Because bot program code is currently designed in a structured way, the behaviour and messages of bot hosts within the same botnet show strong correlation and similarity in both time and space. The flow characteristics of bot programs are analysed and, based on experimental results, a lightweight payload-based protocol matching algorithm is designed. A sequential hypothesis testing algorithm is then used to make a dynamic decision on the network activity of bot programs.

Keywords: bot program, network behaviour, network security, botnet malicious code, cyber warfare.

Abstract (English)

A botnet is a network of computers infected by bot programs that can communicate with one another and be controlled; it is a new form of network attack that poses a serious threat to network security and also provides cyber warfare with a new offensive means. This paper introduces the concept and evolution of botnets, explores the functional structure and working mechanism of botnets, discusses the botnet propagation model and botnet detection and countermeasure methods, and discusses the development trend of botnets and their military applications. At present, bot detection mainly consists of behaviour-feature-based detection technology and traffic-feature-based detection technology. Behaviour-feature-based detection can detect bot activity more precisely but has limited ability to deal with data; traffic-feature-based detection is able to deal with a large amount of data but has a large false-positive rate. A network-based bot detection method can better combine the advantages of the two kinds of detection technology and detect bot activity in large background traffic. Because the design of current bot program code has structured characteristics, the behaviour and messages of bots within the same botnet, in time and space
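One way to realise the sequential hypothesis testing step described in the abstract, as an added example that is not part of the thesis: Wald's sequential probability ratio test (SPRT) is applied per source host to a stream of per-flow "matched the bot protocol" bits. The per-flow match bit is assumed to come from an upstream payload matcher; the host addresses, the sample flows and the probabilities p_bot / p_benign are constructed assumptions.

```python
"""Wald's SPRT over per-flow protocol-match results, deciding per host
whether the observed traffic is bot-like. The match bit per flow is
assumed to come from an upstream payload matcher; the flows below are
a constructed sample, not data from the thesis."""
import math
from collections import defaultdict

def sprt_thresholds(alpha, beta):
    """Wald's approximate decision bounds in log-likelihood-ratio space.
    alpha = tolerated false-positive rate, beta = tolerated miss rate."""
    return math.log(beta / (1 - alpha)), math.log((1 - beta) / alpha)

def sprt_classify(matches, p_bot, p_benign, alpha=0.01, beta=0.01):
    """Walk one host's sequence of match bits and stop as soon as the
    accumulated evidence crosses a bound (early decision is the point).
    p_bot / p_benign: assumed probability that a flow matches the bot
    protocol signature for an infected / a clean host.
    Returns (verdict, flows_consumed, final_llr)."""
    lower, upper = sprt_thresholds(alpha, beta)
    hit = math.log(p_bot / p_benign)                # evidence per match
    miss = math.log((1 - p_bot) / (1 - p_benign))   # evidence per non-match
    llr, n = 0.0, 0
    for n, matched in enumerate(matches, 1):
        llr += hit if matched else miss
        if llr >= upper:
            return "bot", n, llr
        if llr <= lower:
            return "benign", n, llr
    return "undecided", n, llr   # not enough evidence yet

def classify_hosts(flows, p_bot=0.8, p_benign=0.1):
    """Group a time-ordered flow stream by source host and run the SPRT
    independently for each host."""
    per_host = defaultdict(list)
    for src, matched in flows:
        per_host[src].append(matched)
    return {src: sprt_classify(m, p_bot, p_benign) for src, m in per_host.items()}

# Constructed sample: (source host, did the flow match the bot protocol?)
SAMPLE_FLOWS = [
    ("10.0.0.5", 1), ("10.0.0.9", 0), ("10.0.0.5", 1), ("10.0.0.9", 0),
    ("10.0.0.5", 0), ("10.0.0.9", 0), ("10.0.0.5", 1), ("10.0.0.9", 1),
    ("10.0.0.5", 1), ("10.0.0.9", 0), ("10.0.0.9", 0), ("10.0.0.7", 1),
]

if __name__ == "__main__":
    for host, (verdict, n, llr) in classify_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {verdict} after {n} flows (LLR={llr:.2f})")
```

With the sample parameters a host is flagged after four flows of which three matched, cleared after six flows of which one matched, and left undecided when only a single flow has been seen.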