Computer Science ›› 2016, Vol. 43 ›› Issue (7): 141-146. doi: 10.11896/j.issn.1002-137X.2016.07.025

• Information Security •

P2P Botnet Detection Based on Permutation Entropy and Multi-sensor Data Fusion on Decision Level

SONG Yuan-zhang (宋元章)

  1. Changchun Institute of Optics, Fine Mechanics and Physics, Chinese Academy of Sciences, Changchun 130033
  • Online: 2018-12-01  Published: 2018-12-01
  • Funding:
    This work was supported by the National 863 High Technology Research and Development Program of China.

Abstract (translated from the Chinese): A P2P botnet detection algorithm based on permutation entropy and decision-level multi-sensor data fusion is proposed. First, a traffic anomaly detection sensor and an anomaly-cause discrimination sensor are built separately: the former uses permutation entropy to characterise the complexity of network traffic (a feature that does not depend on any particular type of P2P botnet) and applies a Kalman filter to detect whether that feature becomes anomalous; the latter uses TCP flow features to reduce, to a certain extent, the detection error that P2P applications and other network applications introduce into P2P botnet detection. Finally, D-S evidence theory is used to fuse the detection results of the two sensors at the decision level and obtain the final result. Experiments show that the proposed method can effectively detect new P2P botnets.

Abstract: Aiming at the problems of existing P2P botnet detection methods, a novel P2P botnet detection algorithm based on permutation entropy and multi-sensor data fusion on the decision level is proposed. First, it builds the abnormality detection sensor and the abnormality-cause distinguishing sensor. The former sensor uses permutation entropy to accurately describe the complexity characteristics of network traffic, which do not vary with the structure of the P2P network, the P2P protocol or the attack, and a Kalman filter is used to detect abnormalities in these complexity characteristics. Considering that the traffic of Web applications is likely to affect the detection result, the latter sensor utilizes the features of TCP flows to address this problem. Finally, the final result is obtained by fusing the results of the two sensors with D-S evidence theory. The experiments show that the proposed algorithm is able to detect P2P botnets with high accuracy.

Key words: P2P botnet, Permutation entropy, Multi-sensor data fusion, Kalman filter
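As an added illustration (not code from the paper), the following Python sketches two of the building blocks the abstract describes: the permutation-entropy feature computed over a per-interval packet-count series, and Dempster's rule of combination for fusing two sensor verdicts at the decision level. The Kalman-filter anomaly test and the TCP-flow sensor are not implemented here; the packet-count series and the sensor mass assignments are constructed values, and the embedding parameters m=3, tau=1 are assumptions.

```python
from collections import Counter
from math import log, factorial

# Frame of discernment for the fusion step: a host is a P2P bot or it is normal.
BOT = frozenset({"bot"})
NORMAL = frozenset({"normal"})
THETA = BOT | NORMAL  # the whole frame, i.e. "cannot tell"

def permutation_entropy(series, m=3, tau=1, normalize=True):
    """Bandt-Pompe permutation entropy: each window of m samples spaced tau
    apart is mapped to the ranking of its values (ordinal pattern); H is the
    Shannon entropy of the pattern distribution, scaled by ln(m!) if asked."""
    n = len(series) - (m - 1) * tau
    if n <= 0:
        raise ValueError("series too short for the chosen m and tau")
    counts = Counter()
    for i in range(n):
        window = [series[i + j * tau] for j in range(m)]
        # sorted() is stable, so tied values are ordered by position
        counts[tuple(sorted(range(m), key=window.__getitem__))] += 1
    h = -sum(c / n * log(c / n) for c in counts.values())
    return h / log(factorial(m)) if normalize else h

def dempster_combine(m1, m2):
    """Dempster's rule: combine two basic probability assignments (dicts from
    frozenset focal elements to mass) and renormalise by the conflict K."""
    combined, conflict = Counter(), 0.0
    for a, pa in m1.items():
        for b, pb in m2.items():
            if a & b:
                combined[a & b] += pa * pb
            else:
                conflict += pa * pb  # mass on disjoint hypotheses
    if conflict >= 1.0:
        raise ValueError("totally conflicting evidence cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in combined.items()}

def belief(mass, hypothesis):
    """Bel(A): the total mass committed to subsets of A."""
    return sum(v for k, v in mass.items() if k <= hypothesis)

# Constructed per-second packet counts (not captures from the paper): periodic
# C&C-style polling yields few ordinal patterns, irregular user traffic many.
BOT_SERIES = [5, 9, 2] * 10 + [5, 9]
NORMAL_SERIES = [3, 7, 1, 8, 4, 9, 2, 6, 5, 10, 0, 7, 3, 9, 1, 5, 8, 2, 6, 4]

# Constructed sensor verdicts: the entropy sensor leans "bot", the TCP-flow
# sensor leans "normal"; the remainder of each is left on THETA (undecided).
ENTROPY_SENSOR = {BOT: 0.6, THETA: 0.4}
TCP_SENSOR = {NORMAL: 0.5, THETA: 0.5}
```

With these inputs the periodic series scores about 0.61 and the irregular one about 0.85 (normalised entropy), and fusing the two verdicts leaves Bel(bot) at 0.3/0.7, roughly 0.43, because the conflicting 0.3 of mass is discarded and the rest renormalised.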

