Research on Key Technologies of Botnet Detection
Abstract
The rapid spread of botnets poses a serious threat to the Internet, and botnet detection has become a hot research topic in network security in recent years. Botnet detection proceeds in three steps: first, obtain information that may be related to botnet activity; second, based on the essential features that botnets exhibit in this information, apply various analysis techniques to identify and confirm the existence of a botnet; finally, determine the locations of the attackers, the command and control servers, and the zombies. Although researchers at home and abroad have produced considerable results, botnet detection still has pressing problems in information acquisition and fusion, essential feature extraction, diagnosis of communication and behavior, correlation analysis of detection results, and system architecture.

Addressing the typical problems and common requirements of botnet detection, we study the current state of the key technologies and their deployment in depth. We then propose a hierarchical collaborative model and a botnet collaborative detection system based on this model. In particular, we focus on the models and methods involved in botnet threat awareness and feature analysis, and we design and implement a prototype system on this basis. The major contributions of this thesis are as follows:

1. Based on an analysis of the shortcomings of existing botnet detection architectures and the advantages of collaborative work, a hierarchical collaborative (HCO) model is proposed. The HCO model is designed in detail at four levels: model framework, data structure, modeling process, and collaborative mechanism. Based on the HCO model, a botnet collaborative detection system (Bot_CODS) is presented and designed in detail from four aspects: architecture, physical structure, logical structure, and working principle. The HCO model follows the basic idea of botnet detection, combines it sensibly with the idea of collaboration, and fully exploits the ability of detection to cooperate at three different levels: information, feature, and decision-making. Bot_CODS, being based on the HCO model, has good scalability and interoperability. Its detection components can be deployed flexibly on heterogeneous networks and adapt to various application environments, and its internal components, other detection systems, and other security products can interoperate safely and efficiently. In addition, because of the close collaborative relationship provided by the HCO model, Bot_CODS can respond quickly to widely distributed botnet activity. Bot_CODS therefore effectively meets the requirements of botnet detection.
2. Based on the main characteristics of botnet activity, a distributed botnet detection method based on collaboration is proposed. First, botnet activity has multiple phases, takes varied forms, and covers a wide range. To address these characteristics, a role-based politic collaborative threat awareness model (RPCTAM) is presented. Building on existing research in computer supported cooperative work (CSCW), this model introduces the definition of policy and defines the basic sets, basic relationships, and corresponding rules. The scope of collaborative interaction is divided by decomposing roles, policies, and tasks, and the work group is used as the unit that ensures interaction and communication among intra-group and inter-group members. In this way, collaborative efficiency is improved and the collaborative process is accelerated. Second, botnet activity interferes with the diagnosis performed by security tools. To address this characteristic, a malicious sensor determination method based on trust measurement is proposed. By computing the trust values of the nodes on which threat awareness sensors (TASs) are deployed in Bot_CODS, this method determines whether the TAS on a node has been captured by a botnet, so that the harmful information sent by malicious TASs can be filtered out and the dependability of the whole system improved. Finally, with the efficient and trusted collaborative work of the TASs in Bot_CODS ensured, a collaborative botnet detection method against DDoS attacks is proposed, aimed at the subtle DDoS attacks launched by botnets. The key ideas of the method are as follows. 1) During a DDoS attack, malicious packets join the normal traffic and change the values of some traffic attributes. These changing traffic attributes are merged into a single indicator, the traffic status snapshot (TSS). 2) The integrated deviation rates (IDRs) of the TSSes over different time intervals are computed in order to identify suspicious attack sources (malicious IP addresses). 3) Because botnet attack behavior is synchronized, these malicious IP addresses are compared by exchanging information, and the zombies present among the suspicious attack sources can then be confirmed. This collaborative detection method reduces the false negatives caused by traditional methods, saves computing resources and storage space, and achieves fast and accurate detection of subtle botnet-launched DDoS attacks and of zombies.
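The TSS/IDR procedure in contribution 2, as an added illustration that is not code from the thesis. The attribute set, the IDR formula, the thresholds, and the cross-sensor confirmation rule are assumptions chosen for this sketch (the abstract does not define them), and the flow records are constructed sample data.

```python
"""Illustrative TSS/IDR detection with cross-sensor confirmation (added example)."""
from collections import defaultdict


def snapshot(packets, byte_count, syn_packets):
    """Assumed TSS for one source in one interval:
    (packet count, mean packet size, fraction of SYN packets)."""
    if packets == 0:
        return (0.0, 0.0, 0.0)
    return (float(packets), byte_count / packets, syn_packets / packets)


def idr(current, baseline, eps=1e-9):
    """Assumed IDR: mean relative deviation of each TSS attribute from its baseline."""
    devs = [abs(c - b) / max(abs(b), eps) for c, b in zip(current, baseline)]
    return sum(devs) / len(devs)


def suspicious_sources(flows, warmup=3, threshold=1.0):
    """flows: (interval, src_ip, packets, bytes, syn_packets) records from ONE sensor,
    one record per source per interval. Returns {interval: {src_ip: idr}}.
    Sources with fewer than `warmup` baseline intervals are never flagged,
    a known blind spot of per-source baselines."""
    history = defaultdict(list)          # src_ip -> TSS vectors of normal intervals
    flagged = defaultdict(dict)
    for interval, src, pkts, nbytes, syn in sorted(flows):
        cur = snapshot(pkts, nbytes, syn)
        past = history[src]
        if len(past) >= warmup:
            base = tuple(sum(col) / len(past) for col in zip(*past))
            score = idr(cur, base)
            if score > threshold:
                flagged[interval][src] = round(score, 3)
                continue                 # keep deviating intervals out of the baseline
        past.append(cur)
    return dict(flagged)


def confirm_zombies(reports, min_sensors=2):
    """reports: {sensor_id: {interval: {src_ip: idr}}}.
    Assumed synchrony rule: suspicious sources are confirmed only when at least
    `min_sensors` sensors report suspicious sources in the same interval."""
    by_interval = defaultdict(lambda: defaultdict(set))
    for sensor, flagged in reports.items():
        for interval, sources in flagged.items():
            by_interval[interval][sensor].update(sources)
    confirmed = set()
    for per_sensor in by_interval.values():
        if len(per_sensor) >= min_sensors:
            for ips in per_sensor.values():
                confirmed |= ips
    return confirmed


def _steady(src, intervals, pkts, nbytes, syn):
    return [(t, src, pkts, nbytes, syn) for t in intervals]


# Constructed sample traffic (documentation address ranges), intervals 0..6.
SENSOR_A = (
    _steady("192.0.2.10", [0, 1, 2, 3, 5, 6], 100, 80000, 5)
    + [(4, "192.0.2.10", 180, 21600, 150)]        # small SYN-heavy packets
    + _steady("192.0.2.20", range(7), 50, 50000, 2)
)
SENSOR_B = (
    _steady("198.51.100.7", [0, 1, 2, 3, 5, 6], 200, 200000, 8)
    + [(4, "198.51.100.7", 320, 32000, 300)]      # same interval as sensor A's source
    + _steady("198.51.100.9", range(6), 40, 20000, 2)
    + [(6, "198.51.100.9", 400, 560000, 2)]       # lone bulk transfer, not synchronized
)


def run_demo():
    reports = {
        "A": suspicious_sources(SENSOR_A),
        "B": suspicious_sources(SENSOR_B),
    }
    return reports, confirm_zombies(reports)


if __name__ == "__main__":
    reports, zombies = run_demo()
    for sensor, flagged in reports.items():
        print(sensor, flagged)
    print("confirmed:", sorted(zombies))
```

The lone burst from 198.51.100.9 exceeds the IDR threshold locally but is dropped at the comparison step because no other sensor reports a deviation in that interval, which is the role the synchrony check plays in separating zombies from ordinary traffic spikes.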
3. Essential features are the key to guiding botnet detection. To obtain effective essential features, a botnet feature extraction method oriented to command and control (C&C) is proposed. First, considering the forms that botnet essential features take (signature, anomaly, and character pattern) and the relationships among them, a botnet feature information description method is presented. It defines the detailed content of feature information and describes feature information abstractly using BNF (Backus-Naur Form). It also defines an XML-based description language called FIDL (Feature Information Description Language), in which feature information is described as documents with a unified structure for use by the TASs, improving the efficiency and flexibility of detection. Then, since the C&C channel must pass through the network and attack commands have a relatively fixed format and command strings, a signature generation model for the C&C channel is proposed. The model consists of five parts: pre-filtering, protocol classification, data preprocessing, signature generation, and signature determination. Within it, a determination method for attack commands is presented, based on the differences in how bots respond to attack commands. The model is applied to the network traffic flowing through edge networks and mainly solves the problem of the weak applicability of honeypots and honeynets. It can accurately generate signatures with command format from botnet communication, can integrate several signature generation techniques (such as the multi-sequence alignment algorithm used in this thesis), and meets the requirements of C&C-oriented botnet feature extraction.

4. Because botnets expand rapidly and cause great harm in an instant, a botnet feature fusion method based on the PHT (Prefix Hash Tree) is proposed, covering two aspects: feature aggregation and feature access. In Bot_CODS, all of the threat monitor centers (TMCs) aggregate local feature information level by level on a platform built on the PHT. The final global information is obtained through aggregation rules and stored in the feature library in a distributed manner. In this way, local feature information can be confirmed across the whole network in the shortest time, and the relevant TMCs in Bot_CODS can prepare their response. In addition, a feature information access algorithm based on the PHT (FIA-PHT) is presented. According to the naming and publishing situation, TASs use a multi-attribute range query method to quickly query and access the feature information stored in the feature library, which gives the TASs under a TMC a more targeted detection capability. Theoretical analysis and simulation experiments on real Internet data sets verify the accuracy and feasibility of this method. Experimental results indicate that it is significantly better than solutions of the same kind in query latency and node load.

5. Based on the study of the key problems described above, a Bot_CODS prototype system is designed and implemented. We specify the design details of the key components, including the TAS, the TMC, and the TDC (Threat Decision-making Center). The Bot_CODS prototype system integrates software and tools for topology discovery, traffic capture, and intrusion detection. The collaboration-based distributed botnet detection method, the C&C-oriented botnet feature extraction method, and the PHT-based botnet feature fusion method are all implemented in the prototype system. According to the proposed testing content, the correctness of the HCO model is also validated.

To sum up, this research is a useful exploration of botnet detection, and its results have theoretical and practical value for advancing botnet detection research. The work has been applied in the National High-Tech Research and Development Program of China (863), the Natural Science Foundation of China, and our actual engineering projects.
    [135]程仁杰,殷建平,刘运等.蜜罐及密网技术研究进展[J].计算机研究与发展,2008,45(增刊):375~378.
    [136] Lu W, Ghorbani AA. Bots Behaviors vs. Human Behaviors on Large-Scale Communication Networks [G] //LNCS 5230: Proc of the 11th International Symposium on Recent Advances in Intrusion Detection. Berlin: Springer, 2008: 415~416.
    [137] ROBERT E, ADELE C, PRANAB B. A Multi-Layered Approach to Botnet Detection [C] //Proc of 2008 International Conference on Security and Management (SAM’08). USA: CSREA, 2008: 301~308.
    [138] Zhang ZH, Youki K. A holistic perspective on understanding and breaking botnets: Challenges and countermeasures [J]. Journal of the National Institute of Information and Communications Technology, 2008, 55(2): 43~59.
    [139] Paxton N, Ahn GJ, Chu B. Towards practical framework for collecting andanalyzing network-centric attacks [C] //Proc of IEEE International Conference on Information Reuse and Integration. Washington, DC: IEEE Computer Society, 2007: 73~78.
    [140]李瑞轩,胡劲纬,唐卓.R2BAC:基于风险的多自治域安全互操作模型[J].通信学报,2008,29(10):58~69.
    [141]王伟,曾国荪,刘涛.基于信任机制的协作系统形成与演化机制[J].通信学报,2006,27(11):31~35.
    [142] Tang Y, Luo JQ, Xiao B, et al. Concept, Characteristics and Defending Mechanism of Worms [J]. IEICE Transaction, 2009, 92-D(5): 799~809.
    [143] Peng T, Leckie C and Ramamohanarao K. Survey of network-based defense mechanisms countering the DoS and DDoS problems [J]. ACM Computing Surveys, 2007, 39(1).
    [144] Yu J, Lee H, Kim MS and Park D. Traffic flooding attack detection with SNMP MIB using SVM [J]. Computer Communications, 2008, 31: 4212~4219.
    [145]史美林.CSCW:计算机支持的协同工作.通信学报,1995,6(1):55~61.
    [146] Dourish P, Bellotti V. Awareness and coordination in shared workspaces [C] //Proc. of the CSCW’92. Toronto: ACM Press, 1992: 107~114.
    [147]朱君,汤庸.角色群体协作中的层次感知模型研究.软件学报,2007,18(Suppl.):95~101.
    [148]杨武勇,史美林,姜进磊,杨胜文.基于角色的层次型同步协作感知模型,清华大学学报(自然科学版),2005,45(4):479~482.
    [149] Snapp SR, Brentano J, Dias GV, et al. A system for distributed intrusion detection [C] //Proc of the IEEE COM PCON 91. Washington, DC: IEEE Computer Society, 1991: 170~176.
    [150] Janakiraman R, Zhang M. Indra: a peer-to-peer approach to network intrusion detection and prevention [C] //Proc of the 20th IEEE international workshops on enabling technologies: infrastructure for collaborative enterprises (WETICE). Washington, DC: IEEE Computer Society, 2003: 226~231.
    [151] Yegneswaran V, Barford P, Jha S. Global intrusion detection in the DOMINO overlay system [C] //Proc of the 11th network and distributed security symposium (NDSS’04). Berkeley, CA: USENIX Association, 2004.
    [152] Cai BQ. Distributed Intrusion Detection System node cooperation algorithm [D]. Najing: Nanjing University of Science, 2008(Ch).
    [153] Xue YD, Han XL, Dai SF. Distributed Cooperative Intrusion Detection System Based on Snort [J]. Computer Engineering, 2010, 36(19): 165~167(Ch).
    [154] Jin C, Wang H and Shin KG. Hop-Count Filtering: An effective defense against spoofed DDoS traffic [C] //Proceedings of the 10th ACM Conference onComputer and Communications Security (CCS 2003). New York: ACM, 2003: 30~41.
    [155] Wang H, Zhang D and Shin K G. Detecting SYN flooding attacks [C] // Proc of IEEE Infocom 2002. Washington, DC: IEEE Computer Society, 2002: 1530~1539.
    [156] Manikopoulos C and Papavassiliou S. Network intrusion and fault detection: A statistical anomaly approach [J]. IEEE Communications Magazine, 2002, 40: 76~82.
    [157] Chen Y, Hwang K and Ku W-S. Collaborative detection of DDoS attacks over multiple network domains [J]. IEEE Transactions on Parallel and Distributed Systems, 2007, 18: 1649~1662.
    [158] Oshima S, Hirakawa A, Nakashima T and Sueyoshi T. DoS/DDoS detection scheme using statistical method based on the destination port number [C] //Proc of the 5th International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP 2009). Washington, DC: IEEE Computer Society, 2009: 206~209.
    [159] Peng T, Leckie C and Ramamohanarao K. Protection from distributed denial of service attacks using history-based IP filtering [C] //Proc of 2003 International Conference on Communications (ICC 2003). Washington, DC: IEEE Computer Society, 2003: 482~486.
    [160] Jin S and Yeung D S. A covariance analysis model for DDoS attack detection [C] //Proc of 2004 IEEE International Conference on Communications. Washington, DC: IEEE Computer Society, 2004: 1882~1886.
    [161] Lakhina A, Crovella M and Diot C. Diagnosing network-wide traffic anomalies [C] //Proceedings of SIGCOMM 2004. New York: ACM, 2004.
    [162] Siaterlis C and Maglaris B. Towards multisensor data fusion for DoS detection [C] //Proceedings of the 2004 ACM symposium on Applied computing. New York: ACM, 2004.
    [163] Sekar V, Duffield N, Spatscheck O, et al. LADS: large-scale automated DDOS detection system [C] //Proceedings of the annual conference on USENIX’06 Annual Technical Conference. Boston, MA: USENIX Association, 2006: 16~16.
    [164] Bao T, Liu SF. Rule-based Method for Network Data Collection and Processing [J]. Computer Engineering, 2007, 33(1): 101~103(Ch).
    [165] Open Source Host-based Instrusion Detection System (OSSEC) [EB/OL]. http://www.ossec.net.
    [166] Sekar V, Duffield N, Spatscheck O, et al. LADS: large-scale automated DDOS detection system [C] //Proceedings of the annual conference on USENIX’06 Annual Technical Conference. Boston, MA: USENIX Association, 2006: 16~16.
    [167] Lakhina A, Crovella M and Diot C. Diagnosing network-wide traffic anomalies[C] //Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications. New York: ACM, 2004.
    [168] Akansu AN and Haddassd RA. Multiresolution Signal Decomposition: Transforms, Subbands, and Wavelets [M]. Academic Press, 1992: 1~487.
    [169] Kanungo T, Mount D M, Netanyahu N S, et al. An efficient k-means clustering algorithms: Analysis and implementation [J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2002, 24: 881~892.
    [170] Lakhina A,Crovella M,Diot C. Mining Anomalies Using Traffic Feature Distributions [C]//Proceedings of ACM SIGCOMM 2005. New York: ACM, 2005.
    [171]唐勇,卢锡城,王勇军.攻击特征自动提取技术综述[J].通信学报,2009,30(2):96~105.
    [172] Vigna G, Eckmann S T, Kemmerer R A. Attack Languages [C] //Proc of the IEEE Information Survivability Workshop (ISW 2000). Washington, DC: IEEE Computer Society, 2009: 163~166.
    [173] Tcpdump 3.8 documentation [EB/OL]. http://www.tcpdump.org, 2004.
    [174] Debar H, Curry D, Feinstein B. The Intrusion Detection Message Exchange Format (IDMEF) (RFC4765) [S]. Strasbourg, France: Internet Engineering Task Force (IETF), 2007.
    [175] Eckmann ST, Vigna G, Kemmerer RA. STATL: An Attack Language for State-based Intrusion Detection [J]. Journal of Computer Security, 2002, 10(1/2): 71~104.
    [176] Snort Roesch M. Snort-lightweight intrusion detection for networks [EB/OL]. http://www.snort.org, 2004.
    [177] Cedric Michel, Ludovic Me. Adele: An attack description language for knowledge-based intrusion detection [C] //Proc of the 16th International Conference on Information Security. Netherlands: Kluwer, 2001: 353~368.
    [178]孔东林.分布式主动协同入侵检测系统的入侵特征描述与子系统性能改进.郑州:中国人民解放军信息工程大学,2005:1~49.
    [179] Cai M, Hwang K, Pan Jianping, Papadopoulos C. WormShield: Fast Worm Signature Detection with Distributed Fingerprint Aggregation [J]. IEEE Transactions on Dependable and Secure Computing (TDSC), 2007, 4(2): 88~104.
    [180]邹崇理,自然语言和逻辑语言:现在逻辑的延伸.绵阳师范大学学报,2007,26(3):1~6.
    [181] Wang K, Cretu G, Stolfo SJ. Anomalous payload-based worm detection and signature generation [G] //LNCS 2820: Proc of Recent Advances in IntrusionDetection (RAID). Berlin: Springer, 2003: 227~246.
    [182] Tang Y, Chen S. Defending against internet worms: a signature-based approach [C] //Proc of the 24th Annual Conference IEEE INFOCOM. Washington, DC: IEEE Computer Society, 2005: 1384~1394.
    [183] Yegneswaran V, Giffin JT, Barford P, et al. An architecture for generating semantics-aware signature [C] //Proc of the 14th USENIX Security Symposium. Berkeley, CA: USENIX Association, 2005: 97~112.
    [184] Tang Y, Lu X, Xiao B. Generating Simplified Regular Expression Signatures for Polymorphic Worms [G] //LNCS 4610: Proc of the 4th International Conference on Autonomic and Trusted Computing (ATC-07). Berlin: Springer, 2007: 478~488.
    [185]唐勇,卢锡城,胡华平,朱培栋.基于多序列联配的攻击特征自动提取技术研究[J].计算机学报,2006,29(9):1533~1541.
    [186]王威,方滨兴,崔翔.基于终端行为特征的IRC僵尸网络检测[J].计算机学报,2009,32(10): 1980~1988.
    [187] Smith T, Waterman M. Identification of common molecular subsequences [J]. Journal of Molecular Biology, 1981, 147 (1): 195~197.
    [188]唐勇,魏书宁,胡华平,卢锡城.抗噪的攻击特征自动提取方法[J].通信学报,2009,30(12):124~131.
    [189] Chawathe Y, Ramabhadran S, Ratnasamy S, LaMarca A, Shenker S, Hellerstein J. A case study in building layered DHT applications [C]//Proceedings of ACM SIGCOMM 2005. New York: ACM, 2005: 97~108.
    [190] Stoica I, Morris R, Liben-Nowell D, et al. Chord: A scalable peer-to-peer lookup protocol for Internet applications [J]. IEEE/ACM Transactions on Networking, 2003, 11: 17~32.
    [191]张一鸣,李东升,卢锡城.虚拟计算环境中的可扩展分布式资源信息服务[J].软件学报,2007,18(8):1993~1942.
    [192] Jagadish HV. Linear clustering of objects with multiple attributes [C]//Proceedings of the ACM SIGMOD 1990. New York: ACM, 1990: 332~342.
    [193] Jakab L, Cabellos-Aparicio A, Coras F, Saucez D, Bonaventure O. LISP-TREE: A DNS Hierarchy to Support the LISP Mapping System [J]. IEEE Journal on Selected Areas in Communications, 2010, 28(8): 1332~1343.
    [194] Internet draft: draft-ietf-lisp-alt-06, LISP alternative topology (LISP-ALT) [S].
    [195] Coras F. CoreSim: A Simulator for Evaluating LISP Mapping Systems [D]. Diplom Thesis, Technical University of Cluj-Napoca, June 2009.
    [196]何明,龚正虎,卓莹.基于WSDM Agent的分布式拓扑发现系统设计与实现.全国第18届计算机科学与技术应用会议(CACIS18). 2008:1286~1291.
