Can botnets be beaten?
Date: February 19th, 2008
Author: Justin Fielding
Translation: endurer, 2008-02-28, 1st edition
Category: security, Botnet, cybercrime
Tags: Network, Command, Instruction, Bot, Analysis, BotSniffer, Networking, Justin Fielding
English source: http://blogs.techrepublic.com.com/networking/?p=443&tag=nl.e101
This week, Georgia Tech unveiled BotSniffer, a prototype system designed to detect and disable botnets. Using traffic analysis, BotSniffer tries to identify botnet members by looking for command and control channels. Apparently the BotSniffer detector has been built as an independent plug-in for the popular open source intrusion detection system Snort. With a host system that’s as widely used as Snort, there could be a good possibility of such a system eventually making it into the real world. The paper released by Georgia Tech’s School of Computer Science says, “We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.”
[Translator's note (endurer): 1. Georgia Tech is short for the Georgia Institute of Technology, founded in 1885; it is among the top engineering schools in the US, ranked just behind MIT and CalTech. The campus is in downtown Atlanta, next door to the Coca-Cola headquarters.
2. Snort is an open-source, cross-platform package used as a sniffer, packet logger and intrusion detector for small TCP/IP networks. It runs on Linux/UNIX and Win32 systems. Official website: http://www.snort.org/]
The paper suggests that botnets’ command and control mechanism may be their Achilles heel. These command and control channels are used by botmasters to relay instructions to the infected hosts. Instructions are either delivered ‘live’ via IRC channels or via HTTP where the bot will connect at pre-specified intervals and collect instructions from a Web server. If these channels of communication are detected and cut off then the botmaster no longer has control of his zombies: “If we can take down an active command and control or simply interrupt the communication to the command and control, the botmaster will not be able to control his botnet. Moreover, the detection of the command and control channel will reveal the command and control servers and the bots in a monitored network.”
[Translator's note (endurer): 1. Achilles' heel: Achilles was the bravest warrior of the Greek army and one of the main characters of Homer's Iliad. By legend he was the son of Peleus, king of the Myrmidons, and of the sea goddess Thetis. After Achilles was born, his mother, wanting to make her son strong and immortal, tempered him in fire and then dipped him upside down in the sacred waters of the river Styx, holding him by the heel. His body thus became as hard as iron and proof against any blade, except for the heel where his mother's hand had gripped him, which never touched the water and became his one vulnerable spot. In the Trojan War Achilles was invincible and killed the Trojan commander, the famous hero Hector, while no Trojan weapon could wound him. Later the sun god Apollo told the Trojan prince Paris of Achilles' weak point; Paris lured Achilles to the city gate, shot him in the heel with an arrow, and he died of the wound. "Achilles' heel" thus came to mean a single weak point, a weak link or a vulnerable spot.]
There are normally multiple bots on a network so thorough analysis of traffic or host activity can pick out behavioural traits and detect bot-like activity: “We observe that the bots of a botnet demonstrate spatial-temporal correlation and similarities due to the nature of their pre-programmed response activities to control commands. This helps us identify command and control within network traffic. For instance, at a similar time, the bots within a botnet will execute the same command — obtain system information, scan the network — and report to the command and control server with the progress/result of the task.”
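As an added illustration of the group analysis described above (example code written for this page, not BotSniffer's code or the paper's), the detector below looks for several internal hosts answering the same destination within one time window with near-identical message sizes, and leaves a popular web server alone because its clients connect at unrelated times with varied sizes. The flow records, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed outbound flow records: (time_sec, src_host, dst_host, dst_port, bytes_sent).
# Sample values are invented for this example, not traces from the BotSniffer paper.
FLOWS = [
    # three internal hosts reporting back to the same IRC server within seconds,
    # with near-identical message sizes: the paper's "spatial-temporal correlation"
    (100, "10.0.0.5", "198.51.100.9", 6667, 120),
    (102, "10.0.0.8", "198.51.100.9", 6667, 118),
    (104, "10.0.0.9", "198.51.100.9", 6667, 125),
    (400, "10.0.0.5", "198.51.100.9", 6667, 121),
    (403, "10.0.0.8", "198.51.100.9", 6667, 119),
    (405, "10.0.0.9", "198.51.100.9", 6667, 124),
    # the same hosts browsing a popular web server at unrelated times, varied sizes
    (110, "10.0.0.5", "203.0.113.20", 80, 950),
    (260, "10.0.0.8", "203.0.113.20", 80, 4100),
    (390, "10.0.0.9", "203.0.113.20", 80, 300),
]

WINDOW = 30       # seconds: bots reacting to one command respond close together
MIN_HOSTS = 3     # a C&C channel only becomes visible when several local hosts share it
MIN_SHARE = 0.67  # fraction of the group that must respond inside the same window
MAX_SPREAD = 0.2  # sizes within +-20% of the group's median count as "similar"

def similar_sizes(sizes):
    """True when every response size lies within MAX_SPREAD of the median."""
    m = median(sizes)
    return all(abs(s - m) <= MAX_SPREAD * m for s in sizes)

def find_cc_candidates(flows):
    """Return {(dst, port): [window_start, ...]} for destinations whose client
    group shows synchronized, homogeneous responses in at least one window."""
    by_dst = defaultdict(list)
    for t, src, dst, port, size in flows:
        by_dst[(dst, port)].append((t, src, size))
    hits = {}
    for key, recs in by_dst.items():
        hosts = {src for _, src, _ in recs}
        if len(hosts) < MIN_HOSTS:
            continue  # too few local clients to form a group
        windows = defaultdict(dict)  # window index -> {src: first size seen}
        for t, src, size in recs:
            windows[t // WINDOW].setdefault(src, size)
        for w, resp in windows.items():
            if len(resp) / len(hosts) >= MIN_SHARE and similar_sizes(list(resp.values())):
                hits.setdefault(key, []).append(w * WINDOW)
    return hits
```

Real deployments would add the activity-response side the paper mentions (e.g. a burst of scanning from the same hosts right after the exchange) and tune the thresholds per network.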
BotSniffer is certainly not the only attempt to stamp out what has quickly become one of the Internet’s biggest problems. Desktop antivirus and security packages from all of the big-brand security vendors are incorporating features aimed at locking out botnets by detecting and removing the malicious software that turns so many desktop computers into evil zombies. I think this highlights an important point: if botnets can be beaten, then the problem has to be attacked from several different angles. ISPs trying to detect command and control channels will most likely never have complete success. Once ISPs or network admins start to detect and isolate infected hosts, bots will undoubtedly find ways to avoid detection in just the same way that viruses do. They can encrypt communications, randomize behaviour, and so on. The analysis will get smarter, but it becomes a game of catch-up. If botnets are losing hosts due to improved desktop protection, then they come under pressure on several fronts and will find it hard to grow.
Spam blocking is a good example of how various types of filtering can work together to block unsolicited junk e-mail. Around 85 percent of all incoming e-mail is blocked by my Barracuda Spam Firewall. This is achieved by combining techniques such as virus scanning, user policies, rate control, Bayesian analysis, rule-based scoring, and IP reputation analysis. Alone, no one of these forms of detection would be adequate; however, once combined they form a sturdy defence, blocking 90-95 percent of the unwanted junk mail thrown at our servers daily.
Network-based detection of botnets seems like a very good idea, and with programs like BotSniffer able to plug into existing Intrusion Detection Systems, we could well see the tables turn on botmasters. I could see this type of traffic analysis being very effective at an ISP level; they already analyse traffic for illegal downloads, so I couldn’t see that listening for bots would be much of an additional burden.
Do you currently take any measures to detect or block unwanted and potentially dangerous network traffic? Bots, or even P2P and other rogue applications, can have a massive impact on network security and performance. If you do, I’d be interested to know what techniques you use; leave a comment and share your experience.