计算机学报
CHINESE JOURNAL OF COMPUTERS
2010, Issue 1, pp. 45-54 (10 pages)
botnet%communication%assemble%similarity measure%migration
An IRC botnet can be regarded as a collection of compromised computers (called zombie computers, or bots) running software under a command-and-control infrastructure that the attacker constructs from IRC servers. The connections between the IRC servers and the bots are usually very dynamic. In order to describe a botnet at a finer granularity, and to identify the same botnet when it uses different IRC servers, the paper proposes a method that measures the similarity of botnets by extracting and comparing metrics such as communication volume and communication frequency, and by modeling and estimating the overlap rate of bots. A novel model for measuring botnet similarity is proposed by combining these metrics. Experiments are carried out to validate the model, the confidence of the accuracy is evaluated and shown, and the migration of botnets is also discussed.