CAREER: Coordination- and Correlation-based Botnet Defense

职业：基于协调和关联的僵尸网络防御

• 批准号: 0954096
• 负责人: Guofei Gu
• 金额: $ 40万
• 依托单位: Texas A&M Engineering Experiment Station
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-02-15 至 2017-01-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0954096&HistoricalAwards=false
• 关键词: CAREER; Coordination; Correlation; based; Botnet

This project aims to create a systematic framework with novel approaches and techniques to defend against current and next generation botnets. A botnet is a network of compromised computers (bots) that are under the control of an attacker (botmaster) through some command & control (C&C) channel. In recent years, botnets have distinguished themselves from previous generation malware as the primary platform and root-cause for most Internet attacks and illegal activities. With the magnitude and the potency of attacks afforded by their combined bandwidth and processing power, botnets are now considered as the greatest single threat to Internet security. As botnets involve both host-level and network-level activities, a systematic defensive framework should consider both host- and network-level information. We can achieve better defense by utilizing host-network coordination, community-based intelligence, and a cross-layer view, instead of relying on a single (or a set of separate) host- or network-level information source(s). This project establishes a host-network coordination- and correlation-based framework for systematic botnet defense in depth. It addresses three major questions covering detection, prevention, and attribution of botnets: How to detect the existence of botnets in an efficient, accurate, robust, fast, and automatic way? How to prevent botnets from penetrating into a protected network? Where does the command and control (C&C) actually originate from? The methodology and techniques proposed in the project can have a profound impact on future malware defense in terms of improving its effectiveness, efficiency, and robustness.

该项目旨在创建一个系统框架，采用新颖的方法和技术来防御当前和下一代僵尸网络。僵尸网络是由受攻击的计算机(僵尸)组成的网络，攻击者(僵尸主控)通过某个命令和控制(C&A；C)通道控制这些计算机。近年来，僵尸网络与上一代恶意软件不同，成为大多数互联网攻击和非法活动的主要平台和根本原因。由于僵尸网络结合了带宽和处理能力所提供的攻击的规模和效力，现在被认为是对互联网安全的最大单一威胁。由于僵尸网络既涉及主机级别的活动，也涉及网络级别的活动，因此系统的防御框架应该同时考虑主机级别和网络级别的信息。我们可以通过利用主机-网络协调、基于社区的智能和跨层视图来实现更好的防御，而不是依赖单一(或一组单独的)主机或网络级信息源(S)。该项目建立了一个基于主机-网络协调和关联的系统僵尸网络纵深防御框架。它解决了僵尸网络的检测、预防和归属的三个主要问题：如何以高效、准确、健壮、快速和自动的方式检测僵尸网络的存在？如何防止僵尸网络渗透到受保护的网络中？命令和控制(C&amp；C)实际上来自哪里？项目中提出的方法和技术在提高恶意软件防御的有效性、效率和健壮性方面可以对未来的恶意软件防御产生深远的影响。

项目成果

CloudRand: Building Heterogeneous and Moving-target Network Interfaces

CloudRand：构建异构和移动目标网络接口

• 发表时间: 2018
• 期刊: 2018 International Conference on Computer Communication and Networks (ICCCN'18
• 作者: Seungwon Shin, Zhaoyan Xu