
P2P Botnet Detection In Small And Medium LAN

Posted on: 2012-02-24
Degree: Master
Type: Thesis
Country: China
Candidate: H T Zhou
Full Text: PDF
GTID: 2178330332986066
Subject: Computer application technology
Abstract/Summary:
Botnets, networks of compromised machines controlled by one attacker or a group of attackers, have emerged as one of the most serious security threats on the Internet. Traditional botnets use a centralized architecture built on the IRC or HTTP protocol, but in recent years more and more botnets have moved to a distributed architecture built on P2P protocols, which is more robust and harder to detect. Botnets are behind many attacks such as DDoS, spam and information theft, which harm both the security and the development of the Internet, so detecting and disrupting botnets is an urgent task. Much work has been done on detecting IRC-based botnets; detection of P2P botnets still needs to be addressed. This thesis focuses on the detection of P2P botnets in a LAN.

The thesis first analyses the categories, communication mechanisms and attack techniques of botnets. From a study of how P2P botnets are built, it extracts characteristics of P2P botnets, especially in their network flows, from which a detection strategy can be derived.

It then presents an intrusion detection system based on flow analysis, implemented as a set of plugins for the open-source IDS Snort. The strategy targets the following traits of P2P botnets: first, the flows produced by bots are P2P flows, so detection can be restricted to those flows; second, bots ship with similar default peer lists, so the destinations contacted by different infected hosts are similar; third, the flows produced by different bots resemble one another. Because these traits are shared by P2P botnets in general, detection based on them is effective. Because the method does not have to match the content of every packet, it is fast and can detect unknown and encrypted P2P botnets. Our experiments show that it is an accurate and effective method.
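The three flow-level traits described above, worked through on constructed flow records as an added example (this is not the thesis's own code or its Snort plugins): trait 1 restricts attention to hosts whose traffic looks peer-to-peer, trait 2 measures how much the peer sets of two internal hosts overlap, and trait 3 measures how uniform a host's flows are. The LAN prefix, the thresholds and the heuristic used to call a host "P2P" are assumptions chosen for illustration; only flow metadata is used, never packet payload.

```python
"""Flow-level heuristics for P2P botnet detection (illustrative, not the thesis's code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record aggregated per 5-tuple (constructed input format)."""
    src: str        # internal host
    dst: str        # remote peer
    dport: int
    proto: str      # "tcp" or "udp"
    bytes_out: int
    bytes_in: int


LAN_PREFIX = "10.0.0."   # assumed monitored LAN (hypothetical)


def p2p_hosts(flows, min_peers=5):
    """Trait 1: internal hosts whose traffic looks peer-to-peer.
    Heuristic (assumed): many distinct remote peers on unprivileged ports,
    bytes in both directions, and both TCP and UDP in use."""
    peers, protos = defaultdict(set), defaultdict(set)
    for f in flows:
        if not f.src.startswith(LAN_PREFIX):
            continue
        if f.dport < 1024 or f.bytes_in == 0 or f.bytes_out == 0:
            continue
        peers[f.src].add(f.dst)
        protos[f.src].add(f.proto)
    return {h for h, p in peers.items()
            if len(p) >= min_peers and protos[h] == {"tcp", "udp"}}


def peer_overlap(flows, hosts):
    """Trait 2: Jaccard similarity of the remote-peer sets of each host pair.
    Bots share a built-in bootstrap peer list, so two infected hosts in the
    same LAN contact largely the same destinations."""
    peers = defaultdict(set)
    for f in flows:
        if f.src in hosts:
            peers[f.src].add(f.dst)
    hs = sorted(hosts)
    scores = {}
    for i, a in enumerate(hs):
        for b in hs[i + 1:]:
            union = peers[a] | peers[b]
            scores[(a, b)] = len(peers[a] & peers[b]) / len(union) if union else 0.0
    return scores


def size_uniformity(flows, host):
    """Trait 3: coefficient of variation of bytes_out across one host's flows.
    Bot keep-alive/command flows are near-identical in size; file-sharing
    P2P flows vary by orders of magnitude."""
    sizes = [f.bytes_out for f in flows if f.src == host]
    if len(sizes) < 2 or mean(sizes) == 0:
        return float("inf")
    return pstdev(sizes) / mean(sizes)


def detect(flows, min_overlap=0.5, max_cv=0.2):
    """Flag hosts that pass all three traits; no payload inspection needed."""
    candidates = p2p_hosts(flows)
    flagged = set()
    for (a, b), jaccard in peer_overlap(flows, candidates).items():
        if jaccard >= min_overlap:
            for h in (a, b):
                if size_uniformity(flows, h) <= max_cv:
                    flagged.add(h)
    return flagged


# ---- constructed sample traffic (documentation-range addresses) ----
BOT_PEERS = [f"203.0.113.{i}" for i in range(1, 7)]


def _bot_flows(host):
    # two bots talk to the same six peers with uniform ~120-byte keep-alives
    return [Flow(host, p, 6881 + i, "udp" if i % 2 else "tcp", 120 + 4 * (i % 2), 118)
            for i, p in enumerate(BOT_PEERS)]


TORRENT_SIZES = [400, 65000, 1200, 9000, 300, 40000, 2500, 15000]
SAMPLE_FLOWS = (
    _bot_flows("10.0.0.11") + _bot_flows("10.0.0.12")
    # legitimate file-sharing host: many peers, wildly varying flow sizes
    + [Flow("10.0.0.50", f"198.51.100.{i}", 51413 + i, "udp" if i % 2 else "tcp", s, s // 2 + 50)
       for i, s in enumerate(TORRENT_SIZES)]
    # ordinary web client: few peers, well-known port only
    + [Flow("10.0.0.20", f"192.0.2.{i}", 443, "tcp", 900 + i, 30000) for i in range(3)]
)

if __name__ == "__main__":
    print("P2P hosts:", sorted(p2p_hosts(SAMPLE_FLOWS)))
    print("flagged bots:", sorted(detect(SAMPLE_FLOWS)))
```

On the sample, both bots and the file-sharing host pass trait 1, but only the two bots share a peer set (Jaccard 1.0) and have near-constant flow sizes, so only they are flagged; the file-sharing host fails trait 3 and the web client never enters the P2P candidate set. In a real deployment the peer-overlap and size checks would run over a sliding window of flow records rather than a static list.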
Keywords/Search Tags: Internet Security, botnet, malware, anomaly detection