
Research And Implementation Of Botnet Detection Based On Similarity Analysis

Posted on: 2015-06-05
Degree: Master
Type: Thesis
Country: China
Candidate: R Xi
GTID: 2308330473953157
Subject: Computer application technology
Abstract/Summary:
Botnets are easy to control, wide in their reach and hard to detect, which has made them the most important and most widely used platform for cyber attacks on the Internet. A botmaster can use one to launch DDoS attacks, send spam, steal information and carry out other malicious activities. The evolution of botnet technology and the growth in the number of botnets have made botnet detection a hot research area in network security.

At present, the main detection techniques are inspection of network traffic content, anomaly detection and log-based detection. These still have faults and limitations: for example, a given method often cannot detect more than one kind of botnet, and it is hard to deploy in a real environment.

To address the problem of versatility, we analyzed botnet network traffic and communication mechanisms and found that the network traffic and host behavior of the bots controlled by one botmaster show a certain degree of group similarity. Based on similarity theory, this thesis proposes a botnet detection method founded on similarity analysis and combined with existing botnet detection techniques, and then designs and implements a detection system model. The model consists of four main functional modules: network packet capture, network traffic analysis, host behavior analysis and cross-correlation clustering. The system determines whether a botnet is present in a given network by analyzing the captured TCP and UDP packets. The network packet capture module is deployed at the network border to monitor and collect packets. The network traffic analysis module analyzes these packets to find hosts with similar traffic characteristics. Using those traffic characteristics, the host behavior analysis module identifies suspicious behaviors and the hosts that exhibit the same behaviors. Taking the results of the network traffic analysis and host behavior analysis modules, the cross-correlation clustering module filters the candidates and computes a similarity measure to find the suspicious hosts that belong to the same botnet.

To verify the detection system, we built a simple local area network environment with the limited experimental resources available and proposed several different experimental scenarios. The experimental results show that this method can detect botnet hosts in the LAN. Finally, the thesis puts forward a number of botnet infection prevention measures, summarizes this work and proposes future work and goals.
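The cross-correlation clustering step described above, written out as an added Python illustration (this is not the thesis's own code): hosts are kept only if the host behavior stage flagged them, their traffic profiles are compared pairwise, and hosts linked above a threshold are grouped as one suspected botnet. The feature vector (flow counts per destination endpoint), the cosine similarity measure and the 0.8 threshold are assumptions, and the flow records and suspicious-host set are constructed.

```python
from collections import defaultdict
from itertools import combinations
from math import sqrt

# Constructed flow records (src_host, dst_ip, dst_port, proto, bytes); not from the thesis.
FLOWS = [
    ("10.0.0.11", "203.0.113.5", 6667, "tcp", 120),
    ("10.0.0.11", "203.0.113.5", 6667, "tcp", 118),
    ("10.0.0.12", "203.0.113.5", 6667, "tcp", 121),
    ("10.0.0.13", "203.0.113.5", 6667, "tcp", 117),
    ("10.0.0.20", "198.51.100.9", 443, "tcp", 5200),
    ("10.0.0.21", "198.51.100.8", 53, "udp", 80),
]
# Constructed output of the host behavior analysis stage: hosts flagged as suspicious.
SUSPICIOUS = {"10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.21"}

def traffic_profiles(flows):
    """Per-host feature vector: number of flows to each (dst_ip, dst_port, proto)."""
    profiles = defaultdict(lambda: defaultdict(int))
    for src, dst, port, proto, _size in flows:
        profiles[src][(dst, port, proto)] += 1
    return profiles

def cosine(a, b):
    """Cosine similarity of two sparse feature vectors (an assumed measure)."""
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in set(a) | set(b))
    norm_a = sqrt(sum(v * v for v in a.values()))
    norm_b = sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0

def cluster_hosts(flows, suspicious, threshold=0.8):
    """Filter to hosts flagged by behavior analysis, link similar traffic profiles, group them."""
    profiles = traffic_profiles(flows)
    hosts = [h for h in profiles if h in suspicious]          # filtering step
    links = {h: set() for h in hosts}
    for h1, h2 in combinations(hosts, 2):                     # similarity step
        if cosine(profiles[h1], profiles[h2]) >= threshold:
            links[h1].add(h2)
            links[h2].add(h1)
    groups, remaining = [], set(hosts)
    while remaining:                                          # connected components
        start = remaining.pop()
        group, stack = set(), [start]
        while stack:
            host = stack.pop()
            group.add(host)
            stack.extend(links[host] - group)
        remaining -= group
        if len(group) >= 2:                                   # a lone host is not a botnet
            groups.append(sorted(group))
    return sorted(groups)
```

On the constructed data, the three hosts talking to the same endpoint are grouped together, while 10.0.0.21 is flagged but not grouped because its traffic profile resembles none of the others.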
Keywords/Search Tags: botnet, detection system, similarity, clustering