
The Study Of P2P Botnet Tracking Technology

Posted on: 2015-06-29
Degree: Master
Type: Thesis
Country: China
Candidate: X L Wang
Full Text: PDF
GTID: 2348330509460541
Subject: Computer Science and Technology
Abstract/Summary:
Botnets are among the most serious threats the Internet faces today. Over roughly ten years of development they have moved away from the early centralized designs, such as IRC and HTTP botnets, toward more stealthy and complex distributed designs, namely P2P botnets. P2P botnets differ substantially from their predecessors in structure, hiding techniques and functionality, which greatly improves their stealth and resilience and makes them far more damaging to the current Internet. Existing P2P botnet research concentrates on detection, prediction, measurement, performance analysis and defense, and these areas are relatively mature. Research on tracking P2P botnets, however, is still lacking and is urgently needed: in order to resist and eradicate P2P botnets effectively, in-depth study of P2P botnet tracking has become a pressing task.

This thesis proposes a three-step strategy for P2P botnet tracking, derived from an in-depth analysis of the structural characteristics of current P2P botnets: the first step is discovery of zombie nodes and topology, the second is mining of the botnet's key nodes, and the third is identification of P2P botnet activity. The rationality and validity of the methods proposed for each step are evaluated experimentally, and on that basis a prototype P2P botnet tracking system is designed.

In the first step, the protocols and architecture of Zeus (one of the currently active P2P botnets) are analyzed systematically and a corresponding crawler is designed. Using the crawler, a large number of zombie nodes (about 100,000 IP addresses) and a relatively complete network topology are obtained, and longitude and latitude information is then extracted from the IP addresses of the zombie nodes. To reduce the time overhead of crawling, an improved crawling algorithm (a modified LICA) is proposed after comparing multiple crawling algorithms. Experimental results show that the improved algorithm greatly reduces the time overhead while keeping a relatively high crawling efficiency.

In the second step, given that key nodes generally exist in P2P botnets but are hard to find, the discovery of key nodes is studied from two angles: network topology and network traffic. From the topology perspective, existing node-importance measures are analyzed and a method for mining key nodes based on multiple attributes is proposed; experiments show that the method is feasible. To improve the accuracy of key-node mining, the differences between key nodes and ordinary nodes (spatial characteristics, message characteristics and so on) are first extracted through traffic-difference analysis, and a key-node recognition technique based on that analysis is then proposed and evaluated experimentally.

In the third step, in order to track the upper-level server further, the activity of the P2P botnet must be identified on the basis of the key nodes mined in the second step. Since strong encryption is now generally adopted in P2P botnets, a novel approach based on a Hidden Markov Model is proposed to identify network activities from encrypted traffic, using the time-series characteristics and statistical properties of the traffic. Experimental results show that the proposed method identifies different network activities effectively: the false alarm rate is below 3.6% and the average true identification rate reaches 98.55%.

In summary, to resist current P2P botnets more effectively, this thesis carries out in-depth research on P2P botnet tracking in three steps, analyzing the main features of such botnets, and validates the feasibility of the approach experimentally. The work lays a foundation for further tracking and countermeasures, and has strong social significance and application value.
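The second step mines key nodes from the crawled topology by combining several node-importance attributes, but the abstract does not state which attributes or how they are weighted. The following is an added example, not code from the thesis: it assumes a weighted sum of min-max-normalised degree, betweenness and closeness centrality over a small constructed overlay (node to advertised peers), standing in for crawler output. The weights and the sample edges are assumptions.

```python
"""Multi-attribute key-node mining over a crawled P2P botnet overlay.

Added example, not the thesis's own code.  The thesis combines several
node-importance measures to rank key nodes but the abstract does not give
its exact attributes or weights; this block ASSUMES a weighted sum of
min-max-normalised degree, betweenness and closeness centrality.  The
topology below is constructed by hand to stand in for crawler output
(node -> peers it advertised); it is not data from the Zeus crawl.
"""
from collections import deque

# Constructed sample overlay: "A" is a hub bridging three leaves and two
# small clusters; real crawler output would be much larger and noisier.
SAMPLE_EDGES = [
    ("A", "B"), ("A", "C"), ("A", "D"),
    ("A", "E"), ("E", "F"), ("E", "G"), ("F", "G"),
    ("A", "H"), ("H", "I"), ("I", "J"), ("J", "H"),
]


def build_graph(edges):
    """Undirected adjacency sets from (u, v) peer-list edges."""
    g = {}
    for u, v in edges:
        g.setdefault(u, set()).add(v)
        g.setdefault(v, set()).add(u)
    return g


def _bfs_distances(g, src):
    dist = {src: 0}
    q = deque([src])
    while q:
        u = q.popleft()
        for w in g[u]:
            if w not in dist:
                dist[w] = dist[u] + 1
                q.append(w)
    return dist


def degree_centrality(g):
    n = len(g)
    return {v: len(nb) / (n - 1) for v, nb in g.items()}


def closeness_centrality(g):
    """Wasserman-Faust closeness, which also copes with disconnected overlays."""
    n = len(g)
    out = {}
    for v in g:
        dist = _bfs_distances(g, v)
        reach, total = len(dist) - 1, sum(dist.values())
        out[v] = (reach / total) * (reach / (n - 1)) if total else 0.0
    return out


def betweenness_centrality(g):
    """Brandes' algorithm; normalised to [0, 1] for an undirected graph."""
    bc = dict.fromkeys(g, 0.0)
    for s in g:
        stack, pred = [], {v: [] for v in g}
        sigma, dist = dict.fromkeys(g, 0), dict.fromkeys(g, -1)
        sigma[s], dist[s] = 1, 0
        q = deque([s])
        while q:                     # BFS that counts shortest paths
            v = q.popleft()
            stack.append(v)
            for w in g[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    q.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(g, 0.0)
        while stack:                 # back-propagate path dependencies
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                bc[w] += delta[w]
    n = len(g)
    # each unordered pair was counted from both endpoints: /2, then /C(n-1, 2)
    scale = 1.0 / ((n - 1) * (n - 2)) if n > 2 else 1.0
    return {v: b * scale for v, b in bc.items()}


def _minmax(scores):
    lo, hi = min(scores.values()), max(scores.values())
    if hi == lo:
        return {v: 0.0 for v in scores}
    return {v: (s - lo) / (hi - lo) for v, s in scores.items()}


def rank_key_nodes(g, weights=(0.4, 0.4, 0.2)):
    """Return [(node, score)] best first.  The weights are an assumption."""
    attrs = (_minmax(degree_centrality(g)),
             _minmax(betweenness_centrality(g)),
             _minmax(closeness_centrality(g)))
    score = {v: sum(w * a[v] for w, a in zip(weights, attrs)) for v in g}
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    for node, s in rank_key_nodes(graph):
        print(f"{node}: {s:.3f}")
```

On the constructed overlay the hub "A" scores 1.0 and the two cluster heads "E" and "H" tie for second place; leaves score 0 on betweenness. Betweenness is the attribute that separates relay-style super-peers from merely well-connected ones, which is why it should keep a substantial weight when the topology attributes are combined with the traffic-difference features of the second step.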
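The third step identifies botnet activities from encrypted traffic with a Hidden Markov Model, relying on time-series and statistical properties rather than payload content. The following is an added example, not the thesis's code: it assumes one discrete HMM per activity, the payload-size bin of each packet as the observation, and classification by maximum forward-algorithm log-likelihood. The activity names, state semantics, model parameters and packet sequences are all constructed; in practice the parameters would be learned from labelled captures (for instance with Baum-Welch), which this block does not do.

```python
"""HMM-based identification of botnet activity in encrypted P2P traffic.

Added example, not the thesis's own code.  The thesis reports an HMM
classifier over time-series and statistical features of encrypted traffic
but the abstract gives no features or parameters.  This block ASSUMES: the
observation per packet is its payload-size bin (small/medium/large), one
discrete HMM per activity, classification by maximum forward-algorithm
log-likelihood, and hand-set model parameters standing in for parameters
that would normally be learned from labelled captures (e.g. Baum-Welch).
The activity names and the packet sequences are constructed.
"""
import math

SMALL, MEDIUM, LARGE = 0, 1, 2   # payload-size bins (observation alphabet)


def _logsumexp(xs):
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))


class DiscreteHMM:
    """First-order HMM with discrete emissions.  Every probability must be
    strictly positive: a zero would break log() and make the model reject
    any flow containing a single unexpected packet."""

    def __init__(self, start, trans, emit):
        for row in [start, *trans, *emit]:
            if abs(sum(row) - 1.0) > 1e-9 or min(row) <= 0.0:
                raise ValueError("rows must be strictly positive and sum to 1")
        self.log_start = [math.log(p) for p in start]
        self.log_trans = [[math.log(p) for p in row] for row in trans]
        self.log_emit = [[math.log(p) for p in row] for row in emit]

    def log_likelihood(self, obs):
        """log P(obs | model) via the forward algorithm in the log domain."""
        if not obs:
            raise ValueError("empty observation sequence")
        n = len(self.log_start)
        alpha = [self.log_start[i] + self.log_emit[i][obs[0]] for i in range(n)]
        for o in obs[1:]:
            alpha = [
                _logsumexp([alpha[i] + self.log_trans[i][j] for i in range(n)])
                + self.log_emit[j][o]
                for j in range(n)
            ]
        return _logsumexp(alpha)

    def probability(self, obs):
        return math.exp(self.log_likelihood(obs))


# Constructed models.  State semantics are a modelling assumption:
#   peer_list_exchange: request/reply ping-pong of small/medium packets
#   payload_download:   short handshake, then a long run of large packets
MODELS = {
    "peer_list_exchange": DiscreteHMM(
        start=[0.9, 0.1],
        trans=[[0.2, 0.8], [0.8, 0.2]],
        emit=[[0.80, 0.15, 0.05], [0.50, 0.40, 0.10]],
    ),
    "payload_download": DiscreteHMM(
        start=[0.8, 0.2],
        trans=[[0.3, 0.7], [0.05, 0.95]],
        emit=[[0.70, 0.25, 0.05], [0.05, 0.15, 0.80]],
    ),
}


def classify(obs, models=MODELS):
    """Return (best_activity, {activity: log-likelihood}) for one flow."""
    scores = {name: m.log_likelihood(obs) for name, m in models.items()}
    best = max(scores, key=scores.get)
    return best, scores


if __name__ == "__main__":
    # Constructed flows: size bins of successive encrypted packets.
    for label, flow in [
        ("ping-pong", [SMALL, MEDIUM, SMALL, MEDIUM, SMALL, SMALL, MEDIUM, SMALL]),
        ("bulk", [SMALL, SMALL, LARGE, LARGE, LARGE, LARGE, LARGE, MEDIUM, LARGE, LARGE]),
    ]:
        best, scores = classify(flow)
        print(label, "->", best, {k: round(v, 2) for k, v in scores.items()})
```

The forward algorithm, not Viterbi, is used for scoring because the question is which activity model explains the whole flow, not which state path is most likely. Summing the model's probability over every possible two-packet sequence gives exactly 1, which is the cheapest sanity check that the log-domain recursion is implemented correctly. The false-alarm figure the thesis reports depends on how well the learned models separate; with hand-set parameters like these the margin is large only because the constructed flows were chosen to be unambiguous.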
Keywords/Search Tags: P2P botnet, topology discovery, network activity identification, key node identification, Zeus