
Research On Botnets' Analysis Technologies In Large Scale Network

Posted on: 2011-09-14
Degree: Doctor
Type: Dissertation
Country: China
Candidate: R H Li
Full Text: PDF
GTID: 1118330341451696
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of information technology and the emergence of diverse network applications, computer networks have become increasingly important in our daily work and life. However, the growing number of network security incidents threatens this development. A botnet, one of the main threats to the network, is a collection of compromised computers (zombie computers, or bots) running software under a command-and-control infrastructure. Through a botnet, botmasters can easily direct many computers to launch distributed denial-of-service attacks against any website on the Internet, and can send massive volumes of spam or harvest sensitive information from the bots for economic gain. Research on botnets, in particular their effective detection and in-depth analysis, is therefore very important. This thesis is supported by several National High Technology Research and Development Plans of China ("863" Plan). Several key analysis problems for botnets in large-scale networks, namely migration, collaboration, size measurement and propagation modelling, have been investigated, building on the detection of botnets in large-scale networks. The main research covers the following topics.

1. Identifying the migration of IRC botnets from their communication count period (CCP) statistics curves. An IRC botnet is an important class of botnet built on the IRC protocol. The behaviour of an IRC botnet changing its control server is called migration. Identifying migration is essential for counting IRC botnets, measuring their size and studying their life cycle. Because unrelated IRC botnets consist of different bots, their communication count period (CCP) and communication frequency period (CFP) statistics curves differ considerably, whereas the CCP and CFP curves of a migrated IRC botnet are similar to those of the original botnet, because the two share the same bots, wholly or in part.
This thesis proposes a method for identifying migrated IRC botnets based on the Euclidean distance (the EUDMD method) and the dynamic time warping distance (the DTWMD method) between the botnets' CCP and CFP curves. To improve the computational efficiency of the dynamic time warping distance, feature points of the CCP and CFP curves are matched and an improved non-equidistant LB_PAA distance is computed to filter out data belonging to unrelated IRC botnets.

2. Identifying botnet collaboration by association analysis of the botnets' malicious behaviour. For their own safety, large botnets use a collaborative mode of control and management: several smaller botnets are each controlled through their own command-and-control channels, and all of these channels and botnets are in turn controlled by a single botnet controller. Because each small botnet's command-and-control channel is different, botnet detection methods cannot recognise the collaborating botnets as one, so identifying collaboration is very important for measuring botnet size and, especially, for discovering large botnets. Since collaborating botnets are controlled by the same botnet controller, they are essentially one botnet, and their malicious acts, including DDoS attacks and spam, are correlated in having similar targets at similar times. This thesis proposes a collaboration identification method based on correlation analysis of the targets and timing of the botnets' malicious acts. Frequent time windows of suspicious malicious behaviour are built for the botnets, and the collaboration decision is made with the sequential probability ratio test (SPRT) hypothesis test at a given test level. Experiments showed that detection accuracy grows with the size of the data set and the number of zombie host IP addresses: with a time span of 2 months and more than 40 zombie host IP addresses, the omission rate of the method is 0.

3. Measuring the scale of the botnets' infected bots.
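As an added example (not the thesis's own code or data) of the topic 1 idea, the following Python compares constructed one-day CCP curves of three botnets with the Euclidean distance (EUDMD-style), a banded dynamic time warping distance (DTWMD-style) and the standard LB_Keogh lower bound as a pre-filter; the thesis's improved non-equidistant LB_PAA bound is not reproduced, and the curves, botnet names, band width and threshold are assumptions.

```python
import math
# Constructed per-hour connection counts (24 buckets) to a C&C server, i.e. one-day
# CCP curves.  A and B share most bots (B is A after migrating); C is unrelated.
CCP_A = [5, 4, 3, 3, 4, 8, 20, 35, 40, 38, 30, 22, 18, 20, 25, 30, 36, 42, 45, 40, 30, 18, 10, 6]
CCP_B = [4, 4, 3, 4, 6, 12, 24, 36, 41, 37, 28, 20, 19, 22, 27, 32, 38, 43, 44, 38, 28, 16, 9, 5]
CCP_C = [30, 28, 25, 20, 15, 10, 6, 4, 3, 3, 4, 5, 6, 8, 10, 12, 15, 20, 25, 28, 32, 35, 33, 31]

def normalize(curve):
    """Scale a curve to unit sum so botnets of different sizes are comparable."""
    total = sum(curve)
    return [v / total for v in curve]

def euclidean(a, b):
    """EUDMD-style comparison: plain Euclidean distance between two curves."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def dtw(a, b, window):
    """DTWMD-style comparison: dynamic time warping within a Sakoe-Chiba band."""
    n, m = len(a), len(b)
    w = max(window, abs(n - m))
    d = [[math.inf] * (m + 1) for _ in range(n + 1)]
    d[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(max(1, i - w), min(m, i + w) + 1):
            d[i][j] = (a[i - 1] - b[j - 1]) ** 2 + min(d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
    return math.sqrt(d[n][m])

def lb_keogh(a, b, window):
    """LB_Keogh lower bound of dtw(a, b, window), used as a cheap pre-filter."""
    total = 0.0
    for i, x in enumerate(a):
        seg = b[max(0, i - window):i + window + 1]   # envelope of b around bucket i
        if x > max(seg):
            total += (x - max(seg)) ** 2
        elif x < min(seg):
            total += (x - min(seg)) ** 2
    return math.sqrt(total)

def migration_candidates(curves, threshold, window=2):
    """Pairs within the DTW threshold; pairs whose lower bound exceeds it skip the full DTW."""
    norm = {name: normalize(c) for name, c in curves.items()}
    names = sorted(norm)
    hits = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if lb_keogh(norm[x], norm[y], window) > threshold:
                continue
            if dtw(norm[x], norm[y], window) <= threshold:
                hits.append((x, y))
    return hits
```

Curves are normalised to unit sum first, so the comparison reflects the shape of the daily activity pattern rather than the absolute number of bots.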
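As an added example (not the thesis's own code or data) for the decision step of topic 2, the following Python runs Wald's sequential probability ratio test over constructed per-window target sets of two detected botnets; the probabilities p0 and p1, the error levels, the target labels and the window series are assumptions, and the thesis's construction of frequent time windows is not reproduced.

```python
import math

# Constructed per-time-window target sets for two detected botnets X and Y
# (labels "t1".."t9" stand in for attack targets).  In the first series the two
# botnets mostly hit a common target in the same window; in the second they rarely do.
WINDOWS_COLLAB = [
    ({"t1", "t2"}, {"t2", "t9"}), ({"t3"}, {"t3"}), ({"t4"}, set()),
    ({"t5", "t6"}, {"t6"}), ({"t7"}, {"t7", "t8"}), ({"t1"}, {"t1"}),
    ({"t2"}, {"t3"}), ({"t9"}, {"t9"}),
]
WINDOWS_INDEP = [
    ({"t1"}, {"t5"}), ({"t2"}, {"t6"}), ({"t3"}, set()), ({"t4"}, {"t7"}),
    ({"t1"}, {"t8"}), ({"t2"}, {"t2"}), ({"t3"}, {"t9"}), ({"t4"}, {"t5"}),
    ({"t1"}, {"t6"}), ({"t7"}, {"t8"}),
]

def shares_target(targets_x, targets_y):
    """Indicator for one window: did both botnets act against a common target?"""
    return bool(targets_x & targets_y)

def sprt_collaboration(windows, p0=0.1, p1=0.6, alpha=0.005, beta=0.005):
    """Wald's SPRT over the per-window indicators.
    H0: a common target appears in a window with probability p0 (independent botnets).
    H1: it appears with probability p1 (one controller behind both botnets).
    alpha/beta are the accepted false-alarm and miss rates, i.e. the test level.
    Returns (verdict, number of windows consumed before the decision)."""
    accept_h1 = math.log((1 - beta) / alpha)   # upper threshold A
    accept_h0 = math.log(beta / (1 - alpha))   # lower threshold B
    llr = 0.0                                   # cumulative log-likelihood ratio
    for n, (tx, ty) in enumerate(windows, 1):
        if shares_target(tx, ty):
            llr += math.log(p1 / p0)
        else:
            llr += math.log((1 - p1) / (1 - p0))
        if llr >= accept_h1:
            return "collaborating", n
        if llr <= accept_h0:
            return "independent", n
    return "undecided", len(windows)  # not enough evidence at this test level
```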
The scale of a botnet's infected hosts reflects its potential attack capability and is one of the indices for evaluating the threat it poses; the measurement is distorted by dynamic IP addresses and NAT IP addresses. After collaborating and migrated botnets have been detected, an accurate measurement of the botnets' infected bots can be obtained with a dynamic IP identification approach and a NAT IP identification approach. First, dynamic IP addresses among the Conficker-infected hosts are identified from the detected Conficker communication data. Second, a dynamic IP address block list, DImap, is created in the IP space based on the continuity of dynamic IP addresses. Third, dynamic IP addresses in the detected botnet data are identified according to DImap and the number of zombie hosts corresponding to each dynamic IP address block is calculated; NAT IP addresses are identified from anomalies in the bots' communication frequency and the number of zombie hosts behind each NAT IP address is calculated. Finally, an accurate measure of the number of botnet-infected hosts in the large-scale network is output.

4. The propagation model of botnet worms. Botnet worms are one of the ways botnets spread. An accurate propagation model for botnet worms can describe the propagation characteristics of botnets and forecast the trend of their propagation. Because bots differ in propagation ability, and the bots' average propagation ability varies with differences in connectivity and online rate, this thesis introduces the parameter of the bots' average propagation ability and derives the ADSIR propagation model for botnet worms from the DSIR propagation model. The ADSIR model was validated against the detected Conficker data, and the propagation trend of Conficker over a certain time interval was predicted with it.
In summary, this thesis has investigated a number of key technologies for the analysis of botnets in large-scale networks. Several mathematical models, approaches and algorithms have been proposed. The thesis is expected to advance both the theoretical and the implementation-oriented research on botnets.
Keywords/Search Tags: Large scale network, Botnet, IRC botnet, Migration, Collaboration, Size measure, Footprint, Botnet worm, Propagation model