
Research On Key Technologies Of Coordinated Botnets Detection And Identification

Posted on: 2012-03-29
Degree: Doctor
Type: Dissertation
Country: China
Candidate: T N Zang
Full Text: PDF
GTID: 1228330395986051
Subject: Computer application technology

Abstract/Summary:
With the widespread use of the Internet, some malware is spreading like a plague. There are various kinds of attacks and fraudulent activities on the Internet, and the bot is one of the most advanced forms of malware. Attackers build a botnet from compromised, controlled computers, called zombies, which run bot software. This network is then used as a platform for fraudulent activities such as Distributed Denial of Service (DDoS) attacks, spam, phishing and information theft. Attackers communicate with the bots through command and control mechanisms and manage the botnet members collectively. A botnet typically contains tens to hundreds of thousands of bots, and some have several million. Given the magnitude and potency of the attacks made possible by the combined bandwidth and processing power of the zombies, botnets are now considered the largest threat to Internet security. It is therefore increasingly important to explore how to detect and identify botnets, and how to effectively track, defend against, control and reduce the damage they cause. To address these issues, the research work of this dissertation focuses on the following aspects.

Firstly, a method for detecting centralized botnets that use the IRC (Internet Relay Chat) and HTTP protocols is proposed, based on the similarity of communication flows and the properties of DNS queries. On the basis of an analysis of the features of centralized botnet communication activity and of the grouped data flows that bots generate when querying DNS, the concept of the cloud model is introduced, and a cloud model is proposed to define the dissimilarity of botnet communication flows. The group of hosts exhibiting the features of botnet communication activity is mined, and the communication flows between the bots and the DNS servers are analyzed. Finally, cluster analysis of the access frequency and of the DNS query data flows determines which computers are controlled. The proposed method is evaluated in terms of detection capability using typical botnet samples and real background traffic, and is analyzed and compared with related work; on this basis the advance made by the method is validated.

Secondly, to address the issues caused by the increasing structural complexity of botnets and the potential implicit relationships between different botnets, a measurement approach for botnet similarity is proposed. Botnet features, including the number of internal communication data flows, the number of data packets in those flows, the amount of communication between bots and the payload of data packets, are analyzed. A statistical function is presented to define the similarity of each botnet feature. On this basis, the various feature similarities are fused by means of the improved D-S (Dempster-Shafer) evidence theory, and a model is set up to analyze the relationship between botnets and to evaluate the feature similarities of two botnets comprehensively. The experimental results show that the approach presented in this dissertation is effective, and that it works well even when evaluating botnets with encrypted communication. Moreover, the approach achieves the ideal effect when applied to practical botnet data captured by the security monitoring platform of the fundamental backbone network.

Thirdly, the command and control servers of IRC and HTTP botnets are often migrated to avoid detection. To address this kind of issue, an approach for identifying the migration of a botnet is proposed. Based on the multiple features that appear during a botnet's migration, the migration relationship between two botnets is comprehensively analyzed and determined by adopting the C-F model to fuse the features. Typical botnet samples are used to conduct the evaluation experiments. The experimental results show that the approach proposed in this dissertation can effectively identify the migration activities of botnets. Compared with a method that uses only the overlap ratio of IP addresses, the presented approach still identifies migration well when the number of botnet members changes dynamically.

Finally, in order to identify the potential implicit relationships between security events occurring at different geographic positions and times in the open Internet environment, a Coordinative Work Model (CWM) based on the idea of the Universal Turing Machine is proposed to detect and identify distributed network security events. Based on this model, the Coordinative Work System (CWS) is designed and implemented to detect and identify the distributed network security events occurring in the fundamental backbone network. The CWM is analyzed in terms of its multi-layered architecture and compared with the SOC (Security Operating System) based model. Practical cases validate that CWS can coordinate different types of network equipment in the backbone network to work together effectively in tracking, detecting, analyzing and identifying botnets. The analysis of typical experimental data shows that CWS is not only able to analyze and identify the relationships between security incidents occurring at different times and places, but also effectively supports the discovery of deeply hidden threats to security raised by the correlation between different incidents.

The key technologies of botnet detection and identification are investigated in this dissertation, including the measurement of botnet similarity and the analysis of botnet migration. Methods and models for the coordinated detection and identification of botnets are presented, and the corresponding systems are developed. This is intended to detect and track botnets effectively, and to correctly identify the relationships between botnets and their scales, so as to prevent and control the damage caused by botnets. The research results of this dissertation are of important theoretical and practical significance for research on botnet defense technologies, and also have important reference value for detecting and warding off other distributed malware incidents on the Internet.
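As an added illustration of the second contribution (fusing per-feature botnet similarities), the following Python example was written for this page and is not code from the dissertation. It combines the similarity of several botnet features with the classic Dempster rule of combination over a two-hypothesis frame {related, unrelated}; the dissertation's improved D-S rule is not described on this page, so the plain rule is used. The feature names, the per-feature reliability discounts and the sample feature values are assumptions. A feature that cannot be measured, such as the payload size of encrypted traffic, is treated as vacuous evidence (all mass on the whole frame), which is what lets the fusion keep working on botnets with encrypted communication.

```python
"""Fusing per-feature botnet similarities with Dempster's rule of combination.

Frame of discernment: {related, unrelated}. Every feature contributes one mass
function over {related}, {unrelated} and Theta (the whole frame, i.e. "don't
know"). A feature that cannot be measured, such as the payload of encrypted
traffic, contributes a vacuous mass (all weight on Theta), so it neither helps
nor hurts the verdict. Feature names and reliability discounts are assumptions
for this example, not values taken from the dissertation.
"""

# Assumed per-feature reliability: how much of the evidence is committed to a
# hypothesis; the remainder (1 - reliability) stays on Theta as uncertainty.
FEATURE_RELIABILITY = {
    "internal_flows": 0.8,      # number of internal communication data flows
    "packets_per_flow": 0.8,    # data packets per flow
    "bot_to_bot_bytes": 0.8,    # volume of communication between bots
    "payload_len": 0.8,         # payload size of data packets (None if encrypted)
}

# Constructed sample feature vectors (not real botnet measurements).
BOTNET_A = {"internal_flows": 1000, "packets_per_flow": 12,
            "bot_to_bot_bytes": 48000, "payload_len": 160}
BOTNET_B = {"internal_flows": 800, "packets_per_flow": 12,
            "bot_to_bot_bytes": 36000, "payload_len": None}   # encrypted payload
BOTNET_C = {"internal_flows": 50, "packets_per_flow": 3,
            "bot_to_bot_bytes": 2000, "payload_len": 40}


def feature_similarity(a: float, b: float) -> float:
    """Scalar similarity in [0, 1]: 1 minus the relative difference of the values."""
    if a == b:
        return 1.0
    return 1.0 - abs(a - b) / max(abs(a), abs(b))


def mass_from_feature(a, b, reliability: float) -> dict:
    """Turn one feature comparison into a basic probability assignment."""
    if a is None or b is None:
        return {"related": 0.0, "unrelated": 0.0, "theta": 1.0}   # vacuous
    s = feature_similarity(a, b)
    return {"related": s * reliability,
            "unrelated": (1.0 - s) * reliability,
            "theta": 1.0 - reliability}


def dempster_combine(m1: dict, m2: dict):
    """Dempster's rule on the two-hypothesis frame; returns (mass, conflict K)."""
    conflict = m1["related"] * m2["unrelated"] + m1["unrelated"] * m2["related"]
    if conflict >= 1.0:
        raise ValueError("total conflict: the two sources cannot be combined")
    norm = 1.0 - conflict
    related = (m1["related"] * m2["related"] + m1["related"] * m2["theta"]
               + m1["theta"] * m2["related"]) / norm
    unrelated = (m1["unrelated"] * m2["unrelated"] + m1["unrelated"] * m2["theta"]
                 + m1["theta"] * m2["unrelated"]) / norm
    theta = m1["theta"] * m2["theta"] / norm
    return {"related": related, "unrelated": unrelated, "theta": theta}, conflict


def fuse_botnets(feat_a: dict, feat_b: dict, reliability=FEATURE_RELIABILITY) -> dict:
    """Combine all feature evidence; report belief, plausibility and max conflict."""
    fused = {"related": 0.0, "unrelated": 0.0, "theta": 1.0}   # start vacuous
    max_conflict = 0.0
    for name, r in reliability.items():
        m = mass_from_feature(feat_a.get(name), feat_b.get(name), r)
        fused, k = dempster_combine(fused, m)
        max_conflict = max(max_conflict, k)
    return {"belief": fused["related"],                # Bel({related})
            "plausibility": 1.0 - fused["unrelated"],  # Pl({related})
            "uncertainty": fused["theta"],
            "max_conflict": max_conflict}


if __name__ == "__main__":
    for other, label in ((BOTNET_B, "B"), (BOTNET_C, "C")):
        r = fuse_botnets(BOTNET_A, other)
        print(f"A vs {label}: belief={r['belief']:.3f} "
              f"plausibility={r['plausibility']:.3f} conflict={r['max_conflict']:.3f}")
```

The conflict term K returned by each combination step is the value a practitioner should watch: when K is large the feature sources disagree, and the normalisation in Dempster's rule can then produce an over-confident verdict from weak evidence. That well-known weakness of the plain rule is the usual motivation for the improved D-S variants the abstract refers to.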
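As an added illustration of the third contribution (identifying botnet migration), the example below was likewise written for this page and is not the dissertation's code. It fuses several migration indicators with the certainty-factor (C-F model) parallel combination rule. The indicators chosen here (member IP overlap, hand-over timing, command vocabulary), their rule strengths and the two constructed scenarios are assumptions; the second scenario reproduces the abstract's point that the IP overlap ratio alone gives a misleading negative verdict when membership churns, while the fused certainty factor stays positive.

```python
"""Certainty-factor (C-F model) fusion of evidence that botnet B is a migrated
form of botnet A.

Each evidence source yields a certainty factor in [-1, 1] for the hypothesis
"B is a migration of A" (positive supports it, negative refutes it); the factors
are merged with the classic parallel-combination rule. The feature rules, their
strengths and the sample data are constructed for this example, not taken from
the dissertation.
"""


def combine_cf(cf1: float, cf2: float) -> float:
    """Parallel combination of two certainty factors (MYCIN rule)."""
    if cf1 >= 0 and cf2 >= 0:
        return cf1 + cf2 - cf1 * cf2
    if cf1 < 0 and cf2 < 0:
        return cf1 + cf2 + cf1 * cf2
    return (cf1 + cf2) / (1.0 - min(abs(cf1), abs(cf2)))


def member_overlap(old_members: set, new_members: set) -> float:
    """Share of the old botnet's members that reappear in the new one."""
    return len(old_members & new_members) / len(old_members) if old_members else 0.0


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity of two sets."""
    return len(a & b) / len(a | b) if a | b else 0.0


def migration_evidence(old: dict, new: dict) -> list:
    """Per-feature certainty factors (hypothetical rule strengths)."""
    evidence = []
    # IP overlap alone: maps overlap 0..1 onto CF -0.9..+0.9
    overlap = member_overlap(old["members"], new["members"])
    evidence.append(("member_overlap", 0.9 * (2.0 * overlap - 1.0)))
    # Hand-over timing: new C&C first seen within an hour after the old one went silent
    gap = new["first_seen"] - old["last_seen"]
    evidence.append(("handover_timing", 0.8 if 0 <= gap <= 3600 else -0.3))
    # Command vocabulary observed on both C&C channels
    cmd_sim = jaccard(old["commands"], new["commands"])
    evidence.append(("command_similarity", 0.7 * (2.0 * cmd_sim - 1.0)))
    return evidence


def migration_cf(old: dict, new: dict) -> float:
    """Fuse all evidence into one certainty factor for "new is a migration of old"."""
    total = 0.0   # combine_cf(0, x) == x, so 0 is the neutral start
    for _, cf in migration_evidence(old, new):
        total = combine_cf(total, cf)
    return total


# Constructed sample data: 100 zombies under the old C&C, timestamps in epoch seconds.
OLD_BOTNET = {
    "members": {f"10.0.0.{i}" for i in range(1, 101)},
    "last_seen": 1_700_000_000,
    "commands": {"ddos", "scan", "update", "spam"},
}
# Scenario 1: stable membership, 80 of the 100 old bots follow the new C&C.
NEW_STABLE = {
    "members": {f"10.0.0.{i}" for i in range(21, 101)} | {f"10.0.1.{i}" for i in range(1, 21)},
    "first_seen": 1_700_000_600,
    "commands": {"ddos", "scan", "update", "spam"},
}
# Scenario 2: heavy churn, only 20 old bots remain, but timing and commands match.
NEW_CHURNED = {
    "members": {f"10.0.0.{i}" for i in range(81, 101)} | {f"10.0.1.{i}" for i in range(1, 81)},
    "first_seen": 1_700_000_600,
    "commands": {"ddos", "scan", "update", "spam"},
}


if __name__ == "__main__":
    for label, new in (("stable", NEW_STABLE), ("churned", NEW_CHURNED)):
        parts = ", ".join(f"{n}={cf:+.2f}" for n, cf in migration_evidence(OLD_BOTNET, new))
        print(f"{label}: {parts} -> fused CF {migration_cf(OLD_BOTNET, new):+.3f}")
```

In the churned scenario the overlap-only factor is about -0.54, i.e. "not a migration", yet the fused factor is about +0.87 because the hand-over timing and the shared command vocabulary outweigh it. That is the behaviour the abstract claims for the multi-feature approach when the number of botnet members changes dynamically.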
Keywords/Search Tags: Botnet, Universal Turing Machine, Similarity, Botnet Migration, Coordinated Analysis