A botnet is a collection of Internet-connected programs that communicate with other, similar programs in order to perform specially designated tasks. Botnets are dangerous, concealed and hard to remove; they have become one of the biggest threats to the Internet and, consequently, a hot area of research. This dissertation advances the theory and practice of botnet detection, countermeasures and suppression. It has five main parts.

The first part summarizes the definition, history, classification, damage, mechanism and new trends of botnets, and then gives a brief introduction to botnet detection and botnet countermeasures.

The second part presents an innovative multiple-feature detection algorithm based on machine learning. We first model the connection and communication behaviour of a botnet with a Markov chain. We then build a detection model for the similarity of bots, based on statistics and clustering, and a detection model for encrypted data flows, based on entropy theory. On this basis we propose a novel meta-level classification algorithm that combines content features and flow features. We evaluate six machine learning algorithms, namely Naive Bayes, Support Vector Machine, J48, Rotation Forest, PART and Neural Network, for constructing the base-level classifiers; the final meta-level classifier is constructed with a least squares (RLS) algorithm. The experiments are performed on the ISOT dataset, and the results demonstrate that our meta-level algorithm is more precise than the base-level classifiers.

The third part describes three novel anti-botnet techniques. The first is a test case generator model. A communication model of the botnet command and control system is first established on the basis of an extended finite state machine; a black-box fuzzing method against botnet service programs is then proposed, together with a test case generator driven by state transitions.
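Before continuing with the anti-botnet techniques, here is an added example of the second part's detection structure: an entropy feature over payloads, base-level scorers, and a meta-level combiner fitted by least squares. This is illustrative code written for this page, not code from the dissertation. It assumes two hand-written rules in place of the trained Naive Bayes, SVM, J48, Rotation Forest, PART and neural-network models, reads the unexpanded acronym RLS as regularised (ridge) least squares, and uses constructed sample flows rather than ISOT data.

```python
import math
from typing import Callable, List, Sequence

# --- content feature: Shannon entropy of a payload, in bits per byte ---
def shannon_entropy(data: bytes) -> float:
    """Encrypted or compressed data sits near 8.0; plain protocol text sits around 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

# --- base-level scorers ---
# The dissertation trains six classifiers here.  As an assumption made for this
# self-contained example, two hand-written rules stand in for them; each maps a
# payload to a bot-likelihood score in [0, 1].
def entropy_scorer(payload: bytes) -> float:
    return min(shannon_entropy(payload) / 8.0, 1.0)

def nonprintable_scorer(payload: bytes) -> float:
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return 1.0 - printable / len(payload)

BASE_SCORERS: List[Callable[[bytes], float]] = [entropy_scorer, nonprintable_scorer]

# --- meta-level combiner: least squares over the base-level outputs ---
def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting; adequate for these tiny systems."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular system")
        p = m[col][col]
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]

def fit_meta_weights(base_outputs: Sequence[Sequence[float]], labels: Sequence[float],
                     ridge: float = 0.0) -> List[float]:
    """Solve (X^T X + ridge*I) w = X^T y.  X carries a leading constant-1 column (an
    unpenalised bias).  ridge=0 is plain least squares; ridge>0 regularises the fit."""
    x = [[1.0] + list(row) for row in base_outputs]
    k = len(x[0])
    xtx = [[sum(r[i] * r[j] for r in x) + (ridge if i == j and i > 0 else 0.0)
            for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(x, labels)) for i in range(k)]
    return solve_linear(xtx, xty)

def meta_score(weights: Sequence[float], base_scores: Sequence[float]) -> float:
    return weights[0] + sum(w * s for w, s in zip(weights[1:], base_scores))

# --- constructed sample flows (invented for this example, not ISOT data) ---
def pseudo_random_bytes(seed: int, n: int = 512) -> bytes:
    """Deterministic LCG output standing in for an encrypted C&C payload."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) % (1 << 31)
        out.append((x >> 16) & 0xFF)
    return bytes(out)

TRAIN_FLOWS = [  # label 1 = bot traffic, 0 = benign
    {"payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: curl/7.0\r\nAccept: */*\r\n\r\n", "label": 0},
    {"payload": b"EHLO mail.example.test\r\nMAIL FROM:<alice@example.test>\r\nRCPT TO:<bob@example.test>\r\nDATA\r\n", "label": 0},
    {"payload": b'{"status": "ok", "items": [1, 2, 3], "message": "hello world"}', "label": 0},
    {"payload": pseudo_random_bytes(1), "label": 1},
    {"payload": pseudo_random_bytes(2), "label": 1},
    {"payload": pseudo_random_bytes(3), "label": 1},
]
TEST_FLOWS = [
    pseudo_random_bytes(99),
    b"POST /login HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 0\r\n\r\n",
]

def score_flows(train, test, ridge: float = 0.1) -> List[float]:
    """Fit the meta-level weights on labelled flows, then score unlabelled payloads."""
    base_train = [[s(f["payload"]) for s in BASE_SCORERS] for f in train]
    weights = fit_meta_weights(base_train, [float(f["label"]) for f in train], ridge)
    return [meta_score(weights, [s(p) for s in BASE_SCORERS]) for p in test]

def detect(train, test, threshold: float = 0.5) -> List[int]:
    return [1 if s >= threshold else 0 for s in score_flows(train, test)]

if __name__ == "__main__":
    for payload, s in zip(TEST_FLOWS, score_flows(TRAIN_FLOWS, TEST_FLOWS)):
        print(f"entropy={shannon_entropy(payload):.2f}  meta_score={s:.2f}")
```

The meta-level learner never sees raw payloads, only the base-level scores, which is what makes the stacking scheme independent of how each base classifier was built; swapping the two rule scorers for trained models changes nothing in `fit_meta_weights`.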
The test case generator model first explores every valid network-state test path in order to find the state-transfer processes that can trigger vulnerabilities. It then generates variation factors for the original test vectors using a combination of static and dynamic methods. Both the test case generator and the variation model and method are designed to produce high-quality test cases. To improve detection efficiency and coverage rate, a fitness function and algorithm based on the transfer flow of risk states is designed to guide the evaluation of test cases and increase the probability of detecting a vulnerability.

Focusing on the fragility of botnet topology, the second technique presents a successive fault counter-strategy based on botnet bridge nodes, which can effectively detect cascading failure in a semi-distributed botnet. Under this strategy, a bridge node fault model is established on the basis of the load-capacity model of complex networks. The corresponding theoretical analysis and numerical simulation demonstrate the effectiveness of the method.

The third technique concerns the analysis of botnet countermeasures, including Bagle-CB FTP server vulnerability detection, peer-to-peer cascading failures in the command and control servers of an Eggdrop botnet variant, and Zeus bot cybersquatting.

The fourth part presents botnet suppression techniques, in which progress has been made in three respects. First, starting from the two-factor network worm propagation model and combining scale-free network features with APT attacks, the SAPM botnet propagation model is proposed, and a kinetic analysis of APT-based botnet propagation in the complex network environment is carried out, which theoretically establishes the optimal countermeasure against propagation.
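As an added illustration of the state-transition-driven test case generator described in the third part (not the dissertation's own tool), the following Python enumerates every valid transition path of a protocol's extended finite state machine, ranks paths with a fitness value that accumulates the risk weight of the transitions they exercise, and derives test sequences by mutating one attacker-controlled field at a time. The protocol, its risk weights, the fitness formula and the three mutators are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Transition:
    src: str
    dst: str
    template: str   # message that drives the transition; "{name}" marks an untrusted field
    risk: float     # assumed weight: how much untrusted data the server must parse here

# Constructed, hypothetical command-protocol EFSM (not a model of any real botnet).
PROTOCOL: List[Transition] = [
    Transition("INIT", "AUTH", "HELLO {id}", 1.0),
    Transition("AUTH", "READY", "AUTH {token}", 1.0),
    Transition("READY", "BUSY", "CMD {payload}", 2.0),
    Transition("BUSY", "READY", "ACK", 0.0),
    Transition("READY", "CLOSED", "BYE", 0.0),
]

def enumerate_paths(transitions: List[Transition], start: str,
                    max_len: int) -> List[Tuple[Transition, ...]]:
    """Every valid transition sequence from `start` of length 1..max_len (revisits allowed)."""
    by_src: Dict[str, List[Transition]] = {}
    for t in transitions:
        by_src.setdefault(t.src, []).append(t)
    paths: List[Tuple[Transition, ...]] = []

    def walk(state: str, path: Tuple[Transition, ...]) -> None:
        for t in by_src.get(state, []):
            new = path + (t,)
            paths.append(new)
            if len(new) < max_len:
                walk(t.dst, new)

    walk(start, ())
    return paths

def fitness(path: Tuple[Transition, ...]) -> float:
    """Assumed fitness: total risk carried along the path, mildly discounted by length,
    so paths that repeatedly reach risky states are tried first."""
    return sum(t.risk for t in path) / (1.0 + 0.1 * len(path))

FIELD = re.compile(r"\{\w+\}")

# Static mutators applied to an untrusted field (assumed set for this example).
MUTATORS = {
    "empty": lambda: "",
    "long": lambda: "A" * 1024,
    "boundary": lambda: "-1",
}

def render(template: str, value: str = "valid") -> str:
    return FIELD.sub(lambda _m: value, template)

def generate_test_cases(path: Tuple[Transition, ...]) -> List[List[str]]:
    """Baseline message sequence plus one sequence per (mutable message, mutator).
    Only one field is mutated per case so a failure is attributable to one message."""
    baseline = [render(t.template) for t in path]
    cases = [baseline]
    for i, t in enumerate(path):
        if not FIELD.search(t.template):
            continue
        for _name, make in MUTATORS.items():
            variant = list(baseline)
            variant[i] = render(t.template, make())
            cases.append(variant)
    return cases

def plan(transitions: List[Transition], start: str, max_len: int, top_k: int):
    """Rank all paths by fitness and expand the best `top_k` into test sequences."""
    ranked = sorted(enumerate_paths(transitions, start, max_len), key=fitness, reverse=True)
    return [(p, generate_test_cases(p)) for p in ranked[:top_k]]

if __name__ == "__main__":
    for path, cases in plan(PROTOCOL, "INIT", 5, 2):
        print(" -> ".join(t.dst for t in path), f"fitness={fitness(path):.2f}", f"cases={len(cases)}")
```

Driving the target through the full path before each mutated message is what distinguishes this from blind fuzzing: a parser bug in the CMD handler is only reachable once HELLO and AUTH have moved the server into READY, and the path enumeration guarantees those prerequisites are replayed for every case.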
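Returning to the second technique of the third part, the bridge-node cascading-failure strategy, here is an added simulation (not the dissertation's model or code) of a load-capacity cascade in the style of Motter and Lai: each node's load is its betweenness centrality, its capacity is (1 + alpha) times its initial load, and removing a bridge node re-routes cross-group traffic until overloaded nodes fail in successive rounds. The ten-node semi-distributed topology and the tolerance values are constructed for this example.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed semi-distributed topology: two fully meshed peer groups (a1..a4, b1..b4)
# that talk to each other only through the bridge nodes x and y.  Not a real botnet.
EDGES = [
    ("a1", "a2"), ("a1", "a3"), ("a1", "a4"), ("a2", "a3"), ("a2", "a4"), ("a3", "a4"),
    ("b1", "b2"), ("b1", "b3"), ("b1", "b4"), ("b2", "b3"), ("b2", "b4"), ("b3", "b4"),
    ("a1", "x"), ("x", "b1"),
    ("a2", "y"), ("y", "b2"),
]

def build_graph(edges) -> Dict[str, Set[str]]:
    adj: Dict[str, Set[str]] = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def betweenness(adj: Dict[str, Set[str]]) -> Dict[str, float]:
    """Brandes' algorithm; counts each unordered pair once (undirected graph)."""
    bc = {v: 0.0 for v in adj}
    for s in adj:
        order: List[str] = []
        pred: Dict[str, List[str]] = {v: [] for v in adj}
        sigma = {v: 0 for v in adj}
        dist = {v: -1 for v in adj}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            order.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {v: 0.0 for v in adj}
        while order:
            w = order.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: b / 2.0 for v, b in bc.items()}

def simulate_cascade(adj: Dict[str, Set[str]], target: str,
                     alpha: float) -> Tuple[Set[str], int]:
    """Remove `target`, then repeatedly fail every node whose re-routed load exceeds
    its capacity (1 + alpha) * initial load.  Returns (all failed nodes, cascade rounds)."""
    initial = betweenness(adj)
    capacity = {v: (1.0 + alpha) * load for v, load in initial.items()}
    alive = set(adj) - {target}
    failed = {target}
    rounds = 0
    while True:
        sub = {v: adj[v] & alive for v in alive}
        load = betweenness(sub)
        overloaded = {v for v in alive if load[v] > capacity[v]}
        if not overloaded:
            return failed, rounds
        alive -= overloaded
        failed |= overloaded
        rounds += 1

def rank_bridges(adj: Dict[str, Set[str]]) -> List[Tuple[str, float]]:
    """Nodes ordered by the load they carry; candidates for the counter-strategy."""
    return sorted(betweenness(adj).items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    g = build_graph(EDGES)
    print("highest-load nodes:", rank_bridges(g)[:3])
    for alpha in (0.2, 1.0):
        failed, rounds = simulate_cascade(g, "x", alpha)
        print(f"alpha={alpha}: failed={sorted(failed)} rounds={rounds}")
```

With a tolerance of 0.2 the loss of x pushes all cross-group traffic through a2, y and b2, each of which then carries roughly twice its designed load and fails, splitting the botnet in one round; with a tolerance of 1.0 the spare capacity absorbs the re-routed load and nothing cascades. That dependence on the capacity margin is exactly what the load-capacity analysis is meant to expose.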
Second, APT-based botnet propagation is studied and a suppression strategy is proposed. It consists of an innovative vulnerability detection algorithm for document-format processing software in the Linux/Unix environment, together with the corresponding test tools, in order to inhibit the core part of botnet propagation. Third, given that the software handling different formats on Linux/Unix systems is mostly open source, and after an in-depth study of the disadvantages of dynamic vulnerability detection, a construction method for a symbolic model of program path constraints, the PWA coverage testing algorithm and the white-box EWFT prototype tool are designed. Experimental results show that the PWA algorithm performs better than the internationally popular SAGE test algorithm and can detect different kinds of vulnerabilities, which will play a key role in achieving active defense against APT-based botnet propagation.

The fifth part describes the engineering implementation. First, an overview is given of the architecture, functional modules and key technologies of the cloud-based botnet monitoring and mitigation prototype system. Second, by taking full advantage of the powerful computing capability and widely distributed nodes of an Apache Spark cloud, functions such as botnet detection, monitoring, countermeasure and suppression are realized. In practical applications, good social benefits have been achieved.

The dissertation makes four main contributions. First, to address the weakness of feature- and content-based methods in detecting encrypted traffic, we establish three models: a state transition splice detection model, a node naming similarity detection model and an encrypted data communication entropy estimate detection model. Based on these models, we combine state transfer, identification and encrypted session information to extract the feature vector of a botnet.
We also build a combined classifier using a least squares estimation algorithm, which obtains more satisfactory detection. Second, for the extended finite state machine based communication model of the botnet command system, we propose a test case generation model driven by the transfer state set, study black-box fuzzing methods for botnet service programs, and improve the capability of finding vulnerabilities in botnet service programs. Third, we discover the existence of cascading failures in semi-distributed botnet networks. A counter-strategy against botnet bridge nodes is proposed on the basis of cascading failure, and a bridge node cascading model is established on the basis of the capacity model of complex networks. Finally, we complete the corresponding theoretical analysis and numerical simulation, which verify the effectiveness of the counter-strategy and open up a new direction for botnet countermeasure research. Fourth, for the propagation characteristics of APT-based botnet attacks, we establish the SAPM botnet propagation model and complete its dynamics analysis in the complex network environment, which improves the software vulnerability testing algorithm in the Linux/Unix environment. We develop a white-box fuzzing tool to mitigate the spread of botnets. Finally, the PWA coverage testing algorithm is designed and the EWFT prototype tool is built. The experiments verify that, compared with the internationally popular SAGE test algorithm, the PWA algorithm performs much better, improving the test coverage of the program execution path space and the depth of path testing.
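As an added illustration of the propagation modelling behind the fourth contribution, the following Python integrates the two-factor worm propagation model of Zou, Gong and Towsley, which the abstract names as the starting point of the SAPM model. It is not the SAPM model itself: the scale-free and APT extensions are not reproduced, and the rate constants, time step and initial infection fraction are assumptions chosen for this example. Populations are expressed as fractions of the host population N.

```python
from typing import Dict

def simulate_two_factor(beta0: float = 1.0, eta: int = 3, gamma: float = 0.05,
                        mu: float = 0.1, i0: float = 0.001, dt: float = 0.01,
                        t_end: float = 60.0) -> Dict[str, float]:
    """Forward-Euler integration of the two-factor worm model with fractions of N:
        s: susceptible   i: infectious   r: removed (cleaned)   q: patched while susceptible
        beta(t) = beta0 * (1 - i)^eta     factor 1: scanning slows as traffic congests
        dq/dt   = mu * s * (i + r)        factor 2: patching tracks the worm's visibility
        di/dt   = beta(t) * s * i - gamma * i
        dr/dt   = gamma * i
        ds/dt   = -beta(t) * s * i - dq/dt
    All constants are assumed values for this example."""
    s, i, r, q = 1.0 - i0, i0, 0.0, 0.0
    peak_i, max_drift = i, 0.0
    for _ in range(int(round(t_end / dt))):
        beta = beta0 * (1.0 - i) ** eta
        new_infections = beta * s * i
        cleaned = gamma * i
        patched = mu * s * (i + r)
        s += dt * (-new_infections - patched)
        i += dt * (new_infections - cleaned)
        r += dt * cleaned
        q += dt * patched
        peak_i = max(peak_i, i)
        max_drift = max(max_drift, abs(s + i + r + q - 1.0))   # s+i+r+q must stay 1
    return {"peak_infected": peak_i, "final_infected": i, "final_removed": r,
            "final_patched": q, "final_susceptible": s, "conservation_drift": max_drift}

def patching_effect(mu_values) -> Dict[float, float]:
    """Peak infected fraction as a function of the patching rate mu (all else default)."""
    return {mu: simulate_two_factor(mu=mu)["peak_infected"] for mu in mu_values}

if __name__ == "__main__":
    for mu, peak in patching_effect([0.0, 0.05, 0.1, 0.2]).items():
        print(f"mu={mu:<5} peak infected fraction={peak:.3f}")
```

The model's practical lesson for suppression is visible in `patching_effect`: raising the patching rate mu lowers the epidemic peak before the congestion factor does, which is the lever an active-defense strategy controls, whereas the congestion term only slows the worm once it is already large.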