
Research On Traffic Based Botnet Detection Approaches

Posted on: 2014-06-13
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H L Jiang
Full Text: PDF
GTID: 1268330425485810
Subject: Computer application technology

Abstract/Summary:
A botnet is a group of computers controlled by attackers and used to carry out various types of malicious behavior, such as distributed denial of service, spam, phishing and theft of sensitive information. Botnets are one of the serious threats to the Internet, and detecting them effectively has become an important research problem. Botnet detection is currently done by analyzing network traffic. Approaches of this kind have produced some research results, but they have obvious shortcomings: relying on the similarity of botnet traffic alone is prone to false positives; blacklists are needed; detection depends on the botnet carrying out malicious attacks; and detection efficiency is low. To address these problems, this thesis proposes four botnet detection approaches. The main contributions and innovations are as follows:

(1) A botnet detection approach based on similarity and stability. Bots in the same botnet run the same program, so their traffic is both similar and stable. Existing approaches based on traffic similarity alone are prone to false positives. This thesis proposes an approach that combines the similarity and the stability of traffic. The approach takes aggregate flows as its analysis objects: it first clusters the aggregate flows to obtain their similarity scores, then computes a stability score for each aggregate flow with a stability measure algorithm, and derives the final result from the similarity and stability scores together. The experimental results show that the detection rate of the approach is higher than that of the pure similarity approach and its false positive rate is lower than that of the pure stability approach, so good performance is achieved.

(2) A botnet detection approach that analyzes DNS traffic visually. To evade detection, botnets use dynamic domain name technology, so bots frequently issue DNS queries to obtain the current IP address of the command and control server, and the botnet produces a large volume of DNS traffic. Since existing approaches that use DNS traffic need blacklists, this thesis proposes a visual botnet detection approach based on DNS traffic. The approach extracts server-host pairs and their features from DNS traffic, computes the dissimilarity matrix of the server-host pairs, and then detects botnets with the VAT (Visual Assessment of cluster Tendency) algorithm. The approach presents the dissimilarity matrix as a digital image, from which it can be clearly seen whether a botnet cluster exists and how many clusters there are and how large they are. The experimental results show that the approach detects botnets effectively; compared with the classic DNS-based detection approach, its total false rate is lower.

(3) A botnet detection approach based on flow relevance relationships. Since distributed botnets have no centralized command and control server, they are harder to detect than centralized botnets. Bots in a distributed botnet maintain neighbor lists and frequently contact the peers in those lists to obtain commands and updates, and the flows produced by these contacts are related to one another. To detect this kind of botnet, the thesis proposes an approach based on the flow relevance relationship: it first obtains flows and then detects botnets from the relevance relationship among them. The experimental results show that botnets can be detected by extracting the flow relevance relationship. Compared with existing approaches, this approach needs no external system and does not depend on malicious behavior of the botnet.

(4) A botnet detection approach based on a cloud collaborative environment. As botnets evolve, detection approaches become more complex and the amount of computation grows, so it is hard to detect botnets in a high-speed network environment by running a serial algorithm on a single server. Cloud computing has powerful data analysis and processing capabilities and offers a solution for botnet detection. This thesis proposes a botnet detection approach based on a cloud collaborative environment, composed of cloud clients and cloud servers that complete detection collaboratively: cloud clients upload their own suspicious traffic to the cloud servers, and the cloud servers collect and process the traffic from the clients and then detect botnets with a MapReduce-based algorithm. The experimental results show that the approach detects botnets effectively, and that it becomes more efficient as the number of computing nodes increases.

In summary, the thesis proposes four botnet detection approaches based on network traffic analysis and achieves some research results. The work of the thesis has meaning and value for promoting botnet detection.
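The following is an added example of the visual DNS approach described in (2); it is not code from the thesis. It assumes three per-server-host-pair features (query count, mean inter-query interval in seconds, number of distinct resolved IPs), min-max normalization, Euclidean dissimilarity, a link-weight threshold of 0.15 and a minimum block size of 3, all chosen for this illustration; the sample pairs are constructed. It implements the VAT reordering (start from an endpoint of the largest dissimilarity, then repeatedly append the unvisited object nearest to the visited set), renders the reordered matrix as a text "image", and reads dark diagonal blocks off the ordering by cutting where a link weight exceeds the threshold.

```python
"""VAT-style clustering of DNS server-host pairs (added example, not the thesis's code)."""
import bisect
import math

# Constructed sample: four clients resolving one dynamic domain with near-identical
# cadence and IP churn, plus three ordinary clients with unrelated lookup patterns.
# Columns: domain, client, query_count, mean_interval_s, distinct_ips (all constructed).
SAMPLE_PAIRS = [
    ("dyn-c2.example", "10.0.0.11", 600, 60, 40),
    ("dyn-c2.example", "10.0.0.12", 610, 58, 41),
    ("dyn-c2.example", "10.0.0.13", 590, 62, 39),
    ("dyn-c2.example", "10.0.0.14", 605, 61, 40),
    ("cdn.example", "10.0.0.50", 45, 1800, 3),
    ("mail.example", "10.0.0.51", 20, 3600, 1),
    ("news.example", "10.0.0.52", 80, 900, 2),
]


def min_max_normalize(rows):
    """Scale each feature column to [0, 1] so no single unit dominates the distance."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]
    return [[(v - l) / s for v, l, s in zip(r, lo, span)] for r in rows]


def dissimilarity_matrix(vectors):
    """Pairwise Euclidean distances: D[i][j] == D[j][i] and D[i][i] == 0."""
    n = len(vectors)
    return [[math.dist(vectors[i], vectors[j]) for j in range(n)] for i in range(n)]


def vat_order(D):
    """VAT reordering (Bezdek and Hathaway): begin at one endpoint of the largest
    dissimilarity, then keep appending the unvisited object closest to the visited
    set (Prim's MST order). Returns the permutation and the link weight that
    brought in each appended object."""
    n = len(D)
    pairs = [(i, j) for i in range(n) for j in range(n)]
    first = max(pairs, key=lambda ij: D[ij[0]][ij[1]])[0]
    order, links = [first], []
    remaining = set(range(n)) - {first}
    while remaining:
        i, j = min(((i, j) for i in order for j in remaining),
                   key=lambda ij: D[ij[0]][ij[1]])
        order.append(j)
        links.append(D[i][j])
        remaining.remove(j)
    return order, links


def diagonal_blocks(order, links, threshold):
    """Split the VAT ordering into dark diagonal blocks: a link weight above the
    threshold marks a boundary between two blocks."""
    blocks = [[order[0]]]
    for obj, weight in zip(order[1:], links):
        if weight > threshold:
            blocks.append([])
        blocks[-1].append(obj)
    return blocks


def render_ascii(D, order):
    """Text stand-in for the VAT image: darker glyph means smaller dissimilarity,
    so clusters show up as dark square blocks along the diagonal."""
    cuts, shades = [0.1, 0.3, 0.6, 1.0], "#+-. "
    return "\n".join(
        "".join(shades[bisect.bisect_right(cuts, D[i][j])] for j in order)
        for i in order
    )


def detect_botnet_clusters(pairs, threshold=0.15, min_size=3):
    """Return the (domain, client) labels of every diagonal block with at least
    min_size members: many clients sharing one lookup pattern for one server is
    the signal the visual approach looks for."""
    vectors = min_max_normalize([p[2:] for p in pairs])
    D = dissimilarity_matrix(vectors)
    order, links = vat_order(D)
    blocks = diagonal_blocks(order, links, threshold)
    return [[pairs[i][:2] for i in block] for block in blocks if len(block) >= min_size]


if __name__ == "__main__":
    vec = min_max_normalize([p[2:] for p in SAMPLE_PAIRS])
    D = dissimilarity_matrix(vec)
    order, links = vat_order(D)
    print(render_ascii(D, order))
    for cluster in detect_botnet_clusters(SAMPLE_PAIRS):
        print("candidate botnet cluster:", cluster)
```

Run stand-alone, the script prints a 7x7 text image whose single 4x4 dark block is the four clients of dyn-c2.example, while each ordinary client forms its own one-cell block. The threshold and minimum block size are the tuning knobs: a looser threshold merges benign pairs with similar cadence into larger blocks, which is exactly the false-positive pressure the visual inspection is meant to expose.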
Keywords/Search Tags: Botnet, Detection Rate, Network Traffic, Collaborative Environment, MapReduce