In recent years, the development of new Internet technologies and applications has made people's daily life and work ever more convenient, while network security faces a steady stream of new challenges. Network attacks, including distributed denial-of-service attacks, e-mail phishing, ransomware and bank account theft, cause huge losses to individuals, businesses and even countries. Behind these attacks, botnets have become a universal platform and the source of many of them. Their reach has expanded from traditional personal computers to smartphones, industrial control systems, cloud services, routers, IP cameras and other kinds of devices. Their changing forms and abundant attack methods pose great challenges to defenders. In addition, in many state-sponsored APT attack cases, command and control technology originating from botnets has been widely used. Therefore, the author believes that botnets, as effective attack weapons, will play an important role in future cyberspace warfare.

Based on the above facts, several research directions are significant for improving botnet security incident emergency response capabilities, increasing China's deterrence capability in cyberspace warfare and protecting China from cyberspace threats: studying the core mechanisms of botnets, focusing on their evolution, comprehensively summarizing the key botnet attack and defense technologies, forecasting new botnet forms, and improving existing botnet defense systems.

In this thesis, the author researches both the attack and the defense technologies of botnets. From the attacker's perspective, the thesis focuses on the evolution of botnets, takes the behavioral difference between a controlled analysis environment and an ordinary infected host as the breakthrough point, and studies high-confrontation (anti-analysis) and intelligent control techniques in order to predict possible future botnet command and control channel models and survival models.
From the defender's perspective, the thesis analyzes the key features of botnet communication behavior for network-level botnet detection. The main contents of the thesis are botnet analysis and evaluation, botnet survival model research, command and control channel model research, and botnet detection technology research.

In the direction of botnet analysis and evaluation, the thesis first summarizes and analyzes the defects of existing botnet life-cycle models, then presents a life-cycle model based on the hidden Markov model, which is suitable for fine-grained description of the state transitions of a botnet. From the attacker's point of view, the author extracts nine key attributes, explains the meaning and expectations of each, and uses these attributes to analyze the weaknesses of representative command and control protocols. Building on published performance analysis methods, a quantitative botnet evaluation model over seven key attributes is proposed. The model supports a comprehensive assessment of a botnet and fills a gap left by existing research. The author selected Mirai as the case study and quantitatively analyzed its key attributes from third-party monitoring data and volunteer observation data. Simulation under the well-known SI and SIR spread models shows that Mirai could infect the vulnerable hosts across the whole Internet within three hours; under certain conditions, Mirai could use a new vulnerability to infect every vulnerable host within one hour, which reveals the seriousness of the current Internet of Things botnet threat.

Besides, taking time as the clue and drawing on published botnet case reports and academic research results, the thesis sums up the evolution of botnet attack technology, dividing the development of botnets into two stages, "PC attack" and "extensive attack".
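The SI and SIR spread models referred to above are standard epidemic models; the following is an added example, not the thesis's own simulation or Mirai's measured parameters. It models a Mirai-style worm that scans random IPv4 addresses, so that the per-bot infection rate is the scan rate times the fraction of the address space that is still susceptible. The host count, scan rate and removal rate are illustrative assumptions, and the functions `simulate`, `final_size` and `time_to_fraction` are this example's own names.

```python
"""SI / SIR simulation of a random-scanning worm (constructed example).

Each infected host scans `scan_rate` addresses per second; a scanned address
belongs to a still-susceptible vulnerable host with probability S / 2^32.
Setting removal_rate > 0 turns the SI model into SIR (hosts rebooted or
patched leave the infected pool).  All parameter values used here are
assumptions for illustration, not measured Mirai figures.
"""

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner may hit


def simulate(n_vulnerable, initial_infected, scan_rate, removal_rate=0.0,
             dt=1.0, max_time=24 * 3600):
    """Integrate the SI (removal_rate == 0) or SIR model with Euler steps.

    Returns a list of (t, S, I, R) samples, one per step, until the
    susceptible pool is exhausted, the infection dies out, or max_time."""
    s = float(n_vulnerable - initial_infected)
    i = float(initial_infected)
    r = 0.0
    t = 0.0
    history = [(t, s, i, r)]
    while t < max_time and i > 1e-9 and s > 0.5:
        # Expected new infections this step: bots * scans * P(hit susceptible)
        new_infections = min(scan_rate * i * s / ADDRESS_SPACE * dt, s)
        recoveries = min(removal_rate * i * dt, i)
        s -= new_infections
        i += new_infections - recoveries
        r += recoveries
        t += dt
        history.append((t, s, i, r))
    return history


def final_size(history):
    """Hosts ever infected (currently infected plus removed) at the end."""
    _, _, i, r = history[-1]
    return i + r


def time_to_fraction(history, n_vulnerable, fraction):
    """Seconds until the ever-infected share reaches `fraction`, else None."""
    for t, _, i, r in history:
        if (i + r) / n_vulnerable >= fraction:
            return t
    return None


if __name__ == "__main__":
    N = 600_000  # assumed number of vulnerable devices
    si = simulate(N, 1, scan_rate=100)
    sir = simulate(N, 1, scan_rate=100, removal_rate=0.005)
    print("SI: 90%% infected after %.0f s" % time_to_fraction(si, N, 0.9))
    print("SIR: final size %.0f of %d" % (final_size(sir), N))
```

The SI run always ends with essentially every vulnerable host infected, so the interesting output is the time axis, which scales inversely with the scan rate and with the density of vulnerable hosts in the address space; the SIR run shows how a removal rate comparable to the effective infection rate caps the final size well below the vulnerable population.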
The "extensive attack" stage covers three evolutionary directions: "PC botnets", "emerging botnets" and "APT botnets". The author gives a detailed summary of the botnet form, representative cases, command and control protocol and malicious behavior in each stage, and forecasts the future development trend of botnets in terms of category, command and control protocol, malicious behavior and attributes.

In the direction of botnet survival model research, the thesis proposes a botnet survival model with strong confrontation (anti-analysis) capability, which changes the traditional botnet workflow. The author proposes a confrontation mechanism of "terminal information collection, backend recognition and analysis" and embeds it in the botnet workflow, which strengthens the abilities to identify defenders' analysis environments, to evade detection systems and to perform fine-grained differentiated control. The key points of the model's implementation are the construction of a registration and authentication channel, terminal identification, and communication pattern similarity elimination. For the registration and authentication channel, the model uses a dynamic addressing algorithm based on public service resources, uses customizable drop services to realize SURL-Flux, uses public cloud storage services to return terminal information efficiently, and uses anonymous networks to protect the botmaster's identity during the information exchange. For terminal identification, the model draws on differences in the basic behavior of infected terminals, their usage records and statistical features of mouse operation, and uses machine learning algorithms to identify the host's status. The goal of the local simulation experiment is to distinguish virtual machines from physical machines.
The experimental results show that the clustering algorithm can effectively separate the two groups. For communication pattern similarity elimination, the technique takes the traffic flow statistical features used by common detection schemes as its target and proposes a communication pattern changing technique based on adaptive templates. The method effectively eliminates the similarity of communication patterns between different bots, and the comparison experiments show that it improves, to some degree, a botnet's resistance to traffic-based detection. The model makes up for the lack of stealth and intelligent perception capability in existing botnet models, represents the direction of advanced botnet attack technology, and is of great significance for the defense work defenders will need to carry out in the future.

In the direction of command and control channel model prediction, the thesis starts from the development trend of current Web security threats and of botnet extensive attacks, studies command and control channel technology for botnets built on Web servers, and proposes a Webshell-based hierarchical command and control channel model. Based on the idea of connectionless, cooperative flooding, the model improves on the traditional single-point delivery of Webshell commands and implements a top-down, tree-structured command delivery method, which effectively improves the efficiency of controlling bots. The model builds the command and control channel on Tor hidden services and the Tor2Web service, effectively hiding the real status of the command and control server, so that traditional tracing and tracking methods are difficult to apply. At the same time, the model adopts a reputation evaluation method based on the network-level behavior of infected hosts, with which the botmaster can quickly find and locate honeypot hosts, giving the botnet a certain intelligent perception capability.
Central authentication and a dynamic encryption mechanism can effectively counter the defensive methods of hijacking and measurement. The simulation results show that the proposed channel model has better efficiency and reliability, and that its resistance to destruction is better than that of the random network model; as the number of removed nodes increases, its robustness is also better than that of the small-world network model. From the defender's point of view, the thesis also puts forward defense suggestions on exploiting anonymous network weaknesses, infiltration and monitoring, denial-of-service attacks against proxy nodes, and establishing international cooperation mechanisms.

In the direction of botnet detection technology, the thesis takes HTTP botnets as its object and studies passive traffic-flow detection and signature generation. For detection, the author presents a method based on the first HTTP request packet and the first response packet of a flow (referred to as the "one question and answer packet"), which extracts statistical features of HTTP packet size and of key header fields. Representative machine learning classification algorithms are used to identify botnet traffic. Cross-validation experiments show that the scheme effectively balances accuracy against space and time overhead and meets the needs of small-scale detection scenarios. It accurately detects the communication traffic of well-known botnets such as Bobax, ZeuS and SpyEye, and performs better than traditional flow-based detection methods.
For signature generation, the thesis proposes a method based on the similarity of key HTTP header information, which automatically generates high-quality network signatures and can be linked with signature-based detection systems to help defenders identify botnet traffic more widely and quickly.

In terms of project realization, the thesis summarizes the design concept and architecture of the botnet detection method and the automatic signature generation method. The design obtained a national patent, and the prototype system in the 863 Program sub-project passed expert assessment at project delivery.
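The two detection-side techniques above, classification of the first request/response pair and header-similarity signature generation, share the same HTTP parsing step, so one added example covers both. It is not code from the thesis or its prototype system: the feature set, the nearest-centroid stand-in for the classifier, the signature format and all sample messages are this example's own constructed choices, and the samples are synthetic, not captures of Bobax, ZeuS or SpyEye.

```python
"""HTTP "one question and answer" feature extraction, a small classifier, and
header-similarity signature generation.  Added example; messages are
constructed, not real botnet captures, and the feature set is illustrative."""
import math
import os

# Header fields whose presence is a binary feature (assumed choice).
REQ_FIELDS = ("host", "user-agent", "accept", "accept-language",
              "accept-encoding", "referer", "cookie", "content-type")
RESP_FIELDS = ("server", "content-type", "content-length", "set-cookie",
               "date", "cache-control")


def parse_http(message):
    """Split one HTTP message into (start line, [(name, value)], body).
    Simplified: no folded headers, no chunked-transfer decoding."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def features(request, response):
    """Vector of sizes, header counts, URI length and key-field presence."""
    req_line, req_hdrs, req_body = parse_http(request)
    _, resp_hdrs, resp_body = parse_http(response)
    parts = req_line.split(" ")
    req_names = {n for n, _ in req_hdrs}
    resp_names = {n for n, _ in resp_hdrs}
    vec = [len(request), len(response), len(req_hdrs), len(resp_hdrs),
           len(req_body), len(resp_body), len(parts[1]) if len(parts) > 1 else 0]
    vec += [1.0 if f in req_names else 0.0 for f in REQ_FIELDS]
    vec += [1.0 if f in resp_names else 0.0 for f in RESP_FIELDS]
    return vec


class NearestCentroid:
    """Stand-in classifier; z-scores features so byte counts do not swamp
    the binary header-presence features."""

    def fit(self, vectors, labels):
        dim, n = len(vectors[0]), len(vectors)
        self.mean = [sum(v[k] for v in vectors) / n for k in range(dim)]
        self.std = [max(math.sqrt(sum((v[k] - self.mean[k]) ** 2
                                      for v in vectors) / n), 1e-9)
                    for k in range(dim)]
        self.centroids = {}
        for label in set(labels):
            members = [self._scale(v) for v, l in zip(vectors, labels) if l == label]
            self.centroids[label] = [sum(m[k] for m in members) / len(members)
                                     for k in range(dim)]
        return self

    def _scale(self, v):
        return [(x - m) / s for x, m, s in zip(v, self.mean, self.std)]

    def predict(self, v):
        s = self._scale(v)
        return min(self.centroids, key=lambda l: math.dist(s, self.centroids[l]))


def generate_signature(requests):
    """Signature from what a cluster of bot requests shares: method, longest
    common URI prefix, and headers present in all, with a value only where
    it is identical across the cluster (otherwise the wildcard '*')."""
    parsed = [parse_http(r) for r in requests]
    methods = {p[0].split(" ")[0] for p in parsed}
    uris = [p[0].split(" ")[1] for p in parsed]
    maps = [dict(p[1]) for p in parsed]
    sig_headers = {}
    for name, _ in parsed[0][1]:
        if all(name in m for m in maps):
            values = {m[name] for m in maps}
            sig_headers[name] = values.pop() if len(values) == 1 else "*"
    return {"method": methods.pop() if len(methods) == 1 else "*",
            "uri_prefix": os.path.commonprefix(uris), "headers": sig_headers}


def matches(sig, request):
    """Apply a generated signature to one request."""
    line, hdrs, _ = parse_http(request)
    parts = line.split(" ")
    if len(parts) < 2 or not parts[1].startswith(sig["uri_prefix"]):
        return False
    if sig["method"] != "*" and parts[0] != sig["method"]:
        return False
    present = dict(hdrs)
    return all(n in present and (v == "*" or present[n] == v)
               for n, v in sig["headers"].items())


def bot_pair(ip, ident, n):
    """Constructed bot check-in: short POST, few headers, binary body."""
    req = ("POST /cfg/gate.php?id=%s HTTP/1.1\r\nHost: %s\r\nUser-Agent: Mozilla/4.0\r\n"
           "Content-Type: application/octet-stream\r\nContent-Length: %d\r\n\r\n"
           % (ident, ip, n)) + "A" * n
    resp = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/octet-stream\r\n"
            "Content-Length: 16\r\n\r\n") + "B" * 16
    return req, resp


def benign_pair(path, n):
    """Constructed browser page load: rich request headers, HTML response."""
    req = ("GET %s HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0\r\n"
           "Accept: text/html,application/xhtml+xml\r\nAccept-Language: en-US,en;q=0.5\r\n"
           "Accept-Encoding: gzip, deflate\r\nReferer: https://www.example.com/\r\n"
           "Cookie: session=abc123\r\nConnection: keep-alive\r\n\r\n" % path)
    resp = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nDate: Mon, 01 Jan 2018 00:00:00 GMT\r\n"
            "Content-Type: text/html; charset=utf-8\r\nContent-Length: %d\r\n"
            "Cache-Control: max-age=600\r\nSet-Cookie: session=abc123\r\n\r\n" % n) + "<html>" + "x" * (n - 6)
    return req, resp


BOT_PAIRS = [bot_pair("198.51.100.7", "1a2b", 32), bot_pair("203.0.113.9", "9f0c", 40),
             bot_pair("192.0.2.44", "44e1", 28)]
BENIGN_PAIRS = [benign_pair("/", 2048), benign_pair("/news/index.html", 4096),
                benign_pair("/search?q=botnet", 3000)]
```

The signature step deliberately wildcards fields that vary inside the cluster (here `Host` and `Content-Length`) and trims the URI to its common prefix, so the bot-specific token after `?id=` does not end up in the rule; before deploying any generated signature, run it over a benign corpus, as the last check below does, since a cluster that shares only a method and a short prefix yields a rule that is too broad.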