
Research On New Command&Control Mechanism And Detection Technique Of Botnet

Posted on: 2018-09-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X J Guo
Full Text: PDF
GTID: 1368330545961067
Subject: Computer application technology

Abstract/Summary:
Attackers can use botnets to launch network attacks of large coverage and high intensity that are difficult to prevent, which poses a serious threat to the normal operation of the Internet. Because a botnet is a logically controllable network platform that is covertly organized from a set of devices infected with a bot program by means of a command and control (C&C) mechanism, the C&C mechanism is the core of the entire botnet and changes continually as botnets evolve. Research on C&C mechanisms is therefore helpful for understanding how botnets work, exploring how future botnets might be organized, identifying unknown botnet types and restraining the spread of botnets. The C&C mechanisms discovered in current botnets include the use of a fixed IP address or domain name, Domain-Flux, Fast-Flux and P2P to locate the C&C server node, and the transmission of C&C information either in plaintext or in encrypted form. These known mechanisms have the following main problems: the process of locating the C&C server node is poorly concealed; C&C information transmitted in plaintext has very low security, while encrypted transmission has very high space-time complexity; and bots of the same type in a local network present very similar communication behavior. To address these problems, this dissertation focuses on constructing a new C&C scheme for botnets. It studies the discovery of C&C server node information, the concealed transmission of C&C information, and the sharing of C&C information among bots of the same type in a local network. The major contributions and innovations of this dissertation are the following four aspects:

(1) For the problem of poor concealment during the C&C server node discovery process, a C&C server node address discovery method based on Web search services (CAWSS) is proposed, and its feasibility and validity have been verified through a long-term experiment. The main idea of CAWSS is to use a legitimate Web search service to disguise the C&C server node discovery process. In CAWSS, the attacker first composes blog articles whose title and content are, respectively, the MD5 value of a date and the C&C server node addresses (IP address, domain name, etc.), and publishes them on free blogs registered on the Internet in advance. After a few days these blog articles are indexed by the Web search engine. Second, when an infected device becomes a bot, it uses the date MD5 value generated by a keyword production algorithm as the search term, sends it to the Web search engine, and obtains all items from the returned search engine result pages (SERP). Finally, CAWSS ranks these items with a Top-K algorithm: the top K items related to the blog articles containing C&C server node addresses are selected, and the bot extracts the C&C server node addresses from the abstract part of those items.

(2) For the problem of low security in plaintext transmission and the high space-time cost of encrypted transmission of C&C information, a C&C information transmission method based on HTML code information hiding (CTHIH) is presented. CTHIH overcomes the disadvantage of plaintext C&C transmission, which is easy to detect and identify, and effectively avoids the higher space-time overhead caused by encrypted transmission. CTHIH uses the HTML code of a web page as the cover object and applies information hiding to transmit C&C information. Based on the inherent features of current web page HTML code, CTHIH first serializes the C&C information into a binary string (BS) according to a self-defined character encoding table and applies an Arnold chaotic transform to the BS to improve its secrecy. CTHIH then embeds each bit of the chaotic BS into the cover web page according to the random parity of the number of characters contained in each row/column of the cover page's HTML code. Finally, when a bot obtains a web page carrying a hidden chaotic BS, it extracts each hidden bit by computing the parity of each row/column of the page's HTML code and applying the inverse Arnold chaotic transform, at which point the transmission of the C&C information is complete.

(3) For the issue that bots of the same type in a local network present very similar communication behavior while obtaining C&C information, a C&C information sharing method based on the LLMNR protocol and evidence theory (CISLE) is described. CISLE improves the secrecy of the network traffic produced by bots of the same type, effectively avoids communication behavior similarity, and offers better robustness. The main idea of CISLE is to use a bot temporary leader (BTL), elected within the local network, to obtain and share C&C information. First, two metrics are defined for measuring bot performance: running time ratio and CPU utilization rate. Second, bots of the same type inform each other of their two metrics via LLMNR Query packets and use Dempster-Shafer evidence theory to elect the BTL. Then only the BTL is allowed to locate C&C server nodes with the CAWSS method and obtain C&C information with the CTHIH method. Finally, the BTL shares the obtained C&C information with the other bots in the local network through LLMNR Query packets.

(4) Based on the proposed methods above, a detection prototype system is designed and implemented. In order to discover or identify botnets that use these methods as early as possible, corresponding reference detection models are proposed for CAWSS, CTHIH and CISLE respectively. A detection prototype system built around these detection models is then designed and implemented, and deployed and tested in a campus network. The test results validate the feasibility and effectiveness of the detection models.
Keywords/Search Tags: Network Security, Botnet, Command and Control, Web Search Service, Information Hiding, D-S Evidence Theory