
Analysis And Detection Of P2P Botnets Based On Clustering Analysis

Posted on: 2012-02-05
Degree: Master
Type: Thesis
Country: China
Candidate: H M Ran
Full Text: PDF
GTID: 2178330332499356
Subject: Computer software and theory
Abstract/Summary:
P2P technology is a recent addition to botnet design that gives a botnet greater stealth and stronger robustness. The growing number of P2P botnets in recent years seriously threatens the security of the network environment, so improving P2P botnet detection methods is a pressing task for network security practitioners.

The communication of a P2P botnet differs from normal network traffic. Bots in the same botnet receive control or attack commands from the attacker within a certain window and then carry out the same action at the same time, such as sending a burst of spam, downloading or updating malicious code, or launching a DDoS attack; within one botnet, different hosts therefore show the same communication behaviour at the same time. In addition, to confirm each other's identity, bots in the same botnet periodically exchange request-response packets, so a single host shows similar communication behaviour across different periods.

Clustering analysis, a basic data-mining technique, groups large numbers of samples without supervision on the basis of a similarity measure. P2P botnet traffic consists of large volumes of flow data that are costly to preprocess, and its anomalous behaviours resemble one another, which makes clustering analysis a natural choice for P2P botnet analysis and detection.

First, this thesis reviews the background of P2P botnets: when traditional IRC- and HTTP-based botnets ran into the single point of failure problem, attackers adopted P2P technology to form the new type of P2P botnet. It defines the P2P botnet, surveys research on tracking, detecting and countering P2P botnets, analyses the strengths and weaknesses of that work, and introduces the content and structure of the thesis. Then, P2P botnets are classified from three aspects: malicious code, topology, and means of formation.
The working mechanism of P2P botnets, including their routing and communication mechanisms, is analysed, with attention to the known strategies P2P botnets use to evade detection so that the new system does not repeat the failures of earlier ones. Several typical P2P botnets serve as examples; their working mechanisms and the means by which they escape various detection systems are reported.

On this basis, the thesis presents an improved P2P botnet detection algorithm: a two-stage clustering algorithm based on principal component analysis. The behavioural and communication characteristics of P2P botnets are modelled and extracted as flow feature vectors. The algorithm then proceeds in three steps: first, the feature attributes are analysed with principal component analysis and the principal components to retain are selected; second, a first clustering is performed on the retained principal components; third, using the result of the first clustering, the samples whose assignment is uncertain are clustered a second time on a larger set of characteristic attributes, which makes the clustering result more accurate.

Next, a P2P botnet detection system is designed. The model system is divided into a data preprocessing module, an online monitoring module, an offline inspection module, a data management centre and a response control centre. The data preprocessing module parses the captured packets and stores them in the designed data structure, preparing input for the online monitoring module; the online monitoring module compares arriving events against the rule sets to detect attacks; the offline inspection module applies clustering analysis to the samples; the data management centre stores and manages the feature flow data and the rule sets; and the response control centre combines the results of the online monitoring and offline inspection modules and issues the corresponding control measures.
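To make the two-stage algorithm concrete, the following is an added worked example; it is not the thesis's code. The feature names, the uncertainty criterion (a sample is uncertain when its nearest centroid is not clearly closer than the second-nearest), the seeding of the second stage from the hosts the first stage was confident about, the use of keep-alive regularity to decide which cluster is the botnet, and every per-host value are assumptions made here. The per-host flow feature vectors are constructed, not captured traffic. Stage 1 runs PCA and k-means on cheap flow statistics; stage 2 re-examines only the uncertain hosts on an extended attribute set, which is where a legitimate file-sharing client that looks bot-like on fan-out alone is separated from real bots.

```python
# Added illustration of a PCA-plus-two-stage-clustering detector (not the thesis's code).
# Feature names, the uncertainty rule and all host values below are assumptions.
import numpy as np

CHEAP = ["flows_per_min", "mean_pkt_len", "peer_count", "failed_conn_ratio"]  # stage 1
EXTRA = ["keepalive_jitter_s", "same_size_flow_frac"]                          # added in stage 2

# Constructed per-host feature vectors for one observation window (not real traffic).
HOSTS = ["bot1", "bot2", "bot3", "bot4", "bot5",
         "web1", "web2", "web3", "web4", "web5", "p2pclient"]
CHEAP_X = [
    [58, 92, 44, 0.34], [61, 88, 47, 0.36], [59, 95, 43, 0.33], [62, 90, 46, 0.35], [60, 91, 45, 0.32],
    [4, 910, 5, 0.02], [6, 880, 7, 0.01], [5, 930, 6, 0.03], [7, 890, 8, 0.02], [5, 905, 6, 0.01],
    [55, 850, 40, 0.03],   # legitimate file-sharing client: bot-like fan-out, benign packet sizes
]
EXTRA_X = [
    [1.2, 0.82], [0.9, 0.85], [1.1, 0.80], [1.0, 0.83], [1.3, 0.79],   # bots: regular, fixed-size keep-alives
    [42, 0.10], [38, 0.12], [45, 0.09], [36, 0.11], [40, 0.10],        # web clients: irregular, varied sizes
    [35, 0.15],                                                        # file-sharing client: irregular too
]

def standardize(X):
    """Zero-mean, unit-variance columns so no feature dominates PCA by its scale."""
    X = np.asarray(X, dtype=float)
    return (X - X.mean(axis=0)) / (X.std(axis=0) + 1e-12)

def pca_reduce(Z, var_kept=0.9):
    """Project onto the leading principal components that together explain at least
    var_kept of the variance. Returns (scores, number_of_components_kept)."""
    vals, vecs = np.linalg.eigh(np.cov(Z, rowvar=False))
    order = np.argsort(vals)[::-1]
    vals, vecs = vals[order], vecs[:, order]
    cum = np.cumsum(vals) / vals.sum()
    k = int(np.searchsorted(cum, var_kept) + 1)
    return Z @ vecs[:, :k], k

def kmeans(X, k, iters=100):
    """Plain k-means with deterministic farthest-point seeding.
    Returns (labels, centroids, distance of every sample to every centroid)."""
    C = [X[0]]
    for _ in range(1, k):
        d = np.min([np.linalg.norm(X - c, axis=1) for c in C], axis=0)
        C.append(X[np.argmax(d)])
    C = np.array(C)
    for _ in range(iters):
        dist = np.linalg.norm(X[:, None, :] - C[None, :, :], axis=2)
        labels = dist.argmin(axis=1)
        new_C = np.array([X[labels == j].mean(axis=0) if np.any(labels == j) else C[j]
                          for j in range(k)])
        if np.allclose(new_C, C):
            break
        C = new_C
    dist = np.linalg.norm(X[:, None, :] - C[None, :, :], axis=2)
    return dist.argmin(axis=1), C, dist

def uncertain_mask(dist, ratio=0.7):
    """A sample is 'uncertain' when its nearest centroid is not clearly closer than
    the second-nearest (assumed criterion)."""
    s = np.sort(np.asarray(dist, dtype=float), axis=1)
    return s[:, 0] > ratio * s[:, 1]

def two_stage(cheap, extra, k=2, var_kept=0.9, ratio=0.7):
    """Stage 1 clusters the PCA-reduced cheap features; stage 2 re-examines only the
    uncertain hosts on the extended feature set, seeded by the confident hosts."""
    scores, ncomp = pca_reduce(standardize(cheap), var_kept)
    labels, _, dist = kmeans(scores, k)
    unc = uncertain_mask(dist, ratio)
    Zf = standardize(np.hstack([np.asarray(cheap, float), np.asarray(extra, float)]))
    final = labels.copy()
    if unc.any():
        seeds = []
        for j in range(k):
            members = (labels == j) & ~unc
            if not members.any():            # no confident member: fall back to all members
                members = labels == j
            seeds.append(Zf[members].mean(axis=0) if members.any()
                         else np.full(Zf.shape[1], np.inf))
        d2 = np.linalg.norm(Zf[unc][:, None, :] - np.array(seeds)[None, :, :], axis=2)
        final[unc] = d2.argmin(axis=1)
    return final, unc, ncomp

def detect_bots(hosts=HOSTS, cheap=CHEAP_X, extra=EXTRA_X):
    """Flag the cluster whose members show the most regular keep-alive timing (the
    periodic request-response behaviour of bots; assumed here as the bot indicator)."""
    final, unc, _ = two_stage(cheap, extra)
    jitter = np.asarray(extra, dtype=float)[:, 0]
    bot_cluster = min(set(final.tolist()), key=lambda j: jitter[final == j].mean())
    flagged = {h for h, lab in zip(hosts, final) if lab == bot_cluster}
    uncertain = {h for h, u in zip(hosts, unc) if u}
    return flagged, uncertain

if __name__ == "__main__":
    flagged, uncertain = detect_bots()
    print("re-examined in stage 2:", sorted(uncertain))
    print("flagged as P2P bots:", sorted(flagged))
```

On the constructed data, "p2pclient" matches the bots on flow rate and peer count but not on packet size or failed-connection ratio, so in PCA space it sits near the midpoint between the two centroids and is routed to stage 2; there the extended attributes (irregular keep-alive timing, varied flow sizes) place it with the web clients, and only the five bots are flagged. The design point is that the expensive attributes are computed only for the hosts the cheap stage could not settle, which is what keeps the preprocessing cost bounded on large flow volumes.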
The deployment scheme of the model is also discussed. Finally, an experimental environment is established that models the real hosts and network equipment of a P2P botnet, and the infection and propagation process of the P2P bot code is presented. Testing different detection algorithms on the same data set shows that the algorithm proposed in this thesis is more effective at detecting P2P botnets.
Keywords/Search Tags: P2P Botnet, Principal Component Analysis, Clustering, Detection System