
Detection Of P2P Botnet Using MFFM Model

Posted on: 2012-05-04
Degree: Master
Type: Thesis
Country: China
Candidate: Y Z Song
GTID: 2178330335950293
Subject: Computer system architecture

Abstract/Summary:
With the evolution of attack technology, Internet security incidents have become concentrated on attacks in which a network composed of a large number of controlled hosts is turned against one or more victims; the most representative of these is DDoS (Distributed Denial of Service). The botnet is the inevitable result of this trend. A botnet is an attack network composed of a large number of hosts that have been infected by various means, such as worms and Trojans. Compared with inflexible, single-purpose DDoS, a botnet gives the attacker a covert, flexible and efficient one-to-many Command and Control (C&C) mechanism, through which many types of attack can easily be launched: DDoS, sending spam, information theft, expanding the scale of the botnet itself, and so on. The great threat and destructive power that botnets bring to the Internet are beyond doubt. Moreover, the wide spread of botnets has led to a trade in bot hosts, which further exacerbates the threat botnets pose to the Internet. Recently, with the popularity of smartphones, botnets on smartphones have appeared. With the advance of triple play and the mobile Internet, widespread botnets have become a serious threat to national network security.

According to the protocol used to implement the command and control mechanism, botnets can be divided into IRC (Internet Relay Chat) botnets, HTTP botnets and P2P (Peer to Peer) botnets. The P2P botnet is a new type of botnet that is flourishing on the Internet; it uses the structure of a P2P network to maintain its C&C. Unlike the "traditional" botnets (IRC and HTTP botnets), every peer in a P2P network serves as both client and server, so the botnet is little affected by a single-point (server) failure, whereas "traditional" botnets can now be easily detected and controlled by taking measures against their C&C servers.
Furthermore, the Distributed Hash Table of a P2P network accelerates the transmission and spread of commands. New P2P botnets also use techniques such as rootkits and fast-flux, which make them harder to detect and control. The Storm botnet, which appeared in early 2007, is a representative example of a P2P botnet; it quickly grew into the "biggest" botnet on the Internet. In conclusion, P2P is the direction in which botnets are heading, so methods for detecting and mitigating P2P botnets have become an important and active topic in network security.

This paper first analyzes in detail the weaknesses of existing botnet detection methods, then takes Storm as the example for studying the lifecycle and flow characteristics of P2P botnets, and finally proposes a novel real-time detection model named MFFM (Multi-Flow Fused Model). The model is built on the observation that different types of flows should play different roles in P2P botnet detection, so each flow type is handled by a method matched to its own characteristics. First, MFFM lays emphasis on UDP flow, which is most closely related to the botnet's Command and Control mechanism (the heart of the botnet); we use the Hurst parameter, which reflects the natural self-similarity of UDP flow, to detect abnormality in that flow. Second, MFFM uses the discrete Kalman filter to find abnormalities in ICMP flow and SMTP flow, with multi-chart CUSUM working as an amplifier to make those abnormalities clearer. Finally, we consider the influence that web applications, especially those using P2P protocols, have on botnet detection, and use the properties of TCP flow to distinguish whether an abnormality is caused by a botnet or by a P2P application. Taken together, these flows run through the whole lifecycle of a botnet, which improves detection accuracy to some extent.
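As an added illustration of the ICMP/SMTP branch described above (this is my own example code, not the thesis's implementation or data; the random-walk state model, the noise variances, the constructed count series and the chart settings are all assumptions), here is a scalar discrete Kalman filter whose one-step prediction residuals feed a small bank of CUSUM charts. The filter supplies the "expected" per-interval flow count, and the CUSUM accumulates the positive residuals so that a sustained jump crosses the threshold within a couple of intervals while ordinary jitter does not:

```python
"""Discrete Kalman filter + multi-chart CUSUM over per-interval ICMP flow
counts. Added example with constructed data; the random-walk state model,
the noise variances and the chart settings are my assumptions, not the
thesis's parameters."""


def kalman_residuals(counts, q=1.0, r=25.0):
    """Scalar discrete Kalman filter with a random-walk (constant-level) model:
    x_k = x_{k-1} + w_k, Var(w) = q ; z_k = x_k + v_k, Var(v) = r.
    Returns (one-step predictions, residuals z_k - prediction)."""
    x = float(counts[0])   # initial state estimate: the first measurement
    p = r                  # initial estimate variance (assumption)
    preds, resids = [], []
    for z in counts:
        x_pred, p_pred = x, p + q       # predict: level unchanged, uncertainty grows
        preds.append(x_pred)
        resids.append(z - x_pred)
        k = p_pred / (p_pred + r)       # Kalman gain
        x = x_pred + k * (z - x_pred)   # update with the measurement
        p = (1.0 - k) * p_pred
    return preds, resids


def cusum_alarm(resids, drift, threshold):
    """Upper one-sided CUSUM on the residuals: S_k = max(0, S_{k-1} + e_k - drift).
    Returns (index of the first S_k > threshold, or None; list of all S_k)."""
    s, scores, alarm = 0.0, [], None
    for i, e in enumerate(resids):
        s = max(0.0, s + e - drift)
        scores.append(s)
        if alarm is None and s > threshold:
            alarm = i
    return alarm, scores


def multi_chart_cusum(resids, charts):
    """Run several CUSUM charts with different (drift, threshold) pairs and
    return the earliest alarm among them. This is my reading of 'multi-chart
    CUSUM' (charts tuned for different shift sizes); the thesis's exact
    formulation may differ."""
    alarms = (cusum_alarm(resids, d, h)[0] for d, h in charts)
    fired = [a for a in alarms if a is not None]
    return min(fired) if fired else None


# Constructed per-interval ICMP flow counts: 30 quiet intervals around 20,
# then a sustained jump from interval 30 onwards. Not captured traffic.
QUIET = [20, 22, 18, 21, 19, 23, 17, 20, 22, 18] * 3
SURGE = [55, 62, 58, 65, 60, 63, 57, 61, 59, 64]
ICMP_COUNTS = QUIET + SURGE

CHARTS = [(5.0, 40.0), (10.0, 30.0)]   # (drift, threshold) per chart, constructed


def detect_surge(counts=ICMP_COUNTS, charts=CHARTS):
    """Interval index at which the fused detector first raises an alarm."""
    _, resids = kalman_residuals(counts)
    return multi_chart_cusum(resids, charts)


if __name__ == "__main__":
    _, res = kalman_residuals(ICMP_COUNTS)
    print("max |residual| in quiet period:", round(max(abs(e) for e in res[:30]), 2))
    print("alarm at interval:", detect_surge())
```

On the constructed series the quiet-period residuals stay below the smallest drift, so every chart's statistic remains at zero until the jump; the alarm is raised at interval 31, one interval after the surge begins, which is the detection delay a practitioner would measure for a given drift/threshold choice.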
Moreover, the paper applies the Kaufman algorithm to adjust the threshold dynamically so as to minimize both the false positive rate and the false negative rate. A series of experiments shows that the model detects the Storm botnet with relatively high precision and with both a low false-positive rate and a low false-negative rate.

This paper is organized as follows. Chapter 1 introduces the damage, classification, research background and current research status of botnets, and presents the main work of the paper based on the problems in current research. Chapter 2 details the development of botnets, the botnet lifecycle, the functional modules of a bot and so on, and takes Storm as the example for studying the lifecycle and flow characteristics. Chapter 3 details the processes and modules of the MFFM model, which handles different types of flows by different methods according to their own characteristics, reflecting that different flow types should play different roles in P2P botnet detection. This chapter mainly addresses the following problems: how to find abnormality in UDP flow with the help of its natural self-similarity, how to find abnormalities in ICMP flow and SMTP flow with the discrete Kalman filter, how to amplify those abnormalities with multi-chart CUSUM, and how to distinguish whether an abnormality is caused by a botnet or by a P2P application. Chapter 4 tests the performance of the MFFM model in terms of false positive rate, false negative rate and detection delay through a series of experiments. Chapter 5 summarizes the main work of this paper and proposes some ideas for future work.
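The UDP branch of the model relies on the Hurst parameter as a measure of self-similarity. As an added example (my own code, not the thesis's; the rescaled-range method, the window sizes, the population standard deviation, the least-squares fit and the constructed series are all my choices), the following estimates H by R/S analysis and checks it on three series whose behaviour is known in advance: a strictly alternating series (H = 0), a linear ramp (H close to 1) and short-memory pseudo-random "flow counts" (H between the two). A detection rule in the spirit of the thesis then compares the H of an observed window against a baseline:

```python
"""Rescaled-range (R/S) estimate of the Hurst parameter over per-interval UDP
flow counts. Added example; the window sizes, the population standard
deviation and the least-squares fit are my choices, not the thesis's."""
import math


def rescaled_range(window):
    """R/S statistic of one window: range of the cumulative deviations from
    the mean, divided by the window's (population) standard deviation.
    Returns None when the window is constant (S == 0)."""
    n = len(window)
    mean = sum(window) / n
    cum, run = [], 0.0
    for v in window:
        run += v - mean
        cum.append(run)
    std = math.sqrt(sum((v - mean) ** 2 for v in window) / n)
    if std == 0.0:
        return None
    return (max(cum) - min(cum)) / std


def hurst_rs(series, sizes=(8, 16, 32, 64)):
    """Hurst parameter H as the slope of log(mean R/S) against log(n) over
    non-overlapping windows of each size n (least-squares fit)."""
    xs, ys = [], []
    for n in sizes:
        chunks = [series[i:i + n] for i in range(0, len(series) - n + 1, n)]
        values = [rs for rs in (rescaled_range(c) for c in chunks) if rs is not None]
        if not values:
            continue
        xs.append(math.log(n))
        ys.append(math.log(sum(values) / len(values)))
    if len(xs) < 2:
        raise ValueError("series too short for the requested window sizes")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs)
    return cov / var


def lcg_counts(n, seed=7, base=100, spread=40):
    """Constructed 'UDP flow counts' from a linear congruential generator
    (deterministic so the demo is reproducible offline; not captured traffic)."""
    out, state = [], seed
    for _ in range(n):
        state = (1664525 * state + 1013904223) % 2 ** 32
        out.append(base + spread * state / 2 ** 32)
    return out


# Three constructed series with known behaviour:
#   alternating +1/-1 : strictly anti-persistent, R/S == 1 at every n, so H == 0
#   ramp 1..256       : perfectly persistent, H close to 1
#   LCG noise         : short-memory, H somewhere around 0.5-0.7 on short windows
ALTERNATING = [1.0 if i % 2 == 0 else -1.0 for i in range(256)]
RAMP = [float(i) for i in range(1, 257)]
NOISE = lcg_counts(512)


def hurst_shift(baseline, observed):
    """Detection rule in the spirit of the thesis: the change in H between a
    baseline window and the observed window. A large shift in self-similarity
    is the signal to investigate; the alert threshold is left to the operator."""
    return hurst_rs(observed) - hurst_rs(baseline)


if __name__ == "__main__":
    for name, s in (("alternating", ALTERNATING), ("ramp", RAMP), ("noise", NOISE)):
        print(f"{name:12s} H = {hurst_rs(s):.3f}")
    print("shift noise -> ramp:", round(hurst_shift(NOISE, RAMP), 3))
```

The two synthetic extremes act as a sanity check on the estimator before it is pointed at real per-interval counts: if the alternating series does not give H of exactly 0 and the ramp does not give H close to 1, the windowing or the standard deviation is wrong. R/S on short windows is biased upward for independent noise, so a baseline H should be learned from the same window sizes that will be used in operation rather than assumed to be 0.5.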
Keywords/Search Tags: Botnet, Discrete Kalman filter, Multi-chart CUSUM, Hurst, Peer to Peer, Kaufman