
Design And Implementation Of System For Botnet Detection Based On Net Flow

Posted on: 2011-01-01
Degree: Master
Type: Thesis
Country: China
Candidate: J Deng
Full Text: PDF
GTID: 2178330338979936
Subject: Computer Science and Technology
Abstract/Summary:
Botnets have become a primary "platform" for attacks on the Internet. Botnets are now used for distributed denial-of-service (DDoS) attacks, spam, phishing, information theft, distributing other malware, and so on. With the rise of botnets, research into botnet detection technology is inevitable.

At present, four key botnet detection technologies exist: characteristics-based, traffic-based, honeypot-based and DNS-based. Characteristics-based detection usually extracts features only after the botnet has broken out. Detecting botnets by their traffic characteristics can better capture the essence of a botnet, but the false positive and false negative rates are higher, so it is hard to deploy in practice. Honeypot technology is the most widely used detection technology, but it can only detect passively. Because DNS is administered by the ISP, DNS-based detection is constrained, and a botnet that uses its own DNS cannot be detected. From the analysis of the detection technologies above, traffic characteristics-based detection has certain advantages in detecting more than a single bot and in detecting in real time. To further reduce the false positive rate of traffic-based detection, a detection model based on data flow is proposed. The model first classifies the flow features, then computes the active degree of malicious activities, and finally obtains the IP addresses of bots after cross-correlation analysis.

The system consists of five main components: a communication monitoring platform, an activity monitoring platform, a communication clustering module, an activity clustering module and a cross-correlation module. The communication monitoring platform is responsible for formatting flows and writing logs; the formatted log makes storage and later analysis more efficient. The activity monitoring platform monitors suspicious activities such as spam, scanning, exploring, binary download, etc. The communication clustering module and the activity clustering module each process their own monitoring log separately.
Finally, the cross-correlation module cross-references the results of the two clustering modules to find the likely members of the same botnet. A small botnet was built on the LAN, simulating port scanning and DDoS activities. The system monitored the outbound network flow and, after the clustering and cross-correlation procedure, detected the bots belonging to the same botnet.
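The pipeline the abstract describes (flow log, activity log, two separate clusterings, then cross-correlation to find hosts that belong to the same botnet) can be illustrated in a few dozen lines. The following is an added example written for this page, not code from the thesis or its system; the flow records, activity records, thresholds and activity weights are all constructed sample data, and the clustering rule (group hosts by the persistent destination endpoint they share, and by the kind of suspicious activity they exhibit) is a deliberately simple stand-in for the thesis's own feature classification.

```python
"""Added example (not the thesis's code): toy communication/activity
clustering with cross-correlation over constructed NetFlow-style records."""
from collections import defaultdict
from itertools import combinations

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, proto, flow_count)
FLOW_LOG = [
    ("10.0.0.11", "203.0.113.5", 6667, "tcp", 40),   # three hosts sharing one C&C endpoint
    ("10.0.0.12", "203.0.113.5", 6667, "tcp", 38),
    ("10.0.0.13", "203.0.113.5", 6667, "tcp", 41),
    ("10.0.0.20", "198.51.100.7", 443, "tcp", 12),   # ordinary HTTPS clients
    ("10.0.0.21", "198.51.100.7", 443, "tcp", 9),
    ("10.0.0.11", "198.51.100.7", 443, "tcp", 3),    # below the persistence threshold
]

# Constructed activity-monitor records: (host, activity_type, event_count)
ACTIVITY_LOG = [
    ("10.0.0.11", "scan", 120),
    ("10.0.0.12", "scan", 95),
    ("10.0.0.13", "ddos", 2000),
    ("10.0.0.12", "ddos", 1800),
    ("10.0.0.20", "scan", 2),      # a little noise from a benign host
]

# Assumed weights for the "active degree" of each activity kind.
ACTIVITY_WEIGHT = {"scan": 1.0, "ddos": 2.0, "spam": 1.5, "binary_download": 1.5}


def cluster_communication(flows, min_flows=5):
    """Communication clustering: group source hosts by the (dst, port, proto)
    endpoint they contact persistently. Only groups with >= 2 hosts are kept,
    since a botnet is by definition more than one bot."""
    groups = defaultdict(set)
    for src, dst, port, proto, count in flows:
        if count >= min_flows:
            groups[(dst, port, proto)].add(src)
    return {k: v for k, v in groups.items() if len(v) >= 2}


def activity_degree(activities):
    """Weighted active degree of malicious behaviour per host."""
    degree = defaultdict(float)
    for host, act, count in activities:
        degree[host] += ACTIVITY_WEIGHT.get(act, 1.0) * count
    return dict(degree)


def cluster_activity(activities, min_degree=10.0):
    """Activity clustering: group hosts by activity type, keeping only hosts
    whose active degree reaches the threshold (drops low-volume noise)."""
    degree = activity_degree(activities)
    groups = defaultdict(set)
    for host, act, _ in activities:
        if degree[host] >= min_degree:
            groups[act].add(host)
    return {k: v for k, v in groups.items() if len(v) >= 2}


def cross_correlate(c_clusters, a_clusters):
    """Cross-correlation: two hosts are linked when they share both a
    communication cluster and an activity cluster. Likely botnets are the
    connected components of that link graph, returned as sorted frozensets."""
    links = defaultdict(set)
    for c_members in c_clusters.values():
        for a_members in a_clusters.values():
            for h1, h2 in combinations(sorted(c_members & a_members), 2):
                links[h1].add(h2)
                links[h2].add(h1)
    seen, botnets = set(), []
    for start in sorted(links):
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:
            host = stack.pop()
            if host in component:
                continue
            component.add(host)
            stack.extend(links[host])
        seen |= component
        botnets.append(frozenset(component))
    return botnets


def detect_bots(flows=FLOW_LOG, activities=ACTIVITY_LOG):
    """Run the whole pipeline and return the likely botnet membership sets."""
    return cross_correlate(cluster_communication(flows), cluster_activity(activities))


if __name__ == "__main__":
    for members in detect_bots():
        print("likely botnet:", ", ".join(sorted(members)))
```

On the sample data the HTTPS clients 10.0.0.20 and 10.0.0.21 form a communication cluster but never a shared activity cluster, so they are not reported; the three hosts on the shared 6667/tcp endpoint are linked through their scanning and DDoS activity and come out as one botnet. Using connected components rather than requiring every pair to share an activity cluster is what lets 10.0.0.11 (scan only) and 10.0.0.13 (DDoS only) land in the same group via 10.0.0.12.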
Keywords/Search Tags: Botnet, Traffic Flow Detection, clustering