
Research Of Structured Peer-to-Peer Botnet Detection Technology

Posted on: 2009-01-31
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Feng
Full Text: PDF
GTID: 2178360275971967
Subject: Computer system architecture

Abstract/Summary:
A botnet is a network consisting of a large number of hosts compromised by an attacker for malicious purposes; it uses a one-to-many command and control channel to achieve goals such as information theft, launching distributed denial of service attacks, and sending spam. A P2P botnet is a botnet that uses a P2P network to spread or control its bots. It removes the dependence on a central server by using P2P technology to construct a new command and control channel, which greatly increases its survivability, stealth and robustness, makes detection and prevention more difficult, and poses a serious threat to Internet security. However, research on P2P botnet detection has lagged behind its development, both at home and abroad, and there is still no universal detection method for P2P botnets.

The functional structure, command and control mechanisms and architecture of P2P botnets are analysed. Bots are collected and analysed through a honeynet, and a characteristic database is established. Based on worm propagation model theory, a P2P bot propagation model is established. Based on the techniques of static characteristics, traffic monitoring, honeynet analysis and active detection, the botnet tracking method is improved so that it can be applied to P2P botnet detection, and several feasible experimental systems have been designed.

Based on active detection, a P2P botnet detection experimental system has been designed. A crawler algorithm is designed and the program has been implemented. The framework design of the experimental system is described in detail and the experimental results are analysed. The system uses Overnet, a DHT-structured P2P network, as the experimental environment, and takes the P2P bot Peacomm as the detection sample. Controlled P2P bots are deployed in the honeynet, suspicious traffic is captured, and the characteristics of the command and control traffic are obtained.
Active detection is the core module: a crawler actively infiltrates the Overnet network in order to obtain the entire network topology and the routing information of all peers. If the bots in the honeynet communicate with the outside botnet, the P2P botnet can be detected effectively by combining the captured suspicious traffic with the network topology. The physical location of the P2P bots can also be precisely determined.
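The correlation step described above, as an added illustration that is not the thesis's own code: a crawl of the overlay yields each peer's routing table, from which a peer graph is built; honeynet flow records are then matched against that graph so that external peers contacted by the honeynet bots are separated into known overlay peers (with their degree in the crawled topology) and peers the crawl never saw. The crawler output, the flow-log format and the honeynet address range are constructed assumptions, not data from the thesis.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed crawler output (hypothetical): each crawled Overnet peer -> peers in its routing table.
CRAWL = {
    "198.51.100.10:4661": ["198.51.100.11:4661", "203.0.113.5:10001", "203.0.113.6:10001"],
    "198.51.100.11:4661": ["198.51.100.10:4661", "203.0.113.5:10001"],
    "203.0.113.5:10001": ["198.51.100.10:4661", "203.0.113.6:10001"],
    "203.0.113.6:10001": ["203.0.113.5:10001"],
}

# Constructed honeynet flow log (hypothetical format); the controlled bots live in 10.0.0.0/24.
HONEYNET_FLOWS = """\
2009-01-12T10:00:01 udp 10.0.0.5:4661 -> 198.51.100.10:4661 bytes=120
2009-01-12T10:00:02 udp 10.0.0.5:4661 -> 203.0.113.5:10001 bytes=96
2009-01-12T10:00:03 udp 10.0.0.7:4661 -> 203.0.113.5:10001 bytes=96
2009-01-12T10:00:04 udp 10.0.0.7:4661 -> 192.0.2.77:4661 bytes=80
2009-01-12T10:00:05 tcp 10.0.0.5:33001 -> 10.0.0.7:80 bytes=500
"""
HONEYNET = ip_network("10.0.0.0/24")

def parse_flows(text):
    """Yield (src, dst) endpoint strings ("ip:port") from the constructed flow lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[3] != "->":
            continue  # skip malformed lines
        yield parts[2], parts[4]

def build_topology(crawl):
    """Undirected peer graph: a routing-table entry links the two peers in both directions."""
    adj = defaultdict(set)
    for peer, neighbours in crawl.items():
        for n in neighbours:
            adj[peer].add(n)
            adj[n].add(peer)
    return adj

def correlate(flows, topology, honeynet):
    """Count honeynet-to-outside contacts per destination peer, split by crawl visibility."""
    contacts = defaultdict(int)
    for src, dst in flows:
        src_ip, dst_ip = src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0]
        if ip_address(src_ip) in honeynet and ip_address(dst_ip) not in honeynet:
            contacts[dst] += 1  # intra-honeynet traffic is ignored
    overlay = {p: {"contacts": c, "degree": len(topology[p])}
               for p, c in contacts.items() if p in topology}
    unknown = {p: c for p, c in contacts.items() if p not in topology}
    return overlay, unknown
```

Peers that appear in `unknown` are contacted by the bots but absent from the crawl, which is the gap a re-crawl or a routing-table lookup from those peers would close.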
Keywords/Search Tags:Internet security, P2P botnet, bot, honeynet, crawler, propagation model