Research Of IRC Botnet Detection Based On Behavior

Posted on: 2009-05-19
Degree: Master
Type: Thesis
Country: China
Candidate: C Li
GTID: 2178360278464435
Subject: Computer Science and Technology
Abstract/Summary:

Botnets are a new type of attack that has developed from Internet worms, trojans, backdoor tools, and other traditional forms of malware. Unlike a specific network security incident, a botnet is the attacker's attack platform. The platform can be used to send spam, steal personal information, carry out extortion through DDoS attacks, and so on. Botnets are one of the threats that currently receive the most attention in the international network security field.

The article first introduces the definition of a botnet and related concepts, studies the working principle and life cycle of botnets, and analyzes the different types of botnet command and control mechanisms. It then introduces a botnet propagation model based on time zones and summarizes methods for tracking, detecting, and defending against botnets.

Based on this analysis, the article studies botnet operating mechanisms and the network behavior between bot and server, and then proposes detection methods aimed at the initial period of a botnet: nickname detection, control command detection, and command sequence similarity detection. Nickname detection uses a score function, multiple regular expression matching, and channel nickname distance to detect botnets. Control command detection uses the efficient AC multi-pattern matching algorithm to find key botnet commands. Command sequence similarity detection computes the similarity of the commands sent by IRC hosts in the same channel to check whether the channel is malicious. The three detection methods cover different stages of the login process and improve the botnet detection rate.

Finally, the article designs a real-time IRC botnet detection system and uses it to detect botnets in a backbone network, with good test results. About eighty percent of chat hosts were detected to be zombies.
Keywords/Search Tags:Botnet, IRC, AC algorithm, Similarity detection
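
The command sequence similarity check described in the abstract, as an added Python sketch that is not code from the thesis. The similarity measure (`difflib.SequenceMatcher` over each host's sequence of IRC command verbs), the 0.9 threshold, the three-host minimum, the function names, and all sample traffic are assumptions, since the abstract does not specify them.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample capture: (source host, IRC line sent by that host).
AUTOMATED = ["NICK n{h}", "USER u u u :u", "MODE n{h} +i",
             "JOIN #chan-a", "USERHOST n{h}", "MODE #chan-a"]
SAMPLE = [(f"10.0.0.{h}", tpl.format(h=h)) for h in (11, 12, 13) for tpl in AUTOMATED]
SAMPLE += [
    ("10.0.1.5", "NICK alice"), ("10.0.1.5", "USER alice 0 * :Alice"),
    ("10.0.1.5", "JOIN #chan-b"), ("10.0.1.5", "PRIVMSG #chan-b :hello"),
    ("10.0.1.5", "WHO #chan-b"),
    ("10.0.1.6", "USER bob 0 * :Bob"), ("10.0.1.6", "NICK bob"),
    ("10.0.1.6", "JOIN #chan-b"), ("10.0.1.6", "TOPIC #chan-b"),
    ("10.0.1.6", "PRIVMSG #chan-b :hi"), ("10.0.1.6", "AWAY :lunch"),
    ("10.0.1.7", "NICK carol"), ("10.0.1.7", "USER carol 0 * :Carol"),
    ("10.0.1.7", "LIST"), ("10.0.1.7", "JOIN #chan-b"),
    ("10.0.1.7", "NAMES #chan-b"),
]

def channel_similarity(events):
    """Map channel -> (mean pairwise similarity of command sequences, host count)."""
    verbs, members = defaultdict(list), defaultdict(set)
    for host, line in events:
        parts = line.split()
        if not parts:
            continue
        verbs[host].append(parts[0].upper())      # keep only the IRC command verb
        if parts[0].upper() == "JOIN" and len(parts) > 1:
            for chan in parts[1].split(","):      # JOIN may list several channels
                members[chan.lower()].add(host)
    scores = {}
    for chan, hosts in members.items():
        pairs = list(combinations(sorted(hosts), 2))
        if pairs:                                 # one host alone cannot be compared
            ratios = [SequenceMatcher(None, verbs[a], verbs[b], autojunk=False).ratio()
                      for a, b in pairs]
            scores[chan] = (sum(ratios) / len(ratios), len(hosts))
    return scores

def suspicious_channels(events, threshold=0.9, min_hosts=3):
    """Channels whose hosts send near-identical command sequences (assumed cut-offs)."""
    return sorted(chan for chan, (score, n) in channel_similarity(events).items()
                  if n >= min_hosts and score >= threshold)

if __name__ == "__main__":
    for chan, (score, n) in sorted(channel_similarity(SAMPLE).items()):
        print(f"{chan}: hosts={n} mean_similarity={score:.2f}")
    print("flagged:", suspicious_channels(SAMPLE))
```

On the constructed sample, the three hosts that replay the same scripted login into `#chan-a` are flagged, while the three human-like sessions in `#chan-b` are not.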