With the rapid development and wide application of computer network technology, the number of cyber-crimes increases continuously, exposing more and more users and enterprises to the threat of attacks and intrusions. The main reason for this phenomenon is the emergence of botnets. A botnet provides attackers with a stealthy, flexible and efficient one-to-many command and control mechanism, which can be used to direct an army of bot hosts toward goals including information theft, launching distributed denial of service attacks, and sending spam. The botnet is the core of cyber-crime: many separate cyber-crimes can be connected and unified through botnets. Botnets have entered an expansion phase and have become a serious threat to Internet security.

Research on botnets has only begun recently, and in most cases it has relied on flow detection techniques. However, such techniques only begin to extract characteristics after a botnet has already broken out, so they cannot detect botnets in a timely and accurate manner.

In view of the above, the main contributions and innovations of this paper are a system that can inspect and clean botnets, and five new techniques for detecting them. The primary work of this paper includes:

1. The definition, principles and propagation approaches of botnets are described. Several methods for studying botnets are introduced and the traditional countermeasures are given. The trends of botnets are analyzed briefly.

2. By analyzing the characteristics of botnets, this paper designs a botnet inspection system. The system can inspect botnets, filter botnet traffic, and provide specific anti-virus software to help users whose computers have been attacked by bot programs remove the virus.

3. Since how to detect botnets is always the emphasis and difficulty of the study, this paper introduces five new methods for detecting botnets on the basis of abnormal traffic: the immune virtual machine analysis method, the abnormal behavior identification method, the communication behavior inspection method, the first-packet-of-botnet method, and the abnormal IRC detection method. With these detection methods, the establishment, control and attack phases of a botnet can all be inspected. Once a botnet is detected, the filtering and anti-virus modules of the system designed in this paper can further control its spread and harm. The detection system is sufficiently flexible to integrate many existing detection techniques and provide effective and efficient botnet inspection, with better timeliness, a lower false positive rate, a lower false negative rate, and higher efficiency.

4. This paper also proposes two auxiliary schemes to validate whether a suspect computer is involved in a botnet. The two auxiliary schemes can also verify whether the detection results are correct.

5. This paper conducts laboratory tests and real-network tests of the detection system. The test results are analyzed, and the functionality and performance of the detection system are demonstrated. According to the test results, the system's functionality and performance are qualified. Higher accuracy, better timeliness, stricter detection and lower system overhead are the strong points of the system designed in this paper.