
Construction And Detection Technology Of Semi-distributed P2P Botnet

Posted on: 2011-08-03
Degree: Master
Type: Thesis
Country: China
Candidate: J Xie
Full Text: PDF
GTID: 2178360308983705
Subject: Computer software and theory
Abstract/Summary:
Semi-distributed P2P (peer-to-peer) botnets, which are highly concealed and robust, pose a growing threat to global network security and are becoming a new platform for attacks. On the one hand, to avoid detection, the builders of semi-distributed P2P botnets use various methods to adapt P2P protocols and make the botnet difficult to detect. On the other hand, in order to keep a semi-distributed P2P botnet useful as an attack platform over the long term, the attacker will actively change its construction method to find variants of such botnets. Therefore, research on construction and detection technology for semi-distributed P2P botnets plays a part in preventing and destroying such botnets.

This thesis focuses on semi-distributed P2P botnets, and the research covers the following areas:

1. We make a detailed study of the semi-distributed P2P botnet, from architecture to working mechanisms.
2. Several existing detection methods for semi-distributed P2P botnets are analyzed and summarized, including honeypot detection, flow detection and SST hooks detection.
3. We propose a detection method based on pseudo-honeypots. When users notice abnormal behavior on their hosts, they should immediately close normally running programs and perform a simple deployment on the hosts; in that state the hosts can be regarded as "pseudo-honeypots", and we can then combine them with flow analysis to detect semi-distributed P2P botnets.
4. A new construction method for semi-distributed P2P botnets is proposed, which we call the honeypot-prescient semi-distributed P2P botnet. The core of this method is a sensor authentication layer that prevents honeypots from joining the botnet. It can avoid relatively simple honeypot detection. Based on two metric functions C(p) and D(p), and on the peer-list update process using different numbers of servent bots, we analyze the robustness of such a botnet. Then, a detection method based on double honeypots for honeypot-prescient semi-distributed P2P botnets is proposed. The combination of a high-interaction honeypot with a low-interaction honeypot makes it easy for honeypots to join a honeypot-prescient semi-distributed P2P botnet, so the hidden botnet can be detected conveniently.

We use software such as Matlab, Omnipeek and Wireshark for simulation. The results show that the proposed pseudo-honeypot detection can effectively detect semi-distributed P2P botnets, that honeypot-prescient semi-distributed P2P botnets are highly robust, and that the double-honeypot detection method has a high detection rate.
Keywords/Search Tags: Botnet, Semi-Distributed, P2P, Detection method, Robustness