Worms, Bots Spread Model And Detection Technology

Posted on: 2009-05-04
Degree: Master
Type: Thesis
Country: China
Candidate: L Wu
GTID: 2208360245461115
Subject: Information security

Abstract/Summary:
DDoS attacks have undoubtedly emerged as the most serious security issue on the Internet today. The botnet, a network made up of zombie hosts, is the most important tool used for DDoS, which makes it the primary target in countering DDoS. A botnet is not an individual virus but an organization of one or several attacking networks that attack a particular target together at a specified time, so it is important to study how a botnet is established. Because the establishment of a botnet depends on bot propagation, the propagation process can be regarded as the buildup of the botnet, setting aside the process by which attacking nodes register with the control center and the communication between them. Moreover, bot detection is one of the methods that can block or destroy a botnet. The propagation and detection of bots are therefore the breakthrough points for research on botnets.

This thesis targets the IRC (Internet Relay Chat) botnet, a kind of botnet built up through instant messaging software. Bots that infect in the manner of worms are selected as the breakthrough point for research on this botnet. The thesis accomplishes three pieces of work, as follows.

Firstly, a two-factor worm bot propagation model on scale-free networks is proposed. Based on a study of the features of worm bots and the complex network topology of botnets, the scale-free network is regarded as the most suitable network model for describing an IRC botnet, which is organized through the infection of worm bots. The propagation model takes the impact of hubs on worm bot propagation into account, and it improves on existing worm propagation models, which are built on a fully connected network topology. In simulation the model shows good retardance at the start and slow removal, and the simulation curve is close to the original observation curve.

Secondly, a sectional approximate string matching algorithm is proposed. Pattern matching is one of the most popular detection techniques. Traditional pattern matching algorithms solve the problem of the similarity of two strings, but they are ineffective against some improved attack methods, such as noise, session splicing and information dispersing. The sectional approximate string matching algorithm can effectively solve these problems by treating the task as deciding whether at least 1/p of the pattern string falls into the text string with order remains unresolved. It has the functions of both approximate string matching and regular pattern matching. It can match on-line, and it decreases the false negative rate. Its best-case complexity is O(m^2/log m), and its worst-case complexity is not more than O(mn). The algorithm is also compatible with the development of dynamic programming algorithms.

Lastly, this thesis summarizes existing botnet counterattacking techniques and develops a host-based bot detection system.
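The following is an added example, not code from the thesis: the abstract does not give the sectional algorithm, so this uses a plain longest-common-subsequence dynamic program as a stand-in to show why exact matching misses noise-padded and spliced input while an on-line "at least 1/p of the pattern" test does not. It assumes that "falls into the text string" means appearing as an in-order subsequence; the signature, the traffic samples and all names are constructed for illustration.

```python
import math

SIGNATURE = "JOIN #c2chan"                     # constructed signature
NOISY = ["J\x00O\x00I\x00N #c2\x00chan"]       # constructed: NUL noise inserted
SPLICED = ["JO", "IN #c", "2chan"]             # constructed: split over segments
BENIGN = ["PING :irc.example.net"]             # constructed benign line


class OnlineSubsequenceMatcher:
    """Streaming LCS of a fixed pattern against text fed segment by segment."""

    def __init__(self, pattern: str, p: int):
        self.pattern = pattern
        # Assumed rule: alert once >= 1/p of the pattern has appeared in order.
        self.threshold = math.ceil(len(pattern) / p)
        # row[j] = LCS length of pattern[:j] and all text consumed so far.
        self.row = [0] * (len(pattern) + 1)

    @property
    def score(self) -> int:
        return self.row[-1]

    def feed(self, segment: str) -> bool:
        """Consume one segment; state persists, so splicing does not reset it."""
        for ch in segment:
            diag = 0  # previous row's value at column j-1
            for j, pc in enumerate(self.pattern, start=1):
                above = self.row[j]
                self.row[j] = diag + 1 if pc == ch else max(above, self.row[j - 1])
                diag = above
        return self.score >= self.threshold


def exact_hit(pattern: str, segments: list[str]) -> bool:
    """Baseline: per-segment exact substring search."""
    return any(pattern in s for s in segments)


def approx_hit(pattern: str, segments: list[str], p: int) -> tuple[bool, int]:
    """Feed all segments of one session; return (alert, in-order matched chars)."""
    matcher = OnlineSubsequenceMatcher(pattern, p)
    alert = False
    for s in segments:
        alert = matcher.feed(s)
    return alert, matcher.score


if __name__ == "__main__":
    for name, segs in [("noisy", NOISY), ("spliced", SPLICED), ("benign", BENIGN)]:
        print(name, exact_hit(SIGNATURE, segs), approx_hit(SIGNATURE, segs, 1),
              approx_hit(SIGNATURE, segs, 2))
```

Each input character costs O(m) work, so a text of length n costs O(mn) in total, in line with the worst-case bound quoted in the abstract. With p = 2 the benign line also alerts, because 6 of the 12 signature characters occur in it in order, so in this stand-in the choice of p trades false negatives against false positives.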
Keywords/Search Tags: botnet, worm bot, propagation model, approximate string matching