
Host-based P2p Zombie Virus Detection Technology Research

Posted on: 2010-06-14
Degree: Master
Type: Thesis
Country: China
Candidate: M L Wang
Full Text: PDF
GTID: 2208360275483153
Subject: Computer software and theory
Abstract/Summary:
Botnets are a growing threat to Internet security and have drawn considerable attention from network-security researchers. Because IRC is still the dominant protocol used by botnets, almost all existing work concentrates on detecting the command and control (C&C) channel of IRC botnets. An IRC-based C&C channel is highly centralized: its client/server structure makes it comparatively easy to track, detect and take down. Botnets that use P2P techniques are markedly more robust and better concealed, which makes detecting and tracking them much harder. At present there is no general detection approach, because P2P botnets differ strongly from one another in protocol and behaviour. As P2P botnets continue to develop, building an effective detection method for them is an important research subject.

This thesis brings data mining techniques into the field of information security. P2P-controlled bots are taken as the research object; their malicious behaviour on the host and their communication are analysed in order to understand their activity patterns and propagation mechanism. On that basis, a general and efficient detection method for P2P-controlled bots is proposed that finds unusual host activity and unusual connections. By combining malicious-behaviour analysis with P2P protocol identification, the method is made general rather than tied to one bot family, which is both novel in this research area and of practical value.

The work proceeds in four steps. First, a large number of bot samples is collected and analysed to understand their operating principles, content signatures, behavioural characteristics, propagation rules and attack capabilities; detailed analysis reports of the bots are produced.

Second, the N-gram text-classification algorithm is used to build the detection model that identifies malicious behaviour. The API function calls of an executable are extracted and quantified, and the frequency distribution of the length-N substrings taken from the API call sequence is computed; from that distribution the model decides whether the executable exhibits malicious behaviour on the host.

Third, current traffic-detection techniques are improved and a method for identifying P2P traffic is constructed. The emphasis is on the analysis of P2P connection behaviour rather than payload signatures, and the process of building the P2P behaviour model is described in detail.

Finally, the detection approach combines malicious-behaviour analysis and P2P protocol identification. A time window is set within which host behaviour and communication traffic are monitored dynamically, and a host is reported as running a P2P-controlled bot only when both indicators appear in the same window. A series of experiments shows that the proposed method for detecting P2P-controlled bots is effective.
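The three components the abstract describes (an N-gram classifier over API call sequences, connection-behaviour features for P2P traffic, and a time-window combination of the two), as an added worked example written for this page; it is not the thesis's own implementation. The API traces, flow records, feature set, classifier and thresholds are all constructed assumptions chosen so the code runs offline and illustrates the technique; they are not the thesis's data or parameters.

```python
"""Host-side API-call N-gram classifier combined with P2P connection-behaviour
features over a time window. Illustrative code, not the thesis implementation;
all sample data and thresholds below are constructed (assumptions)."""
from collections import Counter
from math import log


# --- 1. N-gram model over API call sequences (host behaviour) ----------------

def api_ngrams(calls, n=2):
    """Frequency distribution of the length-n substrings of an API call sequence."""
    return Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))


class NgramNB:
    """Multinomial naive Bayes over API-call n-grams; classes 'bot' and 'benign'.
    Any bag-of-ngrams classifier would do here; naive Bayes is the simplest one
    that needs no third-party library (an assumption of this example)."""

    def __init__(self, n=2, alpha=1.0):
        self.n, self.alpha = n, alpha
        self.counts = {"bot": Counter(), "benign": Counter()}
        self.docs = Counter()
        self.vocab = set()

    def fit(self, samples):
        for calls, label in samples:
            grams = api_ngrams(calls, self.n)
            self.counts[label].update(grams)
            self.vocab.update(grams)
            self.docs[label] += 1

    def log_odds(self, calls):
        """log P(bot|x) - log P(benign|x); positive means more bot-like."""
        grams = api_ngrams(calls, self.n)
        total = {c: sum(self.counts[c].values()) for c in self.counts}
        v, ndocs = len(self.vocab), sum(self.docs.values())
        score = log(self.docs["bot"] / ndocs) - log(self.docs["benign"] / ndocs)
        for g, k in grams.items():  # Laplace-smoothed per-gram likelihood ratio
            p_bot = (self.counts["bot"][g] + self.alpha) / (total["bot"] + self.alpha * v)
            p_ben = (self.counts["benign"][g] + self.alpha) / (total["benign"] + self.alpha * v)
            score += k * (log(p_bot) - log(p_ben))
        return score


# Constructed training traces (assumption): bots open sockets, touch the registry
# for persistence and inject into other processes; benign GUI apps mostly do file
# and message-loop work.
BOT_TRACES = [
    ["WSAStartup", "socket", "bind", "sendto", "recvfrom", "RegSetValueExA",
     "CreateRemoteThread", "sendto", "recvfrom"],
    ["WSAStartup", "socket", "sendto", "recvfrom", "RegSetValueExA",
     "WriteProcessMemory", "CreateRemoteThread", "sendto"],
    ["WSAStartup", "socket", "bind", "recvfrom", "sendto", "RegSetValueExA",
     "CopyFileA", "CreateRemoteThread"],
]
BENIGN_TRACES = [
    ["CreateFileA", "ReadFile", "CloseHandle", "GetMessageA", "DispatchMessageA",
     "CreateFileA", "WriteFile", "CloseHandle"],
    ["RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey", "CreateFileA", "ReadFile",
     "CloseHandle", "GetMessageA"],
    ["GetMessageA", "TranslateMessage", "DispatchMessageA", "CreateFileA",
     "WriteFile", "CloseHandle", "ExitProcess"],
]
MODEL = NgramNB(n=2)
MODEL.fit([(t, "bot") for t in BOT_TRACES] + [(t, "benign") for t in BENIGN_TRACES])


# --- 2. P2P connection behaviour inside a time window (traffic) --------------

def p2p_features(flows, host, t0, window):
    """Per-host connection features over flows with t0 <= ts < t0 + window.
    A flow is (ts, src, dst_ip, dst_port, proto, ok); ok=False marks a TCP
    connect that never completed, as happens when a bot probes stale peers."""
    mine = [f for f in flows if f[1] == host and t0 <= f[0] < t0 + window]
    if not mine:
        return None
    tcp = [f for f in mine if f[4] == "tcp"]
    failed = sum(1 for f in tcp if not f[5])
    return {
        "flows": len(mine),
        "peers": len({f[2] for f in mine}),
        "ports": len({f[3] for f in mine}),
        "fail_ratio": failed / len(tcp) if tcp else 0.0,
        "udp_ratio": sum(1 for f in mine if f[4] == "udp") / len(mine),
    }


def looks_p2p(feat, min_peers=8, min_ports=5, min_fail=0.3):
    """Heuristic P2P signature: many distinct peers on many distinct ports with a
    high share of failed connections. Thresholds are assumptions, not tuned."""
    return (feat is not None and feat["peers"] >= min_peers
            and feat["ports"] >= min_ports and feat["fail_ratio"] >= min_fail)


# --- 3. Combine both indicators within one time window -----------------------

def detect_bot(model, api_trace, flows, host, t0, window=60):
    """Report host only when bot-like API behaviour and P2P-like traffic co-occur
    in the same window; either signal alone is not enough."""
    return model.log_odds(api_trace) > 0 and looks_p2p(p2p_features(flows, host, t0, window))


# Constructed flow records (assumption): 10.0.0.5 sweeps ten peers on ten ports
# with most connects failing; 10.0.0.7 repeatedly talks to one HTTPS server.
FLOWS = [(i * 2.0, "10.0.0.5", f"203.0.113.{10 + i}", 20000 + 37 * i, "tcp", i % 3 == 0)
         for i in range(10)]
FLOWS += [(i * 5.0, "10.0.0.7", "198.51.100.20", 443, "tcp", True) for i in range(6)]
BOT_TEST = ["WSAStartup", "socket", "sendto", "recvfrom", "RegSetValueExA", "CreateRemoteThread"]

if __name__ == "__main__":
    for host in ("10.0.0.5", "10.0.0.7"):
        print(host, p2p_features(FLOWS, host, 0, 60), detect_bot(MODEL, BOT_TEST, FLOWS, host, 0))
```

The window matters in practice: a bot's peer-list sweep and its host-side behaviour must be observed in the same interval, otherwise a legitimate BitTorrent client on a host that also runs a benign installer will trip one indicator at a time without being flagged. The failed-connection ratio is the feature that most distinguishes P2P peer discovery from ordinary client traffic, because peer lists carried by bots are routinely stale.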
Keywords/Search Tags:Botnet, P2P-controlled bot, Malicious behavior analysis, P2P traffic identification