Botnet Detection Methods Based On The Characteristics Of Abnormal Behavior Study

Posted on: 2011-10-03
Degree: Master
Type: Thesis
Country: China
Candidate: Q Yang
Full Text: PDF
GTID: 2208360308967666
Subject: Computer application technology

Abstract/Summary:
A botnet is a centrally controlled group of computers that an attacker secretly builds over the Internet. It can be used to launch large-scale denial-of-service attacks, send spam e-mail, carry out phishing, and so on. Detecting botnets quickly and effectively can prevent some network incidents. However, the controlled computers are widely spread and their types are complex and diverse, which makes botnet detection a challenge. Fast and accurate detection of botnets is therefore a major research direction in this field.

This thesis analyzes the structure and working mechanism of IRC-based botnets and presents the advantages and disadvantages of several common botnet detection algorithms. Starting from the abnormal behavior that controlled hosts show when they respond in a bot channel, it proposes a bot channel detection algorithm based on abnormal behavior characteristics. A prototype system for IRC-based botnet detection using these characteristics is designed and implemented, and the effectiveness of the algorithm is evaluated and verified.

The main work includes:
(1) Analyzing the botnet work process together with the advantages and disadvantages of current traditional detection algorithms, verifying the feasibility of a detection scheme based on abnormal behavior, and giving a botnet detection framework based on abnormal behavior characteristics.
(2) Successfully building a botnet operating environment, carrying out a comprehensive simulation analysis of the attacker in the bot control channel, and extracting the abnormal behavior characteristics of bot hosts by comparing IRC bot channels with IRC chat channels.
(3) Giving a botnet detection algorithm based on abnormal behavior. The main problem for the algorithm is to identify the correlation, in time and space, of the responses that hosts in an IRC chat channel give to a command. Based on the similarity of the responses of the monitored hosts to commands within a certain period of time, it determines whether the current channel is being used by an attacker to build a botnet.
(4) Designing and implementing a prototype system for IRC-based botnet detection using abnormal behavior characteristics. Experiments on normal IRC channels and on channels with an IRC bot implanted verify the effectiveness of the algorithm and the framework.
Keywords/Search Tags:Botnet, IRC, Bot Channel, Response Cluster
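
An added illustration of the response-correlation idea in item (3), not code from the thesis: it flags a channel message that is followed, within a short window, by similar replies from most of the other channel members. The window length, both thresholds, the text-similarity measure (difflib) and the sample traffic are assumptions constructed for this example.

```python
from difflib import SequenceMatcher
from itertools import combinations

# Assumed thresholds, not values from the thesis.
WINDOW = 5.0          # seconds after a message in which replies are counted
MIN_FRACTION = 0.6    # share of the other channel members that must reply
MIN_SIMILARITY = 0.7  # mean pairwise text similarity of those replies

def response_clusters(events):
    """events: time-sorted (timestamp, nick, text) tuples from one channel.
    Returns (trigger_index, reply_fraction, reply_similarity) per cluster."""
    members = {nick for _, nick, _ in events}
    hits, consumed = [], set()
    for i, (t0, sender, _) in enumerate(events):
        if i in consumed:  # already counted as a reply to an earlier trigger
            continue
        replies = {}  # nick -> (index, text) of first reply inside the window
        for j in range(i + 1, len(events)):
            t, nick, text = events[j]
            if t - t0 > WINDOW:
                break
            if nick != sender:
                replies.setdefault(nick, (j, text))
        if len(replies) < 2:
            continue
        fraction = len(replies) / (len(members) - 1)
        pairs = list(combinations([txt for _, txt in replies.values()], 2))
        similarity = sum(SequenceMatcher(None, a, b).ratio() for a, b in pairs) / len(pairs)
        if fraction >= MIN_FRACTION and similarity >= MIN_SIMILARITY:
            hits.append((i, round(fraction, 2), round(similarity, 2)))
            consumed.update(j for j, _ in replies.values())
    return hits

# Constructed sample traffic (not captured data).
BOT_CHANNEL = [
    (0.0, "op", "!status"),
    (0.4, "h1", "status: idle uptime 3d"),
    (0.5, "h2", "status: idle uptime 5d"),
    (0.7, "h3", "status: idle uptime 1d"),
    (0.9, "h4", "status: idle uptime 9d"),
]
CHAT_CHANNEL = [
    (0.0, "alice", "anyone know a good vim plugin for rust?"),
    (2.1, "bob", "rust-analyzer with coc works fine"),
    (4.0, "carol", "lunch time, back in an hour"),
    (9.5, "dave", "alice: try the built-in lsp client"),
]
if __name__ == "__main__":
    print(response_clusters(BOT_CHANNEL), response_clusters(CHAT_CHANNEL))
```

In the chat sample two members also reply inside the window, but their replies are dissimilar, so only the constructed bot channel produces a cluster.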