With the development of the Internet, the reliability of network security is becoming more and more important, and botnet detection has become one of its central concerns; detecting botnets remains a major and difficult problem. At present, research on botnet detection methodology mainly focuses on two aspects: honeynet-based methodology and network-flow-monitoring methodology. The second is further divided into four kinds of methods: 1) anomaly-based detection, 2) signature-based detection, 3) DNS-based detection, and 4) data-mining-based detection. Anomaly-based detection, which does not need a priori knowledge for rule matching during the intrusion detection process, is widely used in botnet detection. The key point of our research is to use an anomaly-based detection algorithm to detect the network-flow features of compromised machines; after multiple rounds of detection, the suspicious compromised machines can finally be spotted. Two kinds of problems have been met in botnet detection in local area networks. First, rule matching was needed during the intrusion detection process. Second, a compromised machine could not be detected before it performed malicious behaviour. After studying the different characteristics of botnets, the communication features of compromised machines are used to form a monitoring scope for detecting suspect compromised machines. Two features are put forward to examine whether a machine's communication fits that of a bot: the similarity of the payloads of its inbound packets, and the time distance between pairs of inbound and outbound packets. The similarity is then substituted into a modified TRW (Threshold Random Walk) algorithm, which performs the detection in real time. The compromised machines are detected by this similarity-based modified TRW algorithm: the similarity of each machine in each time window is the input to the algorithm in each calculation round.
After judgments over multiple rounds (time windows), the compromised machines are marked. This research provides a new kind of methodology for detecting compromised machines, and thus the whole botnet, before malicious behaviour and without rule matching. The experiments have proved that the modification is effective in improving detection accuracy, and it is important for future research.
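As an added illustration (not the paper's own code or data), the following Python sketch shows how the two communication features described above can drive a TRW-style sequential test over time windows. The concrete feature definitions (byte n-gram Jaccard similarity, coefficient of variation of reply delays), the walk parameters, the decision thresholds and the sample traffic are all assumptions, since the abstract does not specify them.

```python
import math
from itertools import combinations

def ngrams(payload: bytes, n: int = 3) -> set:
    return {payload[i:i + n] for i in range(len(payload) - n + 1)}

def payload_similarity(payloads, n=3):
    """Mean pairwise Jaccard similarity of byte n-grams over a window's inbound payloads (assumed metric)."""
    pairs = list(combinations([ngrams(p, n) for p in payloads], 2))
    return sum(len(a & b) / len(a | b) for a, b in pairs) / len(pairs) if pairs else 0.0

def delay_regularity(io_pairs):
    """Coefficient of variation of inbound->outbound delays; near-constant delays look machine-driven."""
    d = [out - inb for inb, out in io_pairs]
    mean = sum(d) / len(d)
    sd = math.sqrt(sum((x - mean) ** 2 for x in d) / len(d))
    return sd / mean if mean > 0 else float("inf")

class SimilarityTRW:
    """Threshold Random Walk driven by per-window similarity verdicts instead of scan failures.
    theta1/theta0: assumed probability that a bot/benign host yields a bot-like window;
    alpha/beta: target false-positive and miss rates that fix the two stopping thresholds."""
    def __init__(self, theta0=0.2, theta1=0.8, alpha=0.01, beta=0.01):
        self.up = math.log(theta1 / theta0)                # step for a bot-like window
        self.down = math.log((1 - theta1) / (1 - theta0))  # step for a benign-looking window
        self.eta1 = math.log((1 - beta) / alpha)           # declare "bot" at or above this
        self.eta0 = math.log(beta / (1 - alpha))           # declare "benign" at or below this
        self.walk = 0.0
    def observe(self, bot_like: bool) -> str:
        self.walk += self.up if bot_like else self.down
        return "bot" if self.walk >= self.eta1 else "benign" if self.walk <= self.eta0 else "pending"

def classify_host(windows, sim_min=0.5, cv_max=0.3):
    """Feed one verdict per time window into the walk; stop at the first decisive result."""
    trw = SimilarityTRW()
    for w in windows:
        bot_like = payload_similarity(w["in"]) >= sim_min and delay_regularity(w["pairs"]) <= cv_max
        verdict = trw.observe(bot_like)
        if verdict != "pending":
            return verdict
    return "pending"

# Constructed sample traffic (not captured data): the bot receives near-identical keepalives
# and replies with a fixed delay; the workstation sees varied protocols and human-paced replies.
BOT_WINDOWS = [{"in": [f"PING id={chr(97 + 3 * k + i)} cmd=sleep".encode() for i in range(3)],
                "pairs": [(30.0 * k + 10 * i, 30.0 * k + 10 * i + 0.05) for i in range(3)]} for k in range(5)]
USER_WINDOWS = [{"in": [b"GET /index.html HTTP/1.1", b"POST /api/login", b"HELO mail.example"],
                 "pairs": [(30.0 * k, 30.0 * k + 0.3), (30.0 * k + 1, 30.0 * k + 2.7), (30.0 * k + 5, 30.0 * k + 5.01)]}
                for k in range(5)]

if __name__ == "__main__":
    print(classify_host(BOT_WINDOWS), classify_host(USER_WINDOWS))  # bot benign
```

With the chosen parameters the walk needs four agreeing windows before it stops, which is the multi-round behaviour the abstract describes; three windows alone leave the host "pending".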