
Research On Bots Control Behaviour And Detecting Approaches

Posted on: 2012-09-09
Degree: Master
Type: Thesis
Country: China
Candidate: H Chen
Full Text: PDF
GTID: 2218330362956561
Subject: Information security

Abstract/Summary:
Botnets are groups of compromised hosts used to launch large-scale malicious attacks, usually commanded by a remote controller called the bot master. In recent years botnets have become more robust to disruption as their organizational structure has shifted from centralized to structured P2P models and their control protocols have grown more diverse, including encrypted variants, which poses serious challenges for detection technology. Because the command and control channel is the key to how a botnet is organized and operated, research on recognizing and detecting that channel is of great importance. This thesis proposes a control-behavior-based botnet detection approach and detection framework for the two types of botnet. For centralized IRC botnets, we first pick out IRC sessions by protocol recognition, then extract malicious control keywords from IRC server-client traffic, and finally analyze and classify the bots according to the differences among those keywords. For P2P botnets, whose control protocol is unknown, we identify botnet control behavior by the similarity of their flow distributions.
We first extract P2P control flows with a residual-entropy-based algorithm, pass the result to a sequential hypothesis testing module that quantifies the similarity, and finally train a two-dimensional support vector machine to predict which hosts are zombies. Tests on packets and flow records of campus traffic at Huazhong University of Science and Technology show that the malicious-control-keyword-based IRC bot detection algorithm runs efficiently in a Gigabit Ethernet environment and accurately reports and classifies the patterns of zombies hidden in the campus network. The control-flow-similarity-based P2P bot detection method, using χ2 sequential hypothesis testing, quantifies the control flow similarity of the P2P control traffic filtered by the residual entropy module well, with a shelving rate of 99.8%; compared with the maximum likelihood ratio test algorithm, the χ2 test is more accurate on data sets whose distribution is unknown. Finally, the support vector machine avoids threshold judgments and lowers the false positive rate.
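The flow-distribution similarity step, as an added illustration rather than the thesis's own code (the abstract does not give its binning, features or sequential stopping rule): a two-sample χ2 homogeneity test over constructed flow-size histograms, treating two hosts whose distributions cannot be told apart at α = 0.05 as candidates that share a control protocol.

```python
"""Two-sample chi-square homogeneity test over per-host flow-size histograms.

Assumption: hosts running the same P2P control protocol produce similar
flow-size distributions, while an unrelated client does not. All counts
below are constructed for the example, not measured traffic."""

# Upper-tail critical values of the chi-square distribution at alpha = 0.05.
CHI2_CRIT_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070, 6: 12.592}

# Bin edges in bytes: 4 buckets -> <256, 256-1023, 1024-4095, >=4096
FLOW_SIZE_EDGES = [256, 1024, 4096]

# Constructed histograms (100 flows per host) over the buckets above.
BOT_A = [60, 30, 8, 2]      # many small keep-alive sized flows
BOT_B = [58, 33, 7, 2]      # same shape: likely the same control protocol
BENIGN = [20, 25, 30, 25]   # broad mix of flow sizes from ordinary use


def histogram(flow_sizes, edges=FLOW_SIZE_EDGES):
    """Bin raw flow sizes (bytes) into len(edges)+1 buckets."""
    counts = [0] * (len(edges) + 1)
    for size in flow_sizes:
        counts[sum(1 for e in edges if size >= e)] += 1
    return counts


def chi2_homogeneity(h1, h2):
    """Return (statistic, degrees of freedom) for the hypothesis that the two
    histograms were drawn from the same distribution. Bins empty in both
    hosts are dropped so they neither add a degree of freedom nor divide by 0."""
    bins = [(a, b) for a, b in zip(h1, h2) if a + b > 0]
    n1, n2 = sum(a for a, _ in bins), sum(b for _, b in bins)
    total = n1 + n2
    stat = 0.0
    for a, b in bins:
        exp1, exp2 = (a + b) * n1 / total, (a + b) * n2 / total
        stat += (a - exp1) ** 2 / exp1 + (b - exp2) ** 2 / exp2
    return stat, len(bins) - 1


def similar(h1, h2, crit=CHI2_CRIT_05):
    """True when the null hypothesis (same distribution) is not rejected."""
    stat, df = chi2_homogeneity(h1, h2)
    return stat <= crit[df]


if __name__ == "__main__":
    print("bot A vs bot B similar:", similar(BOT_A, BOT_B))     # True
    print("bot A vs benign similar:", similar(BOT_A, BENIGN))   # False
```

In the thesis this comparison is run sequentially as flows arrive, so a host is flagged only after enough evidence accumulates; the SVM stage then replaces the fixed critical value with a learned boundary.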
Keywords/Search Tags:bots, control behavior, distribution similarity, sequence hypothesis testing, multi-pattern matching algorithm, bot pattern