
Research Of Correlative Method With Multiple Sensors In Bots Detection

Posted on: 2012-02-11
Degree: Master
Type: Thesis
Country: China
Candidate: L Tang
Full Text: PDF
GTID: 2218330362956566
Subject: Computer Information Security
Abstract/Summary:
Botnets are becoming the most serious threat to network security, and at present they cannot be eradicated, for two main reasons. First, attackers update their malicious code constantly for greater profit, leaving defenders in a passive position. Second, many existing botnet detection methods aim to discover the entire botnet or all of its zombies. In theory such methods may work well, but the zombies of a botnet are always distributed across different areas, so a sensor deployed at the border router of a small network can hardly meet that expectation. Moreover, any single method produces false positives and false negatives; this is a common deficiency. How to discover the basic characteristics of botnets and raise both the accuracy and the practicability of botnet detection is therefore one of the problems that must be solved.

By researching and analyzing botnet detection methods, malicious-activity detection metrics and abnormal-behavior mining techniques, we propose a detection mechanism based on correlating the alerts of multiple sensors, with the aim of increasing detection accuracy and the confidence of alerts while weakening the false positives and false negatives of any single sensor.

The analyzed data come from packet capture and flow collection with nProbe, which gives higher efficiency and less data loss than sampled Cisco NetFlow. We deployed three types of sensors in our system. The bot detection module uses existing P2P and IRC bot detection methods to trigger alerts. The malicious-activity detection module focuses mainly on SCAN and SPAM. The abnormal-behavior mining module analyzes anomalies in DNS and HTTP connections.

The correlation module runs as a background daemon, triggered by a timer every thirty minutes to apply the correlation strategy, and it also adjusts the confidence (probability) of every sensor according to the correlation results. Our system detected both P2P and IRC samples in an enclosed experimental network and in a real network environment carrying 2 Gbit/s of traffic. The results on real network traffic also demonstrated high efficiency and more accurate alerts than any single sensor, and uncovered suspicious botnet activity.
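The following is an added illustration of the timer-driven correlation cycle described above; it is not the thesis's own code. The abstract does not state how alerts are combined or how sensor confidence is adjusted, so both rules here are assumptions: alerts about the same internal host within the 30-minute window are combined with a noisy-OR over the per-sensor confidences, sensors whose alerts were corroborated gain confidence, and a sensor that fired alone on a host that was not flagged loses some. The sensor names, initial confidences, threshold and sample alerts are all constructed for the example.

```python
"""Correlating alerts from multiple sensors with adaptive per-sensor confidence.

Added example for the correlation module of the abstract; not the thesis's code.
Combination rule (noisy-OR) and the confidence update are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # correlation period stated in the abstract
THRESHOLD = 0.8                  # assumed: combined score that raises a correlated alert
LEARN_RATE = 0.1                 # assumed: step size for the confidence adjustment

# Assumed initial confidence for the three sensor types of the system.
INITIAL_CONFIDENCE = {
    "bot_irc": 0.6, "bot_p2p": 0.6,       # bot detection module
    "scan": 0.5, "spam": 0.5,             # malicious-activity module
    "dns_anom": 0.4, "http_anom": 0.4,    # abnormal-behavior module
}

NOW = datetime(2012, 2, 11, 12, 0)

# Constructed alerts: (timestamp, sensor, internal host, detail). Not real data.
SAMPLE_ALERTS = [
    (NOW - timedelta(minutes=25), "bot_irc",   "10.0.0.5", "NICK/JOIN to 198.51.100.7:6667"),
    (NOW - timedelta(minutes=20), "scan",      "10.0.0.5", "vertical scan, 140 SYN/s"),
    (NOW - timedelta(minutes=5),  "dns_anom",  "10.0.0.5", "burst of NXDOMAIN replies"),
    (NOW - timedelta(minutes=12), "scan",      "10.0.0.7", "horizontal scan on 445/tcp"),
    (NOW - timedelta(minutes=11), "spam",      "10.0.0.7", "80 SMTP connections in 1 min"),
    (NOW - timedelta(minutes=3),  "http_anom", "10.0.0.9", "periodic GET with fixed UA"),
    (NOW - timedelta(minutes=45), "bot_p2p",   "10.0.0.9", "outside the window, ignored"),
]


def noisy_or(confidences):
    """Combine independent sensor confidences: 1 - prod(1 - c_i)."""
    miss = 1.0
    for c in confidences:
        miss *= 1.0 - c
    return 1.0 - miss


def correlate(alerts, confidence, now):
    """Group the alerts of the last WINDOW by host and score each host."""
    start = now - WINDOW
    by_host = defaultdict(set)
    for ts, sensor, host, _detail in alerts:
        if start <= ts <= now:
            by_host[host].add(sensor)
    return {host: (noisy_or(confidence[s] for s in sensors), sorted(sensors))
            for host, sensors in by_host.items()}


def update_confidence(confidence, scored):
    """Adaptive step: reward corroborated sensors, penalise lone uncorroborated ones."""
    new = dict(confidence)
    for _host, (score, sensors) in scored.items():
        corroborated = score >= THRESHOLD and len(sensors) >= 2
        for s in sensors:
            if corroborated:
                new[s] = min(0.95, new[s] + LEARN_RATE * (1.0 - new[s]))
            elif len(sensors) == 1:
                new[s] = max(0.05, new[s] - LEARN_RATE * new[s])
    return new


def run_cycle(alerts, confidence, now):
    """One timer-driven cycle: returns (flagged host -> score, updated confidence)."""
    scored = correlate(alerts, confidence, now)
    flagged = {h: round(score, 4) for h, (score, _s) in scored.items() if score >= THRESHOLD}
    return flagged, update_confidence(confidence, scored)


if __name__ == "__main__":
    flagged, conf = run_cycle(SAMPLE_ALERTS, INITIAL_CONFIDENCE, NOW)
    for host, score in flagged.items():
        print(f"correlated alert: {host} score={score}")
    print("confidence after cycle:", {k: round(v, 3) for k, v in conf.items()})
```

With the constructed input, only 10.0.0.5 crosses the threshold (three sensors agree), 10.0.0.7 stays below it with two medium-confidence sensors, and the lone http_anom alert on 10.0.0.9 is neither raised nor rewarded; the stale bot_p2p alert is dropped by the window. A deployed version would persist the confidence vector between timer runs and cap how far a single cycle can move it, so that one noisy interval cannot silence a sensor.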
Keywords: Botnet, Correlation, Multi-Sensors, Adaptive Confidence, Gbit Network