
The Design And Implementation Of Botnet Detection Module Based On IP Flows

Posted on: 2012-09-24
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Wang
Full Text: PDF
GTID: 2218330362959371
Subject: Communication and Information System
Abstract/Summary:
Botnets have become the main attack platform on the Internet today. They are used for distributed denial of service, spam, information theft, distributing other malware, and so on. With the rise of botnets, botnet detection has become a research hot spot. Current botnet detection techniques mainly include honeypot detection, signature (characteristic) detection, anomaly detection, DNS detection and data mining detection. These techniques share a major drawback: they are not generic and can only detect a specific botnet or one kind of botnet, so their applicability is limited.

First, we analyze the basic characteristics of botnets in detail. Through this analysis we find a major feature of botnets: the zombie nodes in the same botnet behave similarly in both their communication and their attacks. Based on this, we propose a botnet detection model based on IP flows. The model is divided into five modules: a network flow collection module, a communication log generation module, a communication log clustering module, an attack log generation module, an attack log clustering module and a cross clustering module. The network flow collection module collects the network flows between the inside and the outside of the network; the communication log generation module and the communication log clustering module find the hosts with similar communication behavior; the attack log generation module and the attack log clustering module find the hosts with similar attack activities. On this basis, the cross clustering module combines the results of the communication clustering and the attack clustering to find the hosts that belong to the same botnet.

We construct a test environment in a local network that simulates a botnet, and then carry out a series of experiments from different aspects. The results show that the module can effectively detect the botnet. Finally, we summarize the work and outline the next steps of this research.
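The following is an added illustration of the abstract's clustering pipeline, not code from the thesis: inside hosts are clustered once by the outside endpoints they talk to (communication logs), once by the attacks attributed to them (attack logs), and the cross clustering step keeps only host groups that fall in the same cluster under both views. The flow and attack records, the Jaccard similarity measure, the thresholds and the union-find grouping are all assumptions made for this example.

```python
from itertools import combinations

# Constructed sample flows (inside_host, outside_host, dst_port); not real data.
FLOWS = [
    ("10.0.0.1", "203.0.113.5", 6667), ("10.0.0.1", "203.0.113.9", 80),
    ("10.0.0.2", "203.0.113.5", 6667), ("10.0.0.2", "203.0.113.9", 80),
    ("10.0.0.3", "203.0.113.5", 6667), ("10.0.0.3", "203.0.113.9", 80),
    ("10.0.0.4", "198.51.100.7", 443), ("10.0.0.4", "198.51.100.8", 443),
    ("10.0.0.5", "198.51.100.7", 443), ("10.0.0.5", "198.51.100.8", 443),
]
# Constructed attack log (inside_host, attack_type, victim) produced upstream.
ATTACKS = [
    ("10.0.0.1", "syn_flood", "192.0.2.10"), ("10.0.0.2", "syn_flood", "192.0.2.10"),
    ("10.0.0.3", "syn_flood", "192.0.2.10"), ("10.0.0.4", "port_scan", "192.0.2.0/24"),
    ("10.0.0.5", "http_flood", "192.0.2.20"),
]

def jaccard(a, b):
    """Similarity of two feature sets (assumed measure, 0.0 when both are empty)."""
    return len(a & b) / len(a | b) if a or b else 0.0

def cluster(features, threshold):
    """Group hosts whose feature sets are pairwise similar enough (union-find)."""
    parent = {h: h for h in features}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in combinations(features, 2):
        if jaccard(features[a], features[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for h in features:
        groups.setdefault(find(h), set()).add(h)
    return [frozenset(g) for g in groups.values()]

def comm_clusters(flows, threshold=0.5):
    """Communication view: each host is described by the (peer, port) pairs it contacts."""
    feats = {}
    for src, dst, port in flows:
        feats.setdefault(src, set()).add((dst, port))
    return cluster(feats, threshold)

def attack_clusters(attacks, threshold=0.5):
    """Attack view: each host is described by the (attack_type, victim) pairs logged for it."""
    feats = {}
    for src, kind, victim in attacks:
        feats.setdefault(src, set()).add((kind, victim))
    return cluster(feats, threshold)

def cross_cluster(comm, attack, min_size=2):
    """Keep host groups that share a communication cluster AND an attack cluster."""
    return [c & a for c in comm for a in attack if len(c & a) >= min_size]
```

In this data 10.0.0.4 and 10.0.0.5 share the same outside peers but attack different targets, so they are not reported; only 10.0.0.1 through 10.0.0.3 survive the cross clustering.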
Keywords/Search Tags: botnet, IP flow, detection model, cluster