Botnet Detection Model And Key Technology Research And Implementation

Posted on: 2013-10-12
Degree: Master
Type: Thesis
Country: China
Candidate: Z F Tian
GTID: 2248330374485915
Subject: Information security
Abstract/Summary:
In recent years, distributed denial-of-service (DDoS) attacks, spam, phishing, worms and other malicious activities have become major threats to networked life, with serious impacts on network infrastructure and national security. The essential cause is the botnet hiding behind these malicious activities. According to the Symantec Security Report of 2008 and the McAfee security report for the fourth quarter of 2009, China again had the world's largest botnet population, accounting for 13% and 12% of the world total, respectively. Botnets keep growing and have become a serious threat to network security worldwide, and especially in China.
This thesis summarizes and analyzes current research on botnet detection. It proposes that botnet detection will develop toward approaches based on network collaboration and similarity analysis. From an analysis of botnets, we conclude that the essence of their development trend is to conceal the control channel and optimize the organizational structure. Building on current botnet detection research, a collaboration-based botnet detection model is proposed. The model combines network coordination with behavior-similarity analysis to monitor the behavior of botnet nodes and ultimately detect the botnet.
This thesis focuses on the design and implementation of a prototype system for the collaborative detection model. The system is divided into three main entities: the top analysis and dispatch center, the regional coordination control center, and the detection node. The top analysis and dispatch center assists in establishing the detection network and maintaining the detection information. The regional coordination control center is responsible for carrying out the collaborative detection task. The detection node monitors and analyzes the behavior of the node. The three entities of the prototype system work together to achieve the final detection.
The prototype system was verified in a simulated laboratory environment. The results showed that the prototype system can detect abnormal attack behavior, and thus can detect the simulated botnet nodes.
Keywords/Search Tags: botnet detection, network coordination, similarity, model