
The Research Of Detecting Botnet Based On The Method Of Anomaly Detection

Posted on: 2013-10-19
Degree: Master
Type: Thesis
Country: China
Candidate: H F Wu
Full Text: PDF
GTID: 2248330374979631
Subject: Computer application technology
Abstract/Summary:
Botnets are one of the most serious threats to Internet security: they not only share the features of worms, Trojans and other malicious programs, but are also highly controllable. A botnet is regarded as the main platform for a variety of attacks, such as spam, distributed denial-of-service attacks, click fraud and phishing. With the development of the black industry chain of cybercrime, botnets have become the conveyor belt between network crimes. By topology, botnets can be divided into three models: centralized, random and P2P. The existing botnet detection models each have their own shortcomings for the various botnet structures; most methods can only detect a C&C (command and control) channel that is based on a specific protocol. Looking instead at the essential characteristics of a botnet: the malicious behaviour flows produced by all bot hosts in a botnet are similar and coordinated, and a running botnet necessarily generates both the C&C command flow and the malicious behaviour flow driven by the controller. In this paper we identify botnets by detecting synergistic behaviour flows and conversation flows, and can thus recognize botnets regardless of the protocol of their C&C channel or of their topology.

This paper introduces a botnet detection model that is independent of the C&C command mechanism and structure and does not require prior knowledge of the botnet. The model consists of three parts: analysis of the network coordinated-behaviour flow, analysis of the network conversation flow, and correlation analysis between the behaviour flow and the conversation flow. The behaviour-flow analysis and the conversation-flow analysis each produce a set of IP addresses, respectively the hosts that generate synergistic behaviour flows and the hosts that produce conversation flows; the two sets are then combined to identify the botnet.
During analysis, the collaborative-behaviour analysis module and the communication-session analysis module are mutually independent. Since network traffic changes periodically (with a 24-hour period), the synergistic-behaviour analysis treats 90 minutes as one cycle for sub-processing and computes the clustering threshold for the current period from a statistical analysis of the network flow characteristics of the preceding 24 hours. This not only raises the throughput of traffic processing but also makes the system adaptable to a variety of environments. In the network-traffic analysis module, this paper proposes the concept of a network traffic flow path, which provides a good foundation for session-level analysis of network traffic.
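As an added illustration (not code from the thesis), the Python sketch below implements the two independent modules and their correlation over constructed flow records: a 90-minute processing cycle whose threshold is derived from the preceding 24 hours, a minimum-distance grouping of anomalous hosts, a conversation module looking for long-lived sessions shared by several hosts, and the intersection of the two IP sets. The behaviour feature (distinct destinations per host per window), the threshold rule (mean plus two standard deviations), the cluster tolerance and the persistence limit are assumptions, since the abstract does not specify them.

```python
# Added example, not the thesis's code: the feature, thresholds and flows are assumptions.
from collections import Counter, defaultdict
from statistics import mean, pstdev
WINDOW = 90 * 60          # 90-minute processing cycle
BASELINE = 24 * 60 * 60   # threshold is learned from the preceding 24 hours

def build_flows():
    # Constructed (timestamp_s, src_ip, dst_ip) records: hosts 10.0.0.1-3 all talk to
    # one shared endpoint in every window and fan out to many targets in the last one
    flows = []
    for w in range(17):                                   # 16 baseline windows + current
        for i in range(1, 10):
            fan = 40 if (w == 16 and i <= 3) else 1 + i % 3
            dests = [f"198.51.100.{(7 * w + i + d) % 50}" for d in range(fan)]
            dests += ["203.0.113.7"] if i <= 3 else []
            flows += [(w * WINDOW + k, f"10.0.0.{i}", dst) for k, dst in enumerate(dests)]
    return flows

def fanout(flows, start):
    # Behaviour feature: distinct destinations per source host in one window
    dests = defaultdict(set)
    for t, src, dst in flows:
        if start <= t < start + WINDOW:
            dests[src].add(dst)
    return {h: len(d) for h, d in dests.items()}

def threshold(flows, now):
    # Clustering threshold for the current window from statistics of the previous 24 h
    vals = [v for s in range(now - BASELINE, now, WINDOW) for v in fanout(flows, s).values()]
    return mean(vals) + 2 * pstdev(vals)

def synergistic_hosts(flows, now, tol=5):
    # Behaviour module: anomalous hosts grouped by minimum distance; a lone host is dropped
    thr = threshold(flows, now)
    ranked = sorted((v, h) for h, v in fanout(flows, now).items() if v > thr)
    groups = [[]]
    for v, h in ranked:
        if groups[-1] and v - groups[-1][-1][0] > tol:    # nearest neighbour too far away
            groups.append([])
        groups[-1].append((v, h))
    return {h for g in groups if len(g) >= 2 for _, h in g}

def conversation_hosts(flows, now, min_windows=12):
    # Conversation module: long-lived (src, dst) sessions whose endpoint is shared
    seen = defaultdict(set)
    for t, src, dst in flows:
        if now - BASELINE <= t < now + WINDOW:
            seen[(src, dst)].add(t // WINDOW)
    persistent = {k for k, wins in seen.items() if len(wins) >= min_windows}
    shared = Counter(dst for _, dst in persistent)
    return {src for src, dst in persistent if shared[dst] >= 2}
```

The correlation step is the set intersection `synergistic_hosts(flows, now) & conversation_hosts(flows, now)`; on the constructed data only the three coordinated hosts survive it.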
Keywords/Search Tags: Botnet, Network traffic analysis, Minimum-distance principle, Threshold