
The IRC Botnet Detection System Based On Cluster Analysis Techniques

Posted on: 2013-07-22
Degree: Master
Type: Thesis
Country: China
Candidate: H Q Liao
GTID: 2248330392452009
Subject: Software engineering
Abstract/Summary:
A botnet is a network of computers infected with a bot program and controlled by hackers. Hackers spread the bot program over the Internet to turn large numbers of normal computers into bots. The bot program provides remote control, which is used to launch large-scale DDoS attacks, send spam, steal confidential information, infect more computers, or serve other illegal purposes. The damage can be immense.

Among the wide variety of botnets, those based on the IRC (Internet Relay Chat) protocol are particularly harmful. The defining characteristic of an IRC botnet is that hackers communicate with the bot computers and send them control instructions over the IRC protocol; the IRC server is the central point of the botnet. The main IRC botnet detection methods at present are characteristic-code (signature) comparison and traffic-rate detection, which suffer from problems such as the lack of real-time capability and the great difficulty of analyzing unknown samples. Their detection accuracy is quite low.

In response to these problems, this thesis takes the analysis of IRC nickname naming rules and abnormal communication behavior as its starting point and completes the following main tasks:

1. In-depth analysis of the principles and working mechanism of IRC botnets. Based on IRC bot virus samples, rules are summarized for IRC bot nicknames (string length and the numbers of letters, digits and symbols) and for IRC protocol network traffic (total number of packets, total number of bytes, number of ports and other aspects).

2. On the basis of the Mahalanobis distance and Euclidean distance algorithms from cluster analysis, combined with the nickname rules and the abnormal behavior rules of IRC bots, two new algorithms are proposed. A test plan is defined for the two algorithms and for common Hit detection programs, in order to effectively improve detection accuracy and reduce the false alarm rate.

3. Design of a general-purpose IRC botnet detection prototype system based on a new algorithm. The design of the system's data acquisition, algorithm detection, algorithm interface, parameter management and system protection modules is elaborated, with the goal of correctly identifying botnet computers in the network and reducing the detection false alarm rate.

4. Testing validates the effect of the IRC botnet detection system based on cluster analysis technology and confirms the feasibility of the system. Practical application during the process is also analyzed.
Keywords/Search Tags: IRC botnets, malicious attacks, the feature vector detection, clustering technology
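
The nickname-feature idea from the abstract, as an added example that is not code from the thesis: nicknames are reduced to letter, digit and symbol counts and scored by Euclidean and Mahalanobis distance from a reference cluster of human-chosen nicknames. The sample nicknames, the threshold and all function names are constructed assumptions; the thesis's two algorithms are not given on this page.

```python
import math

# Constructed sample of human-chosen nicknames (not data from the thesis).
BENIGN = ["alice", "bob_87", "charlie", "dave42", "eve", "mallory_",
          "trent", "peggy99", "victor", "walter-x", "oscar", "heidi7"]
THRESHOLD = 4.0  # assumed cut-off; tune on real channel data

def features(nick):
    """Nickname -> [letters, digits, symbols]. Length is their sum, so it is
    omitted: a linearly dependent column makes the covariance singular."""
    letters = sum(c.isalpha() for c in nick)
    digits = sum(c.isdigit() for c in nick)
    return [letters, digits, len(nick) - letters - digits]

def fit(nicks, ridge=1e-3):
    """Return (mean, inverse covariance) of the reference cluster."""
    rows = [features(n) for n in nicks]
    n, d = len(rows), len(rows[0])
    mu = [sum(r[j] for r in rows) / n for j in range(d)]
    cov = [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / (n - 1)
            + (ridge if i == j else 0.0) for j in range(d)] for i in range(d)]
    # Gauss-Jordan inversion with partial pivoting on [cov | I].
    a = [cov[i] + [float(i == j) for j in range(d)] for i in range(d)]
    for c in range(d):
        p = max(range(c, d), key=lambda r: abs(a[r][c]))
        a[c], a[p] = a[p], a[c]
        pivot = a[c][c]
        a[c] = [x / pivot for x in a[c]]
        for r in range(d):
            if r != c:
                f = a[r][c]
                a[r] = [x - f * y for x, y in zip(a[r], a[c])]
    return mu, [row[d:] for row in a]

def distances(nick, mu, inv):
    """Return (euclidean, mahalanobis) distance of a nickname from the cluster."""
    v = [x - m for x, m in zip(features(nick), mu)]
    maha = math.sqrt(sum(v[i] * inv[i][j] * v[j]
                         for i in range(len(v)) for j in range(len(v))))
    return math.hypot(*v), maha

def is_suspicious(nick, model):
    return distances(nick, *model)[1] > THRESHOLD

MODEL = fit(BENIGN)
if __name__ == "__main__":
    for nick in ["carol_3", "[USA|XP]4829173", "DEU|00|7731204"]:  # constructed
        print(nick, distances(nick, *MODEL), is_suspicious(nick, MODEL))
```

The Mahalanobis score scales each count by how much it varies in the reference cluster, so a long run of digits stands out far more than the same deviation in letter count would.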