Research On Botnet C&C Testing And Evaluation System Based On Emulation

Posted on: 2013-07-15
Degree: Master
Type: Thesis
Country: China
Candidate: H S Li
Full Text: PDF
GTID: 2248330395480523
Subject: Computer application technology

Abstract/Summary:
In recent years, botnets have posed an increasing threat to network security. As the core of a botnet, the C&C (Command and Control) mechanism is the focus of botnet defense research. But existing research approaches, for instance theoretical analysis, simulation testing, and reverse engineering, are not comprehensive and dependable enough. To solve these problems, drawing on advanced research experience from abroad, this thesis establishes an emulation method for evaluating botnet C&C mechanisms and builds an evaluation system for the C&C mechanisms of large-scale botnets. It sets up a virtualized, reconfigurable emulation experiment network, deploys a benign botnet, evaluates its C&C mechanism in the experiment network, and then reaches a dependable verdict.

The major work completed in this paper and the research results achieved include:

According to the botnet workflow and the defensive measures that network defenders might take, this thesis derives a botnet's requirements for its C&C mechanism and builds a guide system for botnet C&C mechanisms. This establishes the theoretical basis for the design of the botnet C&C mechanism evaluation system.

To address the problem of using limited hardware resources to reproduce a botnet's operating environment, a reconfigurable experiment network construction scheme based on virtualization technology is proposed and implemented. It can build a larger-scale network with diverse topologies that contains the necessary background network traffic, and the experiment network can be controlled efficiently.

To address the problem of deploying and evaluating a large-scale benign botnet, a botnet emulation and evaluation scheme is designed. A virtual machine sharing mechanism achieves the emulation of large-scale botnets; a Sleep-Wake mechanism achieves the emulation of botnet spread and node cleanup; and a network communication dyeing mechanism solves the problem of data identification.

Based on the above research results, the prototype system designed in this paper is built on a server cluster. Two typical C&C mechanisms are evaluated, and the experimental results show that the system meets the desired design requirements.
Keywords/Search Tags: Botnet, C&C Mechanism, Guide System, Experiment Network, Evaluation