
Research And Implementation Of P2P Bot Detection Based On Association Of Host And Network

Posted on: 2011-08-23
Degree: Master
Type: Thesis
Country: China
Candidate: X J Ding
Full Text: PDF
GTID: 2248330395957805
Subject: Computer application technology
Abstract/Summary:
With the rapid development of information technology, the Internet has become essential to everyday life. While enjoying the advantages of the Internet, people have also noticed the security problems it brings. Botnets have become one of the most serious threats to network security in modern society, and botnets that use P2P technology in particular have become the focus of the botnet detection field. How to detect and prevent P2P botnets effectively has become an urgent research topic for security research organizations. Current botnet detection methods mostly concentrate on IRC botnets, whereas detection methods for P2P botnets are still at the research stage and not yet effective, so research on P2P botnet detection is instructive. In order to fight P2P botnets, improve the protection capacity of hosts and ensure the security of local area networks, we need to keep proposing more powerful and more effective detection methods.

To address the threat of botnets, and building on existing research, we propose a method based on the association of host and network, composed of host-side detection and server-side detection. The method detects P2P bots according to their behavior characteristics in different states: it not only detects active-state P2P bots on a host rapidly, but also detects stable-state P2P bots on a server, overcoming the ineffectiveness of other methods in the stable state. First, in host-based detection, we describe the traffic characteristics of P2P applications and design a P2P traffic identification algorithm; we also monitor the API function calls of a process using Detours technology and design an algorithm, based on the N-gram model, for extracting feature substrings from a process's API function call sequence; then, using LDA analysis, we design a method that distinguishes normal programs from P2P bots by the feature substring probabilities of the process.

Second, in server-based detection, we extract the communication characteristics of P2P bots in the stable state and design a periodic traffic detection method based on the principle of autocorrelation; we then design a P2P bot identification method using cluster analysis and structure tests. Third, combining these two methods, we propose a novel P2P bot detection method based on the association of host and network. After analyzing the functional requirements of a P2P bot detector system, we implement a P2P Bot Detector prototype system based on the proposed method. This detection system can monitor hosts in a LAN and detect P2P bot hosts in a timely manner, achieving the goal of host security protection. A series of experiments shows that our detection methods achieve a high detection rate, and both host-based and server-based detection produce good results.
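The server-side periodic traffic detection described above rests on autocorrelation: a host whose stable-state bot sends keep-alives at a fixed interval shows a strong autocorrelation peak at the lag equal to that interval, while ordinary traffic does not. The following is an added illustration of that principle and is not code from the thesis or its prototype; the 0.5 decision threshold, the bin sizes and the constructed traffic series are assumptions for the example.

```python
import random


def autocorrelation(series, lag):
    """Normalised autocorrelation r(lag) of a mean-centred series, in [-1, 1]."""
    n = len(series)
    mean = sum(series) / n
    denom = sum((x - mean) ** 2 for x in series)
    if denom == 0:  # constant traffic volume: no periodic structure to find
        return 0.0
    num = sum((series[t] - mean) * (series[t + lag] - mean) for t in range(n - lag))
    return num / denom


def detect_period(series, min_lag=1, max_lag=None, threshold=0.5):
    """Return (is_periodic, best_lag, peak_r).

    The candidate period is the lag with the largest autocorrelation; the
    traffic is flagged periodic when that peak reaches the threshold
    (assumed value for this example, not taken from the thesis).
    """
    if max_lag is None:
        max_lag = len(series) // 2  # lags beyond n/2 have too few sample pairs
    best_lag, peak = None, float("-inf")
    for lag in range(min_lag, max_lag + 1):
        r = autocorrelation(series, lag)
        if r > peak:
            best_lag, peak = lag, r
    return (peak >= threshold, best_lag, peak)


def constructed_traffic(bins=600, beacon_period=30, beacon_bytes=20, seed=7):
    """Constructed sample data: per-bin byte counts for two hosts.

    `bot` sends a keep-alive of `beacon_bytes` every `beacon_period` bins on
    top of light background noise; `benign` is uniform random traffic.
    """
    rng = random.Random(seed)
    bot = [rng.randint(0, 2) + (beacon_bytes if t % beacon_period == 0 else 0)
           for t in range(bins)]
    benign = [rng.randint(0, 10) for _ in range(bins)]
    return bot, benign


if __name__ == "__main__":
    bot, benign = constructed_traffic()
    print("bot    :", detect_period(bot))     # periodic, lag 30
    print("benign :", detect_period(benign))  # not periodic
```

On the constructed series the bot host is reported with a period of 30 bins and a peak autocorrelation near 0.9, while the benign host stays well below the threshold; a constant series (zero variance) is reported as not periodic rather than dividing by zero.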
Keywords/Search Tags:P2P Bot, API function sequence, Feature substring, Autocorrelation, Periodicity