Research On Detection Of Peer-to-Peer Botnet

Posted on: 2013-10-30
Degree: Master
Type: Thesis
Country: China
Candidate: S Zhang
GTID: 2268330392969495
Subject: Computer technology
Abstract/Summary:
Botnets are now a major threat to network security. Once a host is infected, controllers can control the PC over the Internet and carry out malicious behaviors against both the Internet and the PC. Many techniques have been used to make botnets much more difficult to detect, especially the new network structure based on Peer-to-Peer communication protocols. Centralization is no longer a feature of the botnet, which makes detection methods based on network flow clustering unavailable.

This paper analyzes the characteristics of P2P botnets and focuses on two points as research objects: the Peer-to-Peer communication protocol, and the malicious behaviors a botnet can carry out.

Through analysis of the P2P protocol, a multiple-filtering method was used to identify P2P traffic. Popular methods such as neural networks and self-learning methods have higher accuracy in P2P traffic identification, but due to the limitations of the training samples, the C&C traffic caused by botnets cannot be identified very well. So this paper uses port detection, application-layer signature feature detection and P2P flow feature detection to identify P2P traffic.

Botnets exhibit many kinds of malicious behaviors; this paper focuses on three main behaviors for testing: port scanning, distributed denial-of-service attacks and sending spam. The CUSUM algorithm was used to detect port scanning and DDoS. SMTP characteristics were used to detect spam. Finally, the results were combined to decide whether a botnet is present.

Two traffic sets were used to test this system: one is the LBNL-trace traffic, the other is lab traffic. The experimental results show that P2P botnets can be detected efficiently.
Keywords/Search Tags: P2P Botnet, P2P traffic filtering, Port scanning detection, DDoS detection, Spam detection
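
The abstract names CUSUM for port-scan and DDoS detection but gives no parameters. The following is an added example, not code from the thesis: a one-sided non-parametric CUSUM over per-interval counts, showing why a sustained moderate rise alarms while a larger one-off burst does not. The input metric (distinct destination ports a host contacts per window), the training window, slack and threshold are all assumptions, and the sample counts are constructed.

```python
"""One-sided non-parametric CUSUM over per-interval counts for one host.

Assumed input (not specified in the abstract): the number of distinct
destination ports a host attempted to contact in each fixed time window.
"""
from statistics import mean, pstdev


def cusum_alarms(counts, train=10, slack=1.0, threshold=8.0):
    """Return (alarm_indices, scores).

    counts    -- per-interval observations x_n
    train     -- leading intervals assumed benign, used for the baseline
    slack     -- upward drift tolerated per interval, in standard deviations
    threshold -- decision level h, in standard deviations
    All three parameters are illustrative, not values from the thesis.
    """
    if len(counts) <= train:
        raise ValueError("need more samples than the training window")
    mu = mean(counts[:train])
    sigma = pstdev(counts[:train]) or 1.0  # avoid a zero scale on a flat baseline
    score, scores, alarms = 0.0, [], []
    for i, x in enumerate(counts):
        if i < train:
            scores.append(0.0)
            continue
        z = (x - mu) / sigma
        # Accumulate only deviation above the slack; clamp at zero so that
        # quiet periods do not build up "credit" that would hide a later rise.
        score = max(0.0, score + z - slack)
        scores.append(score)
        if score > threshold:
            alarms.append(i)
            score = 0.0  # restart after an alarm so later events are still seen
    return alarms, scores


# Constructed sample data: ten benign intervals, then three different tails.
BASELINE = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]
QUIET = BASELINE + [4, 3, 5, 2, 4, 3]   # normal fluctuation
SPIKE = BASELINE + [4, 3, 9, 3, 4, 2]   # single burst, then back to normal
SCAN = BASELINE + [4, 3, 6, 7, 8]       # sustained rise, each value below 9

if __name__ == "__main__":
    for name, series in (("quiet", QUIET), ("spike", SPIKE), ("scan", SCAN)):
        alarms, scores = cusum_alarms(series)
        print(name, "alarms at", alarms, "final score", round(scores[-1], 2))
```

With these constructed series only the sustained rise raises an alarm, even though every value in it is lower than the isolated burst.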