
The Research On Botnet Detection

Posted on: 2014-07-09
Degree: Master
Type: Thesis
Country: China
Candidate: X L Li
Full Text: PDF
GTID: 2268330401976786
Subject: Military Equipment

Abstract/Summary:
As a universal platform for network attacks, equipped with a variety of attack techniques, the botnet has become one of the most serious threats to Internet security. It harms the interests of users and enterprises, and even the information security of the country or the army. For this reason, research on botnet detection is a meaningful task.

In this thesis, based on an analysis of current botnet detection, three problems are studied: P2P botnet detection, bot detection, and the detection of domain names of Fast-Flux botnets. The main contributions of the thesis are as follows.

1. A P2P botnet detection method is proposed based on the features of communication flows. First, primary filtering of controlling flow-clusters is performed on the basis of these features, in view of the clustering results. Then the distribution similarity of the average packet length within a controlling flow-cluster is analysed, and the Bhattacharyya distance is used to extract the features. Next, the similarity coefficient of a flow-cluster is calculated according to the clustering coefficient, so that P2P botnet controlling flow-clusters can be distinguished. Finally, a P2P botnet detection algorithm is designed. The results show that the method does not rely on malicious attack behaviour, can detect a single zombie, and achieves high detection efficiency and detection rates.

2. A bot detection method is proposed based on behaviour characteristics. According to the features of DNS query activities, the interactive relationship of person-computer-network is analysed by combining the network connections involving the DNS query with the self-starting action characteristic, in order to filter and trigger alarms. Information entropy is used to extract the features and the pattern of DNS reaction activities, and a Bot_DNS reaction classifier is modelled using a support vector machine. Finally, a bot detection algorithm is proposed based on this method. The false positive rate is proved to be low, and the detection efficiency and effect are good, independent of the protocol adopted by the botnet.

3. A detection method for Fast-Flux botnet domain names is proposed. Based on an analysis of the domain name features of Fast-Flux botnets, four characteristics of three types are selected to detect Fast-Flux domain names: the proxy distribution characteristics, the structural characteristics of the domain name, and the features of service quality (the TTL characteristics and the agent status characteristics), which are measured by the Moran index, the Bhattacharyya distance and the online rate of agents respectively. The extracted features are viewed as feature vectors and trained with an SVM to serve as the domain name classifier. The results show that the proposed method can find Fast-Flux botnet domain names efficiently.

4. A botnet detection prototype system is designed and implemented, focusing on the design of the overall structure, the processes and the core modules.

Finally, the work of the thesis is summarised, and the development prospects of botnet detection technology and future research directions are suggested.
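The Bhattacharyya distance is the measure the abstract uses twice: in contribution 1 to compare the average packet-length distributions of flows inside a controlling flow-cluster, and in contribution 3 as one of the service-quality measures over a domain's TTL values. The following is an added example, not code from the thesis: it computes the distance over fixed-width histograms, scores a cluster by its mean pairwise Bhattacharyya coefficient, and applies the same measure to TTL samples. All sample flows, TTL values, the bin widths and the 0.8 cluster threshold are constructed assumptions for illustration; the thesis's own clustering coefficient and feature thresholds are not given on this page.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed sample data (not measurements from the thesis). Each list holds the
# average packet length in bytes of one flow; bot flows are deliberately narrow
# (keep-alive style), the browsing flow is broad.
BOT_FLOW_A = [100, 104, 108, 112, 100, 104, 108, 112]
BOT_FLOW_B = [96, 100, 120, 124, 98, 110]
BOT_FLOW_C = [102, 106, 118, 90, 127]
WEB_FLOW = [60, 1460, 1460, 500, 1200, 80, 1460, 300]

# Constructed DNS TTL samples (seconds) for three domains: two with short,
# fast-flux-like TTLs and one with stable day-long TTLs.
FLUX_TTLS_A = [300, 180, 300, 60, 120]
FLUX_TTLS_B = [60, 120, 300]
STABLE_TTLS = [86400, 43200, 86400, 86400]


def histogram(values, bin_width):
    """Normalised histogram over fixed-width bins: {bin_index: probability}."""
    if not values:
        raise ValueError("empty sample")
    counts = Counter(int(v // bin_width) for v in values)
    total = sum(counts.values())
    return {b: c / total for b, c in counts.items()}


def bhattacharyya_coefficient(p, q):
    """BC = sum_i sqrt(p_i * q_i): 1.0 for identical distributions, 0 for disjoint ones."""
    return sum(math.sqrt(p[b] * q[b]) for b in p.keys() & q.keys())


def bhattacharyya_distance(p, q):
    """D_B = -ln(BC): 0 means identical, inf means the supports do not overlap."""
    bc = bhattacharyya_coefficient(p, q)
    return math.inf if bc <= 0.0 else -math.log(bc)


def packet_length_distance(flow_a, flow_b, bin_width=64):
    """Distance between the packet-length distributions of two flows (64-byte bins, assumed)."""
    return bhattacharyya_distance(histogram(flow_a, bin_width), histogram(flow_b, bin_width))


def cluster_similarity(flows, bin_width=64):
    """Mean pairwise Bhattacharyya coefficient over all flows in a cluster.

    A value close to 1.0 means the flows share one packet-length profile, the
    kind of uniformity expected of a controlling flow-cluster. This is a simple
    stand-in for the similarity coefficient described in the abstract.
    """
    hists = [histogram(f, bin_width) for f in flows]
    pairs = list(combinations(hists, 2))
    if not pairs:
        return 1.0
    return sum(bhattacharyya_coefficient(p, q) for p, q in pairs) / len(pairs)


def is_candidate_control_cluster(flows, threshold=0.8, bin_width=64):
    """Assumed rule: flag a cluster whose flows are uniform enough for closer analysis."""
    return cluster_similarity(flows, bin_width) >= threshold


def ttl_distance(ttls_a, ttls_b, bin_width=600):
    """Same measure applied to DNS TTL samples of two domains (10-minute bins, assumed)."""
    return bhattacharyya_distance(histogram(ttls_a, bin_width), histogram(ttls_b, bin_width))


if __name__ == "__main__":
    print("bot vs bot packet lengths:", round(packet_length_distance(BOT_FLOW_A, BOT_FLOW_B), 4))
    print("bot vs web packet lengths:", round(packet_length_distance(BOT_FLOW_A, WEB_FLOW), 4))
    print("uniform cluster flagged:", is_candidate_control_cluster([BOT_FLOW_A, BOT_FLOW_B, BOT_FLOW_C]))
    print("mixed cluster flagged:", is_candidate_control_cluster([BOT_FLOW_A, WEB_FLOW, BOT_FLOW_C]))
    print("flux vs flux TTL:", ttl_distance(FLUX_TTLS_A, FLUX_TTLS_B))
    print("flux vs stable TTL:", ttl_distance(FLUX_TTLS_A, STABLE_TTLS))
```

Binning is what makes the measure usable on raw samples: without it two flows that never repeat an exact length would always look disjoint. The bin width is therefore a tuning choice that trades resolution against robustness to jitter, and an infinite distance simply records that two samples share no bin at all.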
Keywords/Search Tags: P2P Botnet, Controlling Flow-Cluster, Bot, DNS Reaction Behavior, Fast-Flux Botnet, Detection Technology