
The Research Of Botnet Detecting Based On HTTP Protocol

Posted on: 2015-11-27
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Yang
GTID: 2298330431491337
Subject: Computer application technology
Abstract/Summary:
With the development of the internet, network security faces a growing threat, and various Trojans have continued to emerge in recent years. Botnets have become one of the major threats to network security because of their capabilities, including Distributed Denial of Service (DDoS) attacks, spam, phishing, worm spreading and theft of sensitive information. According to CNCERT's report, more than 0.74 million computers in China are under the control of botnets.

In their early stage, botnets mainly used the IRC protocol to establish a command and control (C&C) channel, but as researchers studied IRC-based bots further, those bots became easy to detect. Hence, attackers started to use the more complicated P2P and HTTP protocols to establish the C&C channel. As more and more bots based on these newer protocols emerge, new detection methods are needed. Terminal-based detection and network traffic-based detection are widely used for detecting IRC botnets and perform well.

This thesis first studies the background of botnets to gain a more comprehensive understanding of them and analyzes the behavior of HTTP bots. It then studies the DCA algorithm, and finally API HOOK technology. Building on this work and on earlier research on bot detection, the thesis proposes a method for detecting HTTP bots. The method uses API HOOK technology to intercept calls to the specific functions that bots must call to carry out their functions. The resulting function call sequences are mapped to the input signals of the DCA algorithm. The DCA algorithm produces its output, and the MCAV, the measure of how anomalous an antigen is, is calculated from that output. Finally, the MCAV is compared with an anomaly threshold, and the comparison determines whether the program is a bot.

Furthermore, a new anomaly indicator, MAC, is introduced and compared with MCAV. The experiments show that applying the DCA algorithm to HTTP bot detection in this way can find bots on infected computers. In addition, the experimental results indicate that using MAC as the anomaly indicator is more efficient than using MCAV.
Keywords/Search Tags: Bot, Bot Detection, DCA, Botnet
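
The pipeline the abstract describes (hooked calls mapped to DCA signals, MCAV computed from the output and compared with a threshold), as an added example that is not code from the thesis: a simplified deterministic dendritic cell algorithm run over one program's call trace. The call categories, signal weights, cell lifespans, the 0.5 threshold and both traces are assumptions constructed for illustration; the MAC indicator is not defined on this page and is not modelled.

```python
# Added example: simplified deterministic DCA over one program's hooked-call trace.
# Call categories, weights, lifespans and the threshold are assumptions.
SIGNALS = {  # category -> (danger, safe)
    "http_request": (2.0, 0.0),
    "proc_create": (3.0, 0.0),
    "file_write": (1.0, 0.0),
    "ui_input": (0.0, 2.0),
}

class DendriticCell:
    def __init__(self, lifespan):
        self.initial = lifespan
        self.reset()

    def reset(self):
        self.lifespan, self.k, self.sampled = self.initial, 0.0, 0

    def sample(self, danger, safe):
        """Collect one antigen with its signals; True means the cell migrates."""
        self.sampled += 1
        self.k += danger - 2.0 * safe   # context: > 0 matures, otherwise semi-mature
        self.lifespan -= danger + safe  # costimulation uses up the lifespan
        return self.lifespan <= 0

def mcav(trace, lifespans=(4.0, 6.0, 8.0)):
    """Fraction of antigen presentations made in a mature (anomalous) context."""
    cells = [DendriticCell(l) for l in lifespans]
    mature = total = 0
    for i, call in enumerate(trace):
        cell = cells[i % len(cells)]    # round-robin antigen sampling
        if cell.sample(*SIGNALS[call]):
            total += cell.sampled
            if cell.k > 0:
                mature += cell.sampled
            cell.reset()
    return mature / total if total else 0.0  # no migration yet: nothing to score

def is_bot(trace, threshold=0.5):
    return mcav(trace) > threshold

# Constructed traces, not captured data.
BOT_TRACE = ["http_request", "proc_create", "ui_input",
             "http_request", "file_write", "proc_create"] * 3
BROWSER_TRACE = ["ui_input", "http_request", "ui_input",
                 "file_write", "ui_input", "http_request"] * 3

if __name__ == "__main__":
    for name, trace in (("bot", BOT_TRACE), ("browser", BROWSER_TRACE)):
        print(name, round(mcav(trace), 3), is_bot(trace))
```

Cells that have not migrated by the end of a trace present nothing, so a very short trace yields no score; a detector built this way needs enough intercepted calls before the threshold comparison means anything.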