Botnets are recognized as one of the most serious network security threats. A botnet is a platform that, by spreading malicious code (computer viruses, worms, Trojans), finds susceptible nodes, adds them into its control network, and uses these nodes to carry out large-scale malicious attacks. Because botnets are far more concealed and destructive than common network attacks, in recent years they have become the main vehicle of attacks on the Internet.

Early botnets were mostly based on the IRC and HTTP protocols, with their nodes controlled from a center. By distributing control messages, weak nodes were easily infected and added into the network. At this stage, botnet data transmission was mainly based on fixed ports and special protocols (protocols carrying a key string). By monitoring the special port and identifying the key string in the protocol, such botnets could be caught efficiently. With the development of P2P technology and of botnets themselves, the P2P botnet appeared, built on a new structure and a new communication model without a central node. It improves on the structure of the traditional botnet, which relies on a central node for command and control distribution, and it brings new difficulties to botnet detection.

At present, P2P botnet detection methods are mainly divided into four categories: host-based detection, net-flow-based detection, protocol-based detection and behavior-based detection. The first monitors malicious code and suspicious activities on the host; it gives good results on P2P botnets that have a control center, but is useless for the others. The last two detect P2P botnets separately, by protocol identification and by application feature identification; these methods work well on P2P botnets with a special protocol, but do not suit all kinds of P2P botnets.

Net-flow-based detection finds the difference between P2P botnet flows and other flows by analyzing the rules of the net flows, and it works well. However, related methods do not analyze the dynamic features of P2P botnets. Building on the work of other researchers, this paper presents a P2P botnet detection method based on data flow feature vector recognition, which targets the dynamic features of P2P botnet flows. Since there are far more normal flows than malicious flows on the Internet, and their source or destination can hardly be bot nodes, we first construct a black-white-grey list to filter out normal network data flows; then, combining a port rules library and a protocol feature library, we find the typical flows and identify the suspicious traffic data. This preprocessing reduces the number of analysis samples and helps in constructing the vectors. After that, we classify the flows by source and destination and analyze their dynamic features along the time dimension (crosswise) and across flow features (vertically), such as the speed of packet number and the change rate of that speed, and the speed of packet size and the change rate of that speed. Then we classify the sample data again, and by comparing against the threshold obtained in testing, we can identify the nodes of the P2P botnet efficiently.
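The pipeline described above (black-white-grey filtering, per-pair flow feature vectors of packet-rate and byte-rate with their change rates, then threshold comparison), as an added illustration that is not the paper's own code. The flow records, host lists and threshold bands are constructed for the example; the port rules and protocol feature library step is omitted.

```python
from collections import defaultdict

WINDOW_SECONDS = 10  # constructed: every record summarizes one 10 s window
# Constructed records (window_index, src, dst, packets, bytes); synthetic values.
FLOWS = [
    (0, "10.0.0.5", "10.0.0.9", 40, 24000), (1, "10.0.0.5", "10.0.0.9", 42, 25200),
    (2, "10.0.0.5", "10.0.0.9", 41, 24600), (3, "10.0.0.5", "10.0.0.9", 40, 24000),
    (0, "10.0.0.7", "10.0.0.3", 5, 800),    (1, "10.0.0.7", "10.0.0.3", 60, 90000),
    (2, "10.0.0.7", "10.0.0.3", 2, 300),    (3, "10.0.0.7", "10.0.0.3", 55, 82000),
    (0, "10.0.0.2", "10.0.0.9", 100, 150000),  # touches a whitelisted host
]
WHITELIST = {"10.0.0.2"}  # assumed known-good hosts (white list)
BLACKLIST = set()         # assumed known-bad hosts (black list); none in this sample

def grey_flows(flows, whitelist, blacklist):
    """Black-white-grey filter: keep only flows whose endpoints are on neither list."""
    known = whitelist | blacklist
    return [f for f in flows if f[1] not in known and f[2] not in known]

def feature_vectors(flows, window=WINDOW_SECONDS):
    """Per (src, dst) pair and window: packet rate, its change rate, byte rate, its change rate."""
    by_pair = defaultdict(dict)
    for w, src, dst, pkts, nbytes in flows:
        by_pair[(src, dst)][w] = (pkts / window, nbytes / window)
    vectors = {}
    for pair, windows in by_pair.items():
        prev_p, prev_b = windows[min(windows)]
        vec = []
        for w in sorted(windows):
            p_rate, b_rate = windows[w]
            vec.append((p_rate, (p_rate - prev_p) / window, b_rate, (b_rate - prev_b) / window))
            prev_p, prev_b = p_rate, b_rate
        vectors[pair] = vec
    return vectors

def summarize(vec):
    """Mean of |feature| over all windows, one value per feature."""
    return tuple(sum(abs(v[i]) for v in vec) / len(vec) for i in range(4))

def classify(vectors, bounds):
    """A pair is flagged when every summarized feature lies within its (low, high) band."""
    return {pair: all(lo <= s <= hi for s, (lo, hi) in zip(summarize(vec), bounds))
            for pair, vec in vectors.items()}

# Assumed threshold bands standing in for the ones the paper derives from testing.
BOUNDS = [(3.0, 5.0), (0.0, 0.05), (2000.0, 3000.0), (0.0, 30.0)]

def detect(flows=FLOWS, whitelist=WHITELIST, blacklist=BLACKLIST, bounds=BOUNDS):
    hits = classify(feature_vectors(grey_flows(flows, whitelist, blacklist)), bounds)
    return {pair for pair, flagged in hits.items() if flagged}
```

With the sample data, the steady 10.0.0.5 to 10.0.0.9 pair falls inside every band and is flagged, while the bursty 10.0.0.7 to 10.0.0.3 pair fails the packet-rate change-rate band.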