
Botnet Detection Based On Degree Distribution Of Node And Abnormity Of Network Flow

Posted on: 2015-09-08
Degree: Master
Type: Thesis
Country: China
Candidate: L Yang
GTID: 2298330467483269
Subject: Computer applications

Abstract/Summary:
In recent years, criminal activity on networks has become increasingly rampant, and its methods have become increasingly diverse and sophisticated. Because they spread widely, operate efficiently and are well concealed, botnets have undoubtedly been the most frequently used attack platform, and they have become one of the most serious threats to the Internet. Botnets are widely used to launch malicious network activities such as distributed denial-of-service (DDoS) attacks, spam, phishing and theft of sensitive information. Botnet detection has therefore become one of the focuses of the network security field, and research on it is important for protecting network security.

There are two main research directions in botnet detection techniques: one is establishing honeypots or honeynets, the other is passive network traffic monitoring and analysis. At present, most researchers concentrate on the latter. The key to botnet detection based on passive network traffic monitoring is to capture the features of botnet traffic accurately. This paper generalizes and summarizes the features of the dialog flows in botnet traffic by studying the features of different kinds of botnet traffic, and on this basis proposes a botnet detection system based on the Network Cell.

In studying the features of botnet dialog flows, we first extracted the dialog flows from the network packets, then summarized their features by examining the number of dialog flows in botnet traffic and their degree. We introduced the concept of the degree of a node based on the dialog flow, analyzed the attack patterns of bot nodes and the characteristics of command-and-control (C&C) traffic, derived a feature vector to describe the characteristics of botnet traffic, and used a data mining scheme to model and analyze the feature vectors.

The botnet detection system based on the Network Cell is proposed on the basis of research into the differences between normal Network Cells and botnet Network Cells. In this research, we cluster similar network packets to form one Network Cell after another. Combining the conclusions drawn from the research on the features of dialog flows, we compared and analyzed the characteristics of normal and botnet Network Cells and derived four indicators that reflect abnormal conditions in the monitored traffic. Using the diagnosis table, we can conclude whether or not a botnet is present. To evaluate the effectiveness and availability of the proposed detection system, we carried out a series of experiments. The experimental results confirm that the detection system is efficient and reliable and has higher accuracy. Moreover, the open model of the Network Cell has important pioneering significance for botnet detection techniques based on passive network traffic monitoring.
Keywords/Search Tags: botnet detection, degree of node, dialog flow, Network Cell, Network Tissue