
Research And Implementation Of Botnet Detection System Based On Temporal-Spatial Correlation

Posted on: 2017-10-25
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Chen
Full Text: PDF
GTID: 2348330491464004
Subject: Computer Science and Technology
Abstract/Summary:
A botnet is a collection of Internet-connected bot programs that communicate with one another mainly through command-and-control (C&C) channels in order to carry out attack tasks such as DDoS attacks and spam campaigns, and it has become a major threat to Internet security. As botnet technology develops rapidly, new bot variants emerge in an endless stream, and botnet detection technology is constantly updated in response. So far, however, no single method can detect all types of botnets; each method performs well only on some of the bot samples or on particular bot families. Three observations can be drawn from the joint evolution of botnets and their detection: to improve robustness and resistance to detection, more and more botnet controllers use encrypted communication to evade detection; controllers issue their commands over C&C channels to control the bots, so C&C traffic characterizes the existence of a botnet well; and because bots act as a group under a cooperative working mechanism, the message responses or behavior responses of the hosts within a botnet exhibit temporal-spatial correlation.

Facing these problems, this paper studies three parts: identification of encrypted traffic, detection of C&C communication traffic, and temporal-spatial correlation analysis of botnets. On this basis, we also design and implement a botnet detection system based on temporal-spatial correlation. The main contents of this paper are as follows:

(1) The chaotic characteristics and randomness of a payload change greatly before and after encryption. Based on this fact, we propose a flow-based method for encrypted traffic identification that uses relative entropy and the Monte Carlo pi error as features. Compared with a method that uses relative entropy alone as the feature vector, our method achieves higher accuracy and a lower false alarm rate.

(2) Traffic between HTTP-based bots and the C&C server has a different set of attributes from traffic between normal network hosts, so after extracting the discriminative characteristics, we process the network traffic with a comprehensive analysis method to detect the C&C communication of botnets.

(3) After analyzing the temporal-spatial correlation of botnets, we use a Bloom filter for IP aggregation and a sequential probability ratio test (SPRT) based on kernel density estimation over response groups to implement the detection system, and at the same time we analyze the network to determine whether botnets are present. Experimental results show that this method detects botnets effectively and keeps the false positive rate and false negative rate within a controlled range.
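As an added illustration of part (1), not code from the thesis, the following Python computes the two payload features the abstract names and applies a threshold rule to a constructed plaintext HTTP request and a constructed pseudo-random payload standing in for ciphertext. Assumptions: "relative entropy" is taken as the KL divergence between the observed byte distribution and the uniform distribution (8 - H in bits), the Monte Carlo pi error follows the `ent` tool's convention (6 bytes per point, 24-bit coordinates), and the thresholds are illustrative, not the thesis's values.

```python
import math
import random
from collections import Counter

# Constructed samples (not from the thesis): a repeated plaintext HTTP request,
# and seeded pseudo-random bytes standing in for an encrypted C&C payload.
SAMPLE_LEN = 65536
_PLAINTEXT_UNIT = (b"GET /gate.php?id=42&ver=1.0 HTTP/1.1\r\n"
                   b"Host: update.example.invalid\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")
PLAINTEXT_SAMPLE = (_PLAINTEXT_UNIT * (SAMPLE_LEN // len(_PLAINTEXT_UNIT) + 1))[:SAMPLE_LEN]
_rng = random.Random(1337)  # fixed seed so the example is reproducible
ENCRYPTED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(SAMPLE_LEN))


def byte_relative_entropy(data: bytes) -> float:
    """KL divergence D(P || U) in bits between the observed byte distribution P
    and the uniform distribution U over 256 symbols (equal to 8 - H(P)).
    Near 0 for ciphertext; several bits for text or structured protocols."""
    if not data:
        raise ValueError("empty payload")
    n = len(data)
    return sum((c / n) * math.log2((c / n) * 256) for c in Counter(data).values())


def monte_carlo_pi_error(data: bytes, bytes_per_point: int = 6) -> float:
    """Monte Carlo pi estimate in the style of the 'ent' tool: each 6-byte chunk
    gives an (x, y) point with 24-bit coordinates, and the fraction of points
    inside the quarter circle of radius 2**24 - 1 estimates pi/4.  Returns the
    relative error |pi_est - pi| / pi.  Random bytes give a small error; an
    ASCII-only payload keeps both coordinates below half the range, so every
    point lands 'inside' and pi_est degenerates to 4.0."""
    half = bytes_per_point // 2
    radius_sq = float((256 ** half - 1) ** 2)
    total = inside = 0
    for i in range(0, len(data) - bytes_per_point + 1, bytes_per_point):
        x = int.from_bytes(data[i:i + half], "big")
        y = int.from_bytes(data[i + half:i + bytes_per_point], "big")
        total += 1
        if x * x + y * y <= radius_sq:
            inside += 1
    if total == 0:
        raise ValueError("payload too short for a Monte Carlo estimate")
    pi_est = 4.0 * inside / total
    return abs(pi_est - math.pi) / math.pi


def payload_features(data: bytes) -> dict:
    """Feature vector for one flow payload."""
    return {
        "relative_entropy": byte_relative_entropy(data),
        "pi_error": monte_carlo_pi_error(data),
    }


def looks_encrypted(data: bytes, max_rel_entropy: float = 0.5,
                    max_pi_error: float = 0.05) -> bool:
    """Flag a payload as encrypted only if BOTH features look random.
    The thresholds are illustrative assumptions, not values from the thesis."""
    f = payload_features(data)
    return f["relative_entropy"] <= max_rel_entropy and f["pi_error"] <= max_pi_error


if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        f = payload_features(sample)
        print(f"{name:10s} D(P||U)={f['relative_entropy']:.3f} bits  "
              f"pi_err={f['pi_error']:.4f}  encrypted={looks_encrypted(sample)}")
```

Entropy alone is known to confuse compressed payloads (gzip bodies, images) with ciphertext; that is the false-alarm source a second randomness feature is meant to help with, and any deployment should be validated against such traffic before the thresholds are trusted.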
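As an added illustration of part (3), again not the thesis's own code, the following Python builds temporal-spatial response groups from a constructed response log and runs Wald's SPRT per host. Assumptions: a response group is a set of responses to the same destination within a 2-second window, a group is "synchronized" when it spans at least three distinct hosts, and instead of the kernel-density likelihoods the thesis uses, each host's observations are modelled as Bernoulli trials (probability of joining a synchronized group theta1 = 0.8 for a bot, theta0 = 0.2 for a benign host, alpha = beta = 0.01). Plain sets stand in for the Bloom filter used for IP aggregation.

```python
import math
from collections import defaultdict

# Constructed response log (not from the thesis): (timestamp_s, src_ip, dst_ip).
# 10.0.0.11-13 answer the same controller within a second of each other;
# 10.0.0.50 is an ordinary client that once coincides with them.
EVENTS = [
    (100.0, "10.0.0.11", "203.0.113.5"), (100.3, "10.0.0.12", "203.0.113.5"), (100.7, "10.0.0.13", "203.0.113.5"),
    (117.5, "10.0.0.50", "198.51.100.9"),
    (160.1, "10.0.0.11", "203.0.113.5"), (160.2, "10.0.0.12", "203.0.113.5"), (160.9, "10.0.0.13", "203.0.113.5"),
    (160.4, "10.0.0.50", "203.0.113.5"),  # benign host happens to hit the same server in the window
    (203.0, "10.0.0.50", "198.51.100.9"),
    (220.0, "10.0.0.11", "203.0.113.5"), (220.4, "10.0.0.12", "203.0.113.5"), (220.6, "10.0.0.13", "203.0.113.5"),
    (251.3, "10.0.0.50", "192.0.2.77"),
    (280.2, "10.0.0.11", "203.0.113.5"), (280.5, "10.0.0.12", "203.0.113.5"), (280.8, "10.0.0.13", "203.0.113.5"),
    (299.9, "10.0.0.50", "198.51.100.9"),
    (330.0, "10.0.0.50", "192.0.2.77"),
    (340.0, "10.0.0.11", "203.0.113.5"), (340.1, "10.0.0.12", "203.0.113.5"), (340.3, "10.0.0.13", "203.0.113.5"),
]


def response_groups(events, window=2.0, min_hosts=3):
    """Temporal-spatial grouping (assumed definition): responses to the same
    destination within `window` seconds of the group's first response form one
    group; it is 'synchronized' if at least `min_hosts` distinct hosts joined."""
    groups = []
    for dst in sorted({e[2] for e in events}):
        current = None
        for ts, src, _ in sorted(e for e in events if e[2] == dst):
            if current is None or ts - current["start"] > window:
                current = {"dst": dst, "start": ts, "hosts": set()}
                groups.append(current)
            current["hosts"].add(src)
    for g in groups:
        g["synchronized"] = len(g["hosts"]) >= min_hosts
    return groups


def host_observations(groups):
    """Per host, the time-ordered sequence of 1 (joined a synchronized group)
    and 0 (responded alone or in a small group)."""
    obs = defaultdict(list)
    for g in sorted(groups, key=lambda g: g["start"]):
        for h in g["hosts"]:
            obs[h].append(1 if g["synchronized"] else 0)
    return dict(obs)


def sprt(observations, theta1=0.8, theta0=0.2, alpha=0.01, beta=0.01):
    """Wald's SPRT on Bernoulli observations.  H1: P(sync) = theta1 (bot),
    H0: P(sync) = theta0 (benign).  Stops as soon as the log-likelihood ratio
    crosses ln((1-beta)/alpha) (accept H1) or ln(beta/(1-alpha)) (accept H0).
    Returns (decision, observations_used, final_llr)."""
    upper = math.log((1 - beta) / alpha)
    lower = math.log(beta / (1 - alpha))
    llr = 0.0
    for n, x in enumerate(observations, 1):
        llr += math.log(theta1 / theta0) if x else math.log((1 - theta1) / (1 - theta0))
        if llr >= upper:
            return "bot", n, llr
        if llr <= lower:
            return "benign", n, llr
    return "undecided", len(observations), llr


def classify_hosts(events, **sprt_params):
    """Group the log, then run the SPRT for every host seen."""
    return {h: sprt(o, **sprt_params)[0]
            for h, o in host_observations(response_groups(events)).items()}


if __name__ == "__main__":
    for host, verdict in sorted(classify_hosts(EVENTS).items()):
        print(f"{host:12s} {verdict}")
```

With these parameters each synchronized response adds ln(4) to the ratio, so a bot is flagged after four synchronized groups, while a single coincidence by the benign host is outweighed by its later lone responses; alpha bounds the false positive rate and beta the false negative rate of each per-host decision, which is what "within a controlled range" means operationally.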
Keywords/Search Tags:Botnet detection, Encrypted traffic identification, C&C communication detection, Temporal-spatial correlation