Research On Botnet Anti-evasion Technique Based On Fuzzy Clustering

Posted on: 2019-01-06
Degree: Master
Type: Thesis
Country: China
Candidate: X N Zhao
GTID: 2348330542987634
Subject: Computer Science and Technology
Abstract/Summary:
A botnet is an attack platform composed of a large number of controlled hosts, which attackers can use to carry out various types of attacks, such as distributed denial of service, spam, and phishing. As a result, botnets pose a serious threat to network security, and how to detect them accurately and efficiently has become a hot issue at home and abroad. To avoid detection and blocking, botnets adopt various evasion technologies to improve their viability, among which DNS-based evasion technology is the most widely used. At present, detection methods aimed at botnets that use DNS evasion technology have two main problems. First, each existing detection method achieves high detection efficiency only for a single type of botnet, so it cannot be applied to botnet detection in a real environment. Second, each detection method is independent and cannot be correlated with other botnet detection methods. In this regard, this paper presents a botnet anti-evasion technology based on fuzzy c-means, which addresses these problems in existing detection methods for botnets based on DNS evasion technology. The main work of this paper is as follows:

(1) To effectively detect botnets based on DNS evasion technology, this paper compares the characteristics of DNS queries for botnet domain names and normal domain names, and extracts 22 features that clearly distinguish botnet traffic from normal network traffic. Because features may overlap between different botnets, and because operating on high-dimensional features suffers from the curse of dimensionality, this paper also proposes a feature selection method that combines forward selection and backward elimination. The method consists of two steps: group exclusion and feature inclusion. The group exclusion step evaluates the contribution of each feature group and deletes the group that contributes the least to the overall accuracy. The feature inclusion step analyzes each feature in the worst-performing group, which was excluded by the previous step, and selects, one by one, the individual features that increase the overall accuracy. In the end, the 13 features with the highest detection efficiency are selected through experiments.

(2) An anti-evasion technique for botnets based on improved fuzzy c-means is proposed. Aimed at the three popular DNS evasion technologies, this method uses an improved fuzzy c-means algorithm based on intra-class distance and inter-class distance to detect botnets. During execution, the objective function of the algorithm uses the difference between intra-class distance and inter-class distance instead of the sample-to-cluster-center distance of traditional fuzzy c-means, and optimizes the expressions for the membership matrix and the cluster centers. The clustering effect of intra-class aggregation and inter-class dispersion can be achieved by adjusting the related parameters. Finally, we validate the effectiveness of the proposed method for botnet detection on the ISCX botnet data set. The experiments show that this method also has a high detection rate in a real network environment and can be used in practical applications.
Keywords/Search Tags:Botnet detection, Evasion technology, Feature selection, Fuzzy c-means
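
The two-step feature selection described in the abstract (group exclusion, then feature inclusion), as an added example that is not code from the thesis. The feature names, groups, sample rows and the nearest-centroid scoring function are assumptions made for illustration, and a single exclusion round is shown.

```python
# Added example: group exclusion followed by feature inclusion.
# Feature names, groups and rows are constructed; values are in arbitrary units.
GROUPS = {
    "volume": ["query_rate"],
    "structure": ["label_count"],
    "lexical": ["name_entropy", "name_length"],
}
# (feature vector, label): 0 = normal domain, 1 = botnet domain
ROWS = [
    ({"query_rate": 0, "label_count": 0, "name_entropy": 0, "name_length": 0}, 0),
    ({"query_rate": 3, "label_count": 0, "name_entropy": 0, "name_length": 0}, 0),
    ({"query_rate": 0, "label_count": 0, "name_entropy": 0, "name_length": 9}, 0),
    ({"query_rate": 3, "label_count": 1, "name_entropy": 3, "name_length": 9}, 1),
    ({"query_rate": 3, "label_count": 1, "name_entropy": 3, "name_length": 9}, 1),
    ({"query_rate": 3, "label_count": 1, "name_entropy": 3, "name_length": 0}, 1),
]

def accuracy(feats, rows=ROWS):
    """Nearest-centroid accuracy on `rows` using only `feats` (stand-in evaluator)."""
    cent = {}
    for y in {lbl for _, lbl in rows}:
        members = [x for x, lbl in rows if lbl == y]
        cent[y] = {f: sum(x[f] for x in members) / len(members) for f in feats}
    def predict(x):
        return min(cent, key=lambda y: sum((x[f] - cent[y][f]) ** 2 for f in feats))
    return sum(predict(x) == y for x, y in rows) / len(rows)

def select_features(groups=GROUPS, score=accuracy):
    """Return (excluded_group, kept_features, final_score)."""
    def without(g):
        return [f for name, fs in groups.items() if name != g for f in fs]
    # Step 1, group exclusion: the group contributing least is the one whose
    # removal leaves the highest score.
    worst = max(groups, key=lambda g: score(without(g)))
    kept = without(worst)
    best = score(kept)
    # Step 2, feature inclusion: re-admit features of the excluded group one by
    # one, keeping only those that raise the score.
    for f in groups[worst]:
        trial = score(kept + [f])
        if trial > best:
            kept, best = kept + [f], trial
    return worst, kept, best

if __name__ == "__main__":
    print(select_features())
```

On this constructed data the excluded group holds one feature that helps and one that misleads the distance computation, so the inclusion step recovers the first and leaves the second out.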