
Research On Fast-Flux Botnet Detection Method Based On Network Traffic

Posted on: 2019-03-31
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Wang
Full Text: PDF
GTID: 2348330569995549
Subject: Engineering
Abstract/Summary:
Fast-Flux technology rapidly changes the IP addresses associated with a domain name in order to make attackers harder to trace. As a result, attackers are increasingly inclined to apply Fast-Flux technology to botnets so as to escape tracking and detection by security researchers, and how to detect Fast-Flux botnets effectively has become a hot issue in the field of network security. Most existing detection methods focus on traffic analysis. They can recognize Fast-Flux botnets to some extent, but they suffer from high false positive and false negative rates, and their verification environment is offline. Therefore, how to detect Fast-Flux botnets effectively in a real high-speed network environment is an urgent problem to be solved.

To solve the above problems, this dissertation analyzes in depth the basic principles and network topology of Fast-Flux botnets, on this basis further studies the existing academic achievements on Fast-Flux botnets, and finally proposes a two-stage Fast-Flux botnet detection scheme. The scheme includes two approaches: i) suspicious Fast-Flux traffic filtering based on real-time features, and ii) Fast-Flux botnet detection based on hybrid association features. The suspicious Fast-Flux traffic filtering (SFFTF) method filters out suspicious Fast-Flux traffic by means of DNS, black and white lists, and real-time features of Fast-Flux botnets. This method cuts down the total volume of traffic data, reduces the interference of irrelevant data, and improves detection performance and efficiency. Existing Fast-Flux botnet detection methods mostly pay attention to local features. Using a bipartite graph, this dissertation analyzes the global correlation between domain names and IP addresses. Then, combining this with the advantages of existing time-based detection methods, the study proposes a Fast-Flux botnet detection method based on hybrid association features, which enriches the dimensions of the Fast-Flux botnet feature vector. Considering the accuracy and efficiency of the XGBoost algorithm for detection, this dissertation applies it to Fast-Flux botnet detection for the first time. In addition, this method can also identify Fast-Flux domain names that are still being built up or are dying out. Finally, the proposed methods are tested on the ISOT Research Lab botnet dataset. The results show that the processes detect Fast-Flux botnets with higher efficiency and accuracy. Meanwhile, in response to the difficulties of traffic capture and analysis in high-speed networks, a Fast-Flux botnet detection prototype system suitable for high-speed network environments has been designed and implemented using the proposed scheme. The results demonstrate that the prototype system meets the detection requirements for Fast-Flux botnets in high-speed networks well. The proposed detection method and detection system provide strong support for detecting Fast-Flux botnets in the current high-speed network environment.
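As an added illustration of the two-stage pipeline the abstract describes (example code written for this page, not code from the thesis), the following Python runs a stage-one real-time filter and then computes stage-two hybrid features, including the bipartite domain/IP association, over a constructed DNS answer log. The record layout, the whitelist/blacklist contents, the TTL and answer-count thresholds and the feature names are all assumptions.

```python
from collections import defaultdict

# Constructed DNS answer log: (domain, time_s, ttl_s, set of A-record IPs). Not the thesis dataset.
RECORDS = [
    ("shop.example-a.test", 0,   300, {"203.0.113.10", "203.0.113.11", "198.51.100.7"}),
    ("shop.example-a.test", 300, 300, {"203.0.113.12", "198.51.100.8", "192.0.2.4"}),
    ("shop.example-a.test", 600, 300, {"192.0.2.5", "198.51.100.9", "203.0.113.13"}),
    ("cdn.example-b.test",  0,   200, {"203.0.113.10", "192.0.2.4"}),
    ("cdn.example-b.test",  200, 200, {"198.51.100.9", "203.0.113.12"}),
    ("www.example-c.test",  0,  3600, {"192.0.2.100"}),
    ("www.example-c.test", 3600, 3600, {"192.0.2.100"}),
    ("mail.example-d.test", 0, 86400, {"192.0.2.200"}),
]
WHITELIST = {"www.example-c.test"}   # assumed: known-good domains are dropped up front
BLACKLIST = set()                    # assumed: known-bad domains always pass to stage two
TTL_MAX = 600                        # assumed real-time threshold: flux domains use short TTLs
MIN_ANSWERS = 2                      # assumed: flux responses usually carry several A records

def group_by_domain(records):
    """Collect each domain's responses, ordered by time, for per-domain feature extraction."""
    by_dom = defaultdict(list)
    for dom, t, ttl, ips in records:
        by_dom[dom].append((t, ttl, frozenset(ips)))
    for dom in by_dom:
        by_dom[dom].sort()
    return by_dom

def stage1_filter(by_dom):
    """SFFTF-style pre-filter: whitelist removes, blacklist keeps, otherwise real-time features decide."""
    kept = {}
    for dom, answers in by_dom.items():
        if dom in WHITELIST:
            continue
        realtime_hit = any(ttl <= TTL_MAX and len(ips) >= MIN_ANSWERS for _, ttl, ips in answers)
        if dom in BLACKLIST or realtime_hit:
            kept[dom] = answers
    return kept

def hybrid_features(kept):
    """Time-based features per domain plus global features from the bipartite domain<->IP graph."""
    dom_ips = {dom: set().union(*(ips for _, _, ips in ans)) for dom, ans in kept.items()}
    ip_doms = defaultdict(set)                      # reverse side of the bipartite graph
    for dom, ips in dom_ips.items():
        for ip in ips:
            ip_doms[ip].add(dom)
    feats = {}
    for dom, answers in kept.items():
        seen, new_per_resp = set(), []
        for _, _, ips in answers:                   # how many never-seen IPs each response introduces
            new_per_resp.append(len(ips - seen)); seen |= ips
        shared_ips = {ip for ip in dom_ips[dom] if len(ip_doms[ip]) > 1}
        neighbours = set().union(*(ip_doms[ip] for ip in shared_ips)) - {dom}
        feats[dom] = {"distinct_ips": len(dom_ips[dom]),
                      "ips_per_response": len(dom_ips[dom]) / len(answers),
                      "ip_churn": sum(new_per_resp[1:]) / max(len(answers) - 1, 1),
                      "min_ttl": min(ttl for _, ttl, _ in answers),
                      "shared_ips": len(shared_ips),           # IPs also served by other domains
                      "neighbour_domains": len(neighbours)}    # domains reachable via shared IPs
    return feats
```

The resulting feature dictionaries are what a classifier such as the XGBoost model named in the abstract would be trained on; note that the association features are computed only over the traffic that survives stage one, so the filter's thresholds shape the graph the second stage sees.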
Keywords/Search Tags: Botnet, Fast-Flux Technology, Machine Learning, High-speed Network