
Homologous Botnet Detection Based On Time Series Mining

Posted on: 2020-10-09
Degree: Master
Type: Thesis
Country: China
Candidate: L C Zhai
Full Text: PDF
GTID: 2428330572498641
Subject: Computer application technology
Abstract/Summary:
A botnet is a network of a large number of compromised hosts ("bots") to which an attacker has spread bot malware and which the attacker controls through a command-and-control (C&C) channel using one-to-many commands. Botnets give attackers a covert, flexible and efficient one-to-many command and control mechanism, and the controlled zombie hosts can be used for information theft, distributed denial of service attacks and spam. Botnets have entered a period of rapid development, and their number and scale keep growing, posing a serious threat to the Internet; botnet detection techniques in the field of cybersecurity have been continuously updated in response. This thesis proposes a botnet homology recognition model based on a similarity test of communication behaviour. The model identifies botnets that may exist in a network from the traffic characteristics observed in that network, performs homology identification according to the characteristics of different botnets, and traces traffic back to its different botnet sources. Because a real network environment carries a large amount of normal communication traffic, botnets often exploit this to hide themselves in the bulk of the traffic, which makes them difficult to identify. This thesis therefore filters traffic data according to botnet characteristics through a series of filtering methods, and proposes an integrated detection method that combines similarity detection with stability detection: after network traffic is aggregated, an integrated detection algorithm is designed from the similarity of communication characteristics within the same botnet and the stability of packet size over time, in order to separate botnet traffic from normal network traffic. Extracting botnets in a large-scale environment yields a large number of botnets of different types and from different sources, so a classification method that supports traceability is needed; such a method is of great help to the analysis performed by network security personnel and to the development of reasonable countermeasures. To this end, this thesis proposes a homology test method for network traffic: the distance between network traffic curves is computed with a dynamic time warping (DTW) distance algorithm, which measures the similarity between communication curves, and, to improve detection efficiency, two lower-bound distances are introduced to filter botnet data from different sources. The thesis validates the approach on a botnet dataset captured in a real environment and uses the labelled data to verify the botnet detection results. Compared with a cross-clustering experiment, the integrated detection method achieves a higher detection rate and a lower false-alarm (error reporting) rate. The similarity threshold is determined from the dataset, and the homology recognition rate on the test dataset is statistically verified. The experiments demonstrate the validity of homologous-botnet identification based on traffic similarity detection, and compare the theoretical and measured computational cost (algorithm time overhead) of the different lower-bound distances, demonstrating the efficiency of the model.
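The homology test sketched in the abstract (a DTW distance between two traffic curves, with a cheap lower-bound distance used to skip the full computation when two curves are clearly unrelated) as an added Python example. This is not code from the thesis. It assumes that each flow is summarised as a series of mean packet size per fixed time slot, that the similarity threshold is a constructed value of 50 rather than one fitted from labelled data as the thesis does, and that LB_Keogh stands in for the lower bounds, since the abstract does not name which two it uses. The sample curves are constructed for the example.

```python
"""DTW homology check for traffic curves with a lower-bound pre-filter.

Added example, not code from the thesis. Assumptions: each flow is a series
of mean packet size (bytes) per fixed time slot; two curves are "homologous"
when their DTW distance is at most THRESHOLD (constructed here); LB_Keogh is
used as the lower-bound distance, which is always <= the banded DTW distance
for equal-length series.
"""
import math
from typing import List, Sequence, Tuple


def dtw_distance(a: Sequence[float], b: Sequence[float], window: int) -> float:
    """Squared-error DTW restricted to a Sakoe-Chiba band of +/- `window` slots."""
    n, m = len(a), len(b)
    w = max(window, abs(n - m))          # band must be wide enough to reach (n, m)
    prev = [math.inf] * (m + 1)
    prev[0] = 0.0
    for i in range(1, n + 1):
        cur = [math.inf] * (m + 1)
        for j in range(max(1, i - w), min(m, i + w) + 1):
            cost = (a[i - 1] - b[j - 1]) ** 2
            cur[j] = cost + min(prev[j], cur[j - 1], prev[j - 1])
        prev = cur
    return math.sqrt(prev[m])


def lb_keogh(query: Sequence[float], candidate: Sequence[float], window: int) -> float:
    """Keogh lower bound: only the part of `query` that falls outside the
    candidate's upper/lower envelope (built over the same band) is charged,
    so the result never exceeds dtw_distance() for equal-length series."""
    if len(query) != len(candidate):
        raise ValueError("LB_Keogh needs equal-length series")
    n = len(query)
    total = 0.0
    for i, q in enumerate(query):
        seg = candidate[max(0, i - window): min(n, i + window + 1)]
        upper, lower = max(seg), min(seg)
        if q > upper:
            total += (q - upper) ** 2
        elif q < lower:
            total += (q - lower) ** 2
    return math.sqrt(total)


def homologous(a: Sequence[float], b: Sequence[float],
               threshold: float, window: int) -> Tuple[bool, bool]:
    """Return (same_source, full_dtw_used). When the O(n) bound already
    exceeds the threshold, the O(n*window) DTW computation is skipped."""
    if lb_keogh(a, b, window) > threshold:
        return False, False
    return dtw_distance(a, b, window) <= threshold, True


def group_by_homology(reference: Sequence[float], candidates: List[Sequence[float]],
                      threshold: float, window: int) -> Tuple[List[int], int]:
    """Indices of candidates homologous to `reference`, plus the number of
    candidates the lower bound rejected without a full DTW computation."""
    matched, pruned = [], 0
    for idx, cand in enumerate(candidates):
        same, used_dtw = homologous(reference, cand, threshold, window)
        if not used_dtw:
            pruned += 1
        if same:
            matched.append(idx)
    return matched, pruned


# Constructed sample curves: mean packet size (bytes) per 10-second slot.
BOT_A = [60, 60, 300, 60, 60, 300, 60, 60, 300, 60]           # beacon every third slot
BOT_A_SHIFTED = [60, 310, 60, 60, 290, 60, 60, 300, 60, 60]   # same bot, one slot earlier, with jitter
NORMAL = [120, 450, 90, 800, 230, 1400, 75, 60, 980, 310]     # ordinary, irregular traffic
THRESHOLD = 50.0   # constructed; the thesis fits this from labelled data
WINDOW = 1         # tolerated time misalignment, in slots


if __name__ == "__main__":
    print("bot vs shifted bot:", homologous(BOT_A, BOT_A_SHIFTED, THRESHOLD, WINDOW))
    print("bot vs normal:     ", homologous(BOT_A, NORMAL, THRESHOLD, WINDOW))
    print("grouping:          ", group_by_homology(BOT_A, [BOT_A_SHIFTED, NORMAL], THRESHOLD, WINDOW))
```

The band width matters twice: it bounds how far the beacon may drift between two captures of the same botnet, and the lower bound is only valid when its envelope uses the same band as the DTW computation. Widening the band makes DTW more forgiving but also loosens the bound, so fewer candidates are pruned.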
Keywords/Search Tags: Botnet, integrated detection method, dynamic time warping, lower bound distance