
Research On Mirai Botnet Detection Technology Based On Honeypot Technology

Posted on: 2020-06-18
Degree: Master
Type: Thesis
Country: China
Candidate: J Qian
Full Text: PDF
GTID: 2428330572972220
Subject: Computer Science and Technology

Abstract/Summary:
With the continuous development of smart devices and terminals, Internet of Things (IoT) technology is maturing. Because IoT devices are mostly installed on the public network, lack effective protection measures, and are difficult to upgrade, their inherent security risks have allowed IoT botnets to run rampant. At the same time, the concealment of botnets makes detection and evaluation very difficult for security researchers. This paper studies the detection and risk assessment of the Mirai botnet.

(1) Mirai botnet node identification based on honeypot technology

Traffic-based botnet identification methods require processing large volumes of data, have difficulty obtaining node communication traffic, and are hard to apply in an unknown network. To address this problem, the paper analyzes the Mirai source code, studies the working mechanism and principle of the Mirai virus, designs features to identify the Mirai virus, and proposes a Mirai botnet node identification method that combines honeypot and vulnerability scanning technology. On this basis, the paper designs and implements a visual detection system for Mirai botnet nodes. The paper verified the system on the public network, capturing a total of 272,204 scanning behaviors and 175,923 infecting behaviors.

(2) Mirai virus file recognition based on function call graph

To improve the credibility of botnet node identification and reduce missed detections and misdetections, this paper further studies methods for identifying Mirai and its variant files. Virus file recognition without source code usually relies on signature/keyword matching techniques. However, because of techniques such as obfuscation and compression, it is difficult to identify Mirai and its variants effectively with this method. To solve this problem, the paper proposes a recognition method based on the similarity of function call graphs. First, the paper selects the function call graph as a feature that reflects the similarity of homologous programs, and uses its ability to express the semantic characteristics of a program to resist semantics-preserving attack techniques such as obfuscation. Then, the paper packages the feature values of the adjacency matrix into the feature vector of the graph to compare similarity, avoiding the high computational cost of comparing graphs directly. Finally, the paper uses a supervised machine learning algorithm to learn a classification model that recognizes Mirai and its variant viruses. Simulation analysis shows that the proposed algorithm achieves 0.8239 accuracy, 0.8310 accuracy, and 0.8446 recall rate, and is superior to spectral features on multiple indicators such as the receiver operating characteristic curve, accuracy, and recall rate.

(3) Mirai botnet security risk assessment based on node importance

Mirai and its variants are the most widely spread bots in the Internet of Things. Assessing the security risks of Mirai botnets is important for developing cybersecurity strategies. Hidden Markov model-based techniques are the most widely used risk assessment methods, but they have problems that prevent them from being applied directly to the Mirai botnet. In addition, these techniques lack an assessment of the relationship between, and mutual impact of, node and network security risks, although in the Mirai botnet environment this impact is difficult to ignore. In view of these problems, this paper proposes a new network risk value calculation method and improves the basic hidden Markov model evaluation method. The concept of node importance is introduced: the importance of each node in the network is calculated from node correlation, and the risk of the whole network is calculated by weighting node risk values by node importance, replacing the approach in which all nodes are treated equally. The model is validated on published data. The results show that the proposed method is more sensitive to changes in network risk, which helps in responding to security events in the IoT environment.
Keywords/Search Tags:Mirai botnet, Honeypot technology, Malicious file recognition