
Detecting And Tracking Botnets Based On Network Traffic Behavior Analysis

Posted on: 2020-09-25
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wang
Full Text: PDF
GTID: 2428330578454859
Subject: Information security

Abstract/Summary:
Botnets are an increasingly serious threat to network security. Using them, attackers can conduct DDoS (distributed denial of service) attacks, obtain virtual currency, send spam and carry out other malicious activities, which cause billions of dollars in economic losses every year. In addition, as more and more IoT devices connect to the Internet, the network environment is becoming increasingly complex, which makes botnets harder to defend against.

In botnet detection, a bot client usually has an incubation period during which the host behaves much like a normal host, so it is difficult to detect before it performs malicious activities. Current botnet detection combines network traffic analysis with host behavior analysis: the former analyzes the traffic generated by communication between hosts, and the latter checks whether a host exhibits suspicious behavior. Network traffic analysis extracts features from traffic and represents each host's interaction pattern as a multi-dimensional vector. It comprises two kinds of methods. The first uses a machine-learning classification algorithm to train a classifier on known botnet samples and then decides, based on that classifier, whether a known botnet is present in the current network. The second, based on clustering, clusters the interaction patterns of all hosts in the network and analyzes suspicious host groups from the clustering results. The nature of clustering algorithms means this kind of method usually has a high false positive rate. To address this problem, this thesis introduces graph-theoretic outlier detection into the field of botnet detection and proposes a detection method that combines graph outlier detection with analysis of the interaction patterns between hosts. Experiments show that the method achieves a 98% detection rate with a false positive rate below 1% for centralized botnets using multiple protocols.

In botnet tracking, assuming the botnet is not deployed in an anonymous network, the attacker places several "stepping stones" in front of the real C&C (command and control) server to hide its IP address and avoid tracking. In this situation the source of the botnet cannot be traced; starting from a bot, only the outermost stepping stone can be tracked. Botnet tracking based on network flow watermarking can effectively solve this problem: it adds a watermark to the packets the bot sends to the server and detects the watermark on the network. Various watermark tracking methods have been proposed in the field of network flow watermarking. These methods add the watermark by adjusting IP-layer packets, and their challenge is to reduce the interference that encrypted data streams, added chaff packets, network flow splitting and packet reassembly cause to watermark detection. However, the small number of "heartbeat" packets in a botnet makes this kind of method unsuitable. In addition, there is little tracking research aimed at botnets using the HTTP protocol; researchers have mainly focused on tracking methods for botnets using the IRC protocol, chiefly because IRC botnet tracking can recover the attacker's IP address, since in an IRC botnet the attacker can only communicate directly with the bots. To fill the gap in research on tracking HTTP-based botnets, this thesis proposes a dynamic watermark tracking method that adds redundant parameters at the application layer to track the real C&C server address of an HTTP botnet, which effectively avoids the problems of network flow splitting and packet reassembly. Experiments show that the success rate of this method in tracking real C&C server addresses is above 85%.
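As an added illustration (not code from the thesis), the following Python sketch shows the idea of an application-layer flow watermark: an investigator appends redundant query parameters to the HTTP request a controlled bot sends, and a detector recovers the watermark from request lines captured further along the path, reporting which destination received it. The keyed parameter naming, the 16-bit watermark and the sample capture are assumptions constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET = b"demo-watermark-key"   # constructed key shared by embedder and detector
WM_BITS = 16                     # watermark length in bits (assumption)


def _marker_names(secret, nbits):
    """Derive nbits parameter names from the key so that unrelated
    requests are very unlikely to carry the full marker set."""
    names = []
    for i in range(nbits):
        digest = hmac.new(secret, b"wm%d" % i, hashlib.sha256).hexdigest()
        names.append("p" + digest[:6])
    return names


def embed_watermark(url, watermark, secret=SECRET):
    """Append redundant parameters encoding `watermark` bit by bit; a server
    ignores unknown parameters, and an application-layer stepping stone that
    proxies the request forwards them unchanged."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, name in enumerate(_marker_names(secret, WM_BITS)):
        params.append((name, str((watermark >> i) & 1)))
    return urlunsplit(parts._replace(query=urlencode(params)))


def detect_watermark(capture, secret=SECRET):
    """Scan (dst_ip, request_line) pairs; return (watermark, dst_ip) for the
    first request carrying every marker parameter, else None. Parameter order
    does not matter, and requests without the full marker set are skipped."""
    names = _marker_names(secret, WM_BITS)
    for dst_ip, line in capture:
        fields = line.split()
        if len(fields) != 3:
            continue                      # not a well-formed request line
        query = dict(parse_qsl(urlsplit(fields[1]).query, keep_blank_values=True))
        if not all(query.get(n) in ("0", "1") for n in names):
            continue
        value = sum(int(query[n]) << i for i, n in enumerate(names))
        return value, dst_ip
    return None


def demo_capture():
    """Constructed capture: one benign request plus one watermarked bot request."""
    marked = embed_watermark("http://198.51.100.7/check.php?id=17", 0xBEEF)
    target = marked.split("198.51.100.7", 1)[1]
    return [("203.0.113.10", "GET /update?v=3 HTTP/1.1"),
            ("198.51.100.7", "GET %s HTTP/1.1" % target)]
```

Running `detect_watermark(demo_capture())` returns `(48879, '198.51.100.7')`, i.e. the watermark 0xBEEF and the next hop that received it.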
Keywords/Search Tags:Detection, Tracking, Botnet, Watermark, Graph, Interactive mode