The Research On Botnet Detection Technology Based On Automatic Scoring Algorithm

Posted on: 2020-12-27
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Li
Full Text: PDF
GTID: 2428330590495834
Subject: Computer technology
Abstract/Summary:
With more and more terminal devices connecting to the Internet, botnets pose a growing threat to the Internet environment. Through botnets, attackers can easily control thousands of computers, launch distributed denial-of-service attacks on any site, send large volumes of spam, steal sensitive information from controlled computers, or use click fraud for economic gain. Botnets communicate over command and control channels, and different types of botnets use command and control channels that differ in protocol and structure. In this thesis, we analyze the characteristics of botnet command and control channel traffic at different stages, extract features from malicious domain names and HTTP-based network protocol behavior, and obtain 12 representative features from three different dimensions. The feasibility of the features is analyzed through charts. Based on time-based network behavior characteristics, the features are augmented by setting three time windows, which increases the accuracy of the detection results. In addition, a lightweight feature extraction framework based on the Bloom filter algorithm is proposed, which successfully solves the problem of heavy computation and storage overhead when extracting and processing massive data. A network traffic anomaly detection algorithm based on a reputation scoring algorithm is also proposed: it automatically selects suspicious events from unlabeled data sets, without data labeling, and outputs the most suspicious events in real time. This algorithm can greatly reduce the workload of security personnel and contributes greatly to botnet host detection. In the experiments, we test the system with real botnet traffic. The data sets used include not only malicious botnet traffic and DGA data but also benign sample data. Using the co-existing behavior with the known botnet traffic set, the botnet can be inferred by calculating the similarity between the infected host and the known malicious network traffic set. Experiments show that the accuracy of this method for botnets can reach 99.96% and the false positive rate is only 0.34%, which gives it good application prospects.
Keywords/Search Tags: Botnet, HTTP, DGA, Automatic Scoring Algorithm, Reputation characteristics