
Research On Fast-flux And Domain-flux Botnet Traffic Detection Method

Posted on: 2020-07-30
Degree: Master
Type: Thesis
Country: China
Candidate: Z P Xiong
Full Text: PDF
GTID: 2428330596976522
Subject: Engineering

Abstract/Summary:
The rapid development of information networks ushered in the Internet age, and network security problems have grown with it; among them, the botnet has returned with each change in technology, and the new techniques used by modern botnets have gradually become research hotspots. When a botnet establishes its communication channel, the mainstream approach is to use DNS protocol techniques to decouple the server's domain name from its IP address, which gives reliable communication inside the infected network and flexible hosting of malicious content. The most widely used techniques are Fast-flux and Domain-flux. Fast-flux refers to a technique in which the mapping between a domain name and its IP addresses changes constantly. Domain-flux dynamically generates changing domain names according to a given algorithm; the attacker controls the botnet by registering one of the generated names as a valid domain that the controlled hosts then resolve. At present, most research on these two techniques focuses on only one of them, and most detection features capture only local characteristics of the traffic, which makes it difficult to keep up with constantly changing botnets.

In response to these problems, this thesis further studies the state of detection for Fast-flux and Domain-flux botnets by analysing the technical principles of botnets, and proposes a new and efficient detection method for both types. The main contents and innovations are as follows:

1. Based on the study of the two botnet types and on DNS traffic, a new detection model based on a DNS association graph is proposed. The model extracts the mapping relationship between domain names and IP addresses from DNS query responses and builds a DNS mapping association graph that satisfies the detection requirements of both Fast-flux and Domain-flux botnets.

2. Based on the DNS association graph, an analysis method using multidimensional features of the graph's components is proposed. The structural features of the graph, the node features (FQDN nodes and IP nodes), the edge features and blacklist statistical features are combined to realise multi-feature analysis of each graph component, and the LightGBM algorithm is selected to classify the components.

3. The problems of applying the detection system in a real network environment are analysed, and a prototype system that meets the requirements for botnet traffic detection in high-speed networks is designed and implemented.

Finally, the thesis evaluates and tests the algorithm on botnet datasets such as CTU-13. The results show that, on a data set containing both botnet types, the classification of botnet traffic reaches an accuracy of more than 92%, higher than the common single-type detection methods. The botnet detection prototype system is also designed and implemented; its test results show that the system meets the detection requirements of high-speed networks and can detect both Fast-flux and Domain-flux botnet traffic.
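The abstract describes the DNS association graph and the per-component features (structural, FQDN-node, IP-node, edge, blacklist statistics) only in outline. The following is an added example, not code from the thesis, that builds the bipartite FQDN/IP graph from DNS answer records, splits it into connected components and computes one feature row per component. The DNS records, the TTL values, the blacklist and the feature names are all constructed here for illustration; the IP addresses are from the RFC 5737 documentation ranges. The feature rows are what a classifier such as the LightGBM model named in the abstract would consume; the classifier itself is not included.

```python
"""DNS association graph: FQDN <-> IP bipartite graph with per-component features.

Added example; assumptions: record tuples are (fqdn, ip, ttl), the blacklist is a
set of FQDNs, and the feature names below are this example's own choice.
"""
from collections import defaultdict, deque
from statistics import mean

# Constructed sample DNS answer records (fqdn, resolved_ip, ttl_seconds).
SAMPLE_RESPONSES = [
    # benign-looking: one stable name, one address, long TTL (seen twice)
    ("www.example.com", "192.0.2.10", 3600),
    ("www.example.com", "192.0.2.10", 3600),
    # fast-flux pattern: one name resolving to many short-lived addresses
    *[("cdn-ff.example.net", f"198.51.100.{i}", 60) for i in range(1, 9)],
    # domain-flux pattern: many generated-looking names sharing one address
    *[(f"{label}.example.org", "203.0.113.7", 300)
      for label in ("xk3jd9a", "q8zlw02", "mvb71tr", "pl0ax5c", "zz9q1hh", "r4ttq6n")],
]

# Constructed (hypothetical) blacklist of names a threat feed already flagged.
BLACKLIST = {"xk3jd9a.example.org", "mvb71tr.example.org"}


def build_graph(responses):
    """Return (adjacency, ttls): nodes are ("fqdn", name) or ("ip", addr);
    ttls maps each (fqdn_node, ip_node) edge to the list of TTLs observed on it."""
    adj = defaultdict(set)
    ttls = defaultdict(list)
    for fqdn, ip, ttl in responses:
        d, a = ("fqdn", fqdn), ("ip", ip)
        adj[d].add(a)
        adj[a].add(d)
        ttls[(d, a)].append(ttl)
    return adj, ttls


def connected_components(adj):
    """Breadth-first search; each component is a set of nodes."""
    seen, components = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for neighbour in adj[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        components.append(comp)
    return components


def component_features(comp, adj, ttls, blacklist):
    """One feature row for a component: structure, node degrees, edge TTLs, blacklist hits."""
    fqdns = [n for n in comp if n[0] == "fqdn"]
    ips = [n for n in comp if n[0] == "ip"]
    edges = [(d, a) for d in fqdns for a in adj[d]]
    n_f, n_i, n_e = len(fqdns), len(ips), len(edges)
    return {
        "fqdns": tuple(sorted(d[1] for d in fqdns)),
        "n_fqdn": n_f,                                   # FQDN-node count
        "n_ip": n_i,                                     # IP-node count
        "n_edges": n_e,                                  # structural
        "density": n_e / (n_f * n_i),                    # bipartite edge density
        "max_ips_per_fqdn": max(len(adj[d]) for d in fqdns),  # high in fast-flux
        "max_fqdns_per_ip": max(len(adj[a]) for a in ips),    # high in domain-flux
        "mean_ttl": mean(t for e in edges for t in ttls[e]),  # edge feature
        "blacklist_ratio": sum(d[1] in blacklist for d in fqdns) / n_f,
    }


def extract_features(responses, blacklist):
    """Full pipeline: records -> graph -> components -> list of feature rows."""
    adj, ttls = build_graph(responses)
    rows = [component_features(c, adj, ttls, blacklist) for c in connected_components(adj)]
    return sorted(rows, key=lambda r: r["fqdns"])


if __name__ == "__main__":
    for row in extract_features(SAMPLE_RESPONSES, BLACKLIST):
        print(row)
```

On the constructed records the three components separate cleanly: the fast-flux-style component has a single FQDN with eight IP neighbours and a mean TTL of 60, the domain-flux-style component has six FQDNs hanging off one IP with a third of its names blacklisted, and the benign component is a single edge with a long TTL. On real traffic the graph is built over a time window so that flux behaviour (new IPs appearing under a name, new names appearing on an IP) is captured as the window advances.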
Keywords/Search Tags:Botnet, DNS traffic, Fast-Flux, Domain-flux