Research On Botnet Detection Technology Based On Traffic Recognition

Posted on: 2020-01-28
Degree: Master
Type: Thesis
Country: China
Candidate: X X Dong
Full Text: PDF
GTID: 2428330602950585
Subject: Circuits and Systems

Abstract/Summary:
In recent years, with the rapid development of Internet technology, the interconnection of all things has gradually come into view. Especially with the development of artificial intelligence, people use the Internet to control intelligent equipment and industrial control equipment to manage industrial facilities. This mode of development has caused explosive growth in the number of networked devices. Along with these conveniences, the network security situation has become increasingly serious: botnets, as an attack carrier, have increasingly become a vehicle for distributed denial-of-service attacks, encryption-based extortion and other malicious acts, seriously threatening the security of users, enterprises and countries. Without network security, there is no national security. Detection of and defense against botnets has gradually become a hot topic in the security industry and is of great significance for the present era. Against this background, this research topic was chosen: detecting botnets by means of traffic identification.

Firstly, the study focused on the basic mechanism and characteristics of botnets and on the current mainstream traffic identification methods. A detection method based on flow characteristics was chosen and combined with a neural network to analyze and detect large volumes of traffic data. By analyzing, cleaning and aggregating the original traffic, a complete and reasonable sample set is first established, and a classification detection model is then built using a single hidden layer neural network (SHLNN). By selecting 8-dimensional detection features for HTTP botnets and P2P botnets respectively, and training the classification detection model on the sample set, classification and detection are realized under the condition that the botnet type is known. For high-precision detection of a single botnet type, experiments show that after 15 training sessions the detection accuracy for P2P botnets can reach 91.7%, and that for HTTP botnets can reach 94.1%. Apart from the long training time, the accuracy is better than that of the vast majority of machine learning algorithms.

Secondly, detection of botnets without distinguishing the botnet type was studied, and credible undifferentiated detection was achieved. By comparing the differences between the two types of botnets and normal traffic, and based on the periodicity and similarity of botnet behavior, a 10-dimensional feature set is proposed for adaptive detection. With these features, botnet traffic and normal traffic can be well distinguished, and the number of hidden layers can be adjusted by means of experimental verification. After 15 training sessions, the accuracy is basically 77.2%. At the same time, it is found that the model has relatively good detection capability for HTTP botnets, so the detection rate is relatively good when there are more HTTP stream samples.

Finally, when botnet traffic and normal traffic in the training sample set are seriously unbalanced, the classification model detects poorly. To solve this problem, a sampling-based sample processing method is proposed. During processing, ENN is used to clean up noise samples in the normal traffic, and the adaptive synthetic sampling algorithm is used to generate additional botnet traffic samples from the existing botnet traffic samples, so that the two kinds of samples are finally balanced. At the same time, the processed samples are of higher quality and have been partitioned. This addresses the model's classification and detection ability on unbalanced data sets, and training is conducted at the same time. The average training time was reduced to 1/2 of the original.
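The sample-balancing step described above (ENN cleaning of normal-traffic noise, then adaptive synthetic sampling of botnet flows) can be sketched as follows. This is an added example, not code from the thesis: the 2-D feature vectors, the label encoding, k = 3 and all function names are assumptions, and the data is constructed.

```python
import math
import random

NORMAL, BOTNET = 0, 1  # assumed label encoding, not taken from the thesis

def neighbours(i, X, k, pool=None):
    """Indices of the k samples nearest to X[i] (Euclidean), drawn from pool."""
    cand = [j for j in (range(len(X)) if pool is None else pool) if j != i]
    return sorted(cand, key=lambda j: math.dist(X[i], X[j]))[:k]

def enn_clean(X, y, k=3):
    """ENN applied to the normal class only: drop a normal flow when most of
    its k nearest neighbours are botnet flows (treated as a noise sample)."""
    keep = [i for i in range(len(X))
            if y[i] != NORMAL
            or 2 * sum(y[j] == BOTNET for j in neighbours(i, X, k)) <= k]
    return [X[i] for i in keep], [y[i] for i in keep]

def adasyn(X, y, k=3, seed=0):
    """Synthesise botnet samples until the classes are roughly balanced,
    generating more around botnet flows that have many normal neighbours."""
    rng = random.Random(seed)
    bot = [i for i in range(len(X)) if y[i] == BOTNET]
    need = (len(X) - len(bot)) - len(bot)  # normal count minus botnet count
    if need <= 0 or len(bot) < 2:
        return list(X), list(y)
    # r_i: share of normal flows among the k nearest neighbours of botnet flow i
    r = [sum(y[j] == NORMAL for j in neighbours(i, X, k)) / k for i in bot]
    total = sum(r)
    # Edge case: no botnet flow borders normal traffic, so spread evenly
    w = [ri / total for ri in r] if total else [1 / len(bot)] * len(bot)
    Xs, ys = list(X), list(y)
    for i, wi in zip(bot, w):
        near = neighbours(i, X, min(k, len(bot) - 1), pool=bot)
        for _ in range(round(wi * need)):
            j, gap = rng.choice(near), rng.random()
            Xs.append(tuple(a + gap * (b - a) for a, b in zip(X[i], X[j])))
            ys.append(BOTNET)
    return Xs, ys

def rebalance(X, y, k=3, seed=0):
    """Clean the normal class with ENN, then oversample botnet flows."""
    return adasyn(*enn_clean(X, y, k), k=k, seed=seed)

# Constructed 2-D sample set (not the thesis's features or traffic data)
SAMPLE_X = [(a * 0.5, b * 0.5) for a in range(4) for b in range(3)]  # 12 normal
SAMPLE_X += [(5.0, 5.0), (5.4, 5.0), (5.0, 5.4), (5.4, 5.4)]         # 4 botnet
SAMPLE_X += [(5.2, 5.2)]                            # normal-labelled noise flow
SAMPLE_Y = [NORMAL] * 12 + [BOTNET] * 4 + [NORMAL]
```

Because per-sample counts are rounded, the two classes end up approximately rather than exactly equal in the general case.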
Keywords/Search Tags: Botnet, Flow Analysis, Feature Detection, SHLNN