| Since the beginning of the 21st century, botnets have gradually become one of the major threats to Internet security and have attracted widespread attention in the security field. The original botnets relied on the IRC (Internet Relay Chat) protocol to control their bots. Although this central-server-based control method is convenient to implement, the central server makes an IRC botnet easy to detect and reverse. To overcome this limitation, attackers have adopted Peer-to-Peer (P2P) technology. The P2P protocol introduces decentralization and abandons the C/S (client/server) architecture of the IRC protocol, so that every bot acts as both client and server, which greatly enhances the robustness of P2P botnets. Research on P2P botnet detection will surely become an important topic in network security. To improve the detectability of botnet activities, this paper introduces the idea of association analysis from the field of data mining and proposes a system to detect botnets based on the FP-growth (Frequent Pattern Tree) frequent item mining algorithm. The detection system is composed of three parts: packet collection and processing, rule mining, and statistical analysis of rules. First, attributes are extracted from a dataset that includes botnet and benign network traffic; in non-experimental systems, the WinPcap (Libpcap) library is used to capture network packets and extract attributes. Then the FP-growth algorithm provided in the Weka software is used to mine the rules of botnet traffic. Finally, among the mined rules, those related to the IP of the host are selected and statistically analyzed to detect suspicious hosts. The effectiveness of the approach is demonstrated by an experiment consisting of 42074 benign hosts and 17 hosts belonging to three different botnets (Storm, Waledac and Zeus). The experiment shows that the proposed method performs better than those in the existing literature. |
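
The three stages described above, as an added Python example that is not the paper's code (the paper uses Weka's FP-growth): a compact FP-growth miner run over constructed flow records, followed by a per-host count of the frequent patterns that include the host's source IP. The attribute names, the sample flows, the thresholds and the "patterns per host" statistic are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed flows (not the paper's dataset); attribute names are assumptions.
def flow(src, proto, dport, size):
    return [f"src={src}", f"proto={proto}", f"dport={dport}", f"size={size}"]

FLOWS = [flow("10.0.0.5", "udp", 40000, "small") for _ in range(6)] + [
    flow("10.0.0.8", "tcp", 443, "large"), flow("10.0.0.8", "tcp", 80, "medium"),
    flow("10.0.0.8", "udp", 53, "small"), flow("10.0.0.9", "tcp", 443, "medium"),
    flow("10.0.0.9", "udp", 53, "small")]

class Node:
    def __init__(self, item, parent):
        self.item, self.parent, self.count, self.children = item, parent, 0, {}

def fp_growth(transactions, min_support, suffix=frozenset()):
    """Yield (itemset, support); transactions is a list of (items, count)."""
    counts = Counter()
    for items, n in transactions:
        for i in set(items):
            counts[i] += n
    freq = {i: c for i, c in counts.items() if c >= min_support}
    root, links = Node(None, None), defaultdict(list)
    for items, n in transactions:          # build the FP-tree
        node = root
        for i in sorted(set(items) & freq.keys(), key=lambda i: (-freq[i], i)):
            if i not in node.children:
                node.children[i] = Node(i, node)
                links[i].append(node.children[i])
            node = node.children[i]
            node.count += n
    for item, support in freq.items():
        yield suffix | {item}, support
        base = []                          # conditional pattern base of item
        for node in links[item]:
            path, p = [], node.parent
            while p.item is not None:      # walk up to the root
                path.append(p.item)
                p = p.parent
            if path:
                base.append((path, node.count))
        yield from fp_growth(base, min_support, suffix | {item})

def suspicious_hosts(flows, min_support=4, min_patterns=3):
    """Assumed statistic: count frequent patterns that include a host's IP."""
    per_host = Counter()
    for itemset, _ in fp_growth([(f, 1) for f in flows], min_support):
        for item in itemset:
            if item.startswith("src=") and len(itemset) > 1:
                per_host[item[4:]] += 1
    return sorted(h for h, n in per_host.items() if n >= min_patterns)

if __name__ == "__main__":
    print(suspicious_hosts(FLOWS))
```

Only the host whose flows repeat the same attribute combination often enough to pass `min_support` accumulates patterns tied to its IP; hosts with varied traffic contribute none.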