Research On Botnet Detection Method Based On Domain And Traffic Characteristics

Posted on: 2022-10-20
Degree: Master
Type: Thesis
Country: China
Candidate: Z W Song
GTID: 2518306740994279
Subject: Cyberspace security

Abstract/Summary:
Over the past two decades, Internet use has become increasingly widespread, and Internet-based applications have grown explosively. The Internet is now fully integrated into people's lives and supports many services, such as finance, entertainment, commerce, and transportation. This has brought many conveniences to production and daily life, but it has also produced many security threats. Among them, botnets, as a carrier of malicious software, carry out a series of malicious behaviors, such as distributed denial of service, spam, encryption-based extortion, and information theft. They pose huge security challenges to ordinary users, enterprises, and even the country. Network security is a necessary condition for national security. Network security practitioners today are in a continual contest with botnets, and botnet detection is the key to responding to botnet attacks: only by finding the devices infected by a botnet can the botnet be destroyed. Therefore, the research on botnet detection in this thesis is of great significance.

This thesis studies the basic principles, operating procedures, and common features of botnets, as well as some problems in current detection methods. In response to these features and problems, it proposes a Domain Generation Algorithm (DGA) detection method based on multiple word vectors and a botnet detection method based on the attention mechanism and traffic spatiotemporal characteristics. The specific work done in this thesis is as follows:

1. Botnets widely use DGA domain technology to avoid detection. In response to this phenomenon, and to the low accuracy of current DGA domain detection methods on dictionary-based domains, this thesis proposes a DGA domain name detection method based on multiple word vectors. First, it designs a word segmentation algorithm, based on Zipf's law and dynamic programming, that can segment continuous English strings. This algorithm segments dictionary-based domains well. Then, based on the word segmentation results, the domains are divided into dictionary-based domains and non-dictionary-based domains, which are represented by word-level word vectors and character-level word vectors respectively. Finally, a multi-layer bidirectional GRU model is used for feature extraction and classification. Experiments verify that this method has good detection performance: it achieves 99.24% detection accuracy on data sets such as 360 Netlab and has a high detection speed.

2. To address the slow detection speed and insufficient feature extraction of current botnet detection methods based on deep learning models, this thesis proposes a botnet detection method based on the attention mechanism and traffic spatiotemporal characteristics. First, it comprehensively considers the overall and local spatial characteristics of botnet traffic, and combines the characteristics of specific protocols such as Transport Layer Security (TLS) to improve the graphical representation scheme for packet flows. Then, based on two lightweight deep learning models, ShuffleNet V2 and SRU, it designs a spatial feature extraction model and a temporal feature extraction model for traffic data. These extract the characteristics of the traffic data in the spatial and temporal dimensions respectively, and the two types of features are fed into a classifier for classification. In addition, this thesis adds an attention mechanism to the feature extraction model, which improves its feature extraction ability. Experimental verification shows that the detection method achieves high detection accuracy, with a detection accuracy rate of 97.9%, that it is considerably faster than other methods based on deep learning models, and that it can better cope with large-scale network traffic.
Keywords/Search Tags: Botnet, DGA Domain, Word Vector, Network Traffic Characteristics, Attention Mechanism
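
The segmentation and routing step from item 1 of the abstract, as an added example that is not code from the thesis: a domain label is split by dynamic programming over Zipf-derived word costs, then sent to the word-level or character-level path. The vocabulary is a constructed sample, and the cost formula, the unknown-character penalty and the 0.8 routing threshold are assumptions, since the page does not give the thesis's own values.

```python
import math

# Constructed vocabulary, most frequent first. Assumption: a real detector
# would load a large frequency-ranked English word list instead.
RANKED_WORDS = ("the of and to in for on free news home online shop mail "
                "secure bank login update cloud table river stone garden").split()
N = len(RANKED_WORDS)
# Zipf's law: P(word of rank r) ~ 1 / (r * ln N), so cost = -log P.
WORD_COST = {w: math.log((r + 1) * math.log(N)) for r, w in enumerate(RANKED_WORDS)}
MAX_LEN = max(map(len, RANKED_WORDS))
# Assumption: an out-of-vocabulary character costs more than any known word.
UNKNOWN_CHAR_COST = 2 * max(WORD_COST.values())


def segment(label):
    """Minimum-cost split of a domain label via dynamic programming."""
    s = label.lower()
    best = [(0.0, 0)]  # best[i] = (cost of s[:i], length of its last token)
    for i in range(1, len(s) + 1):
        # Fallback: consume one character as an unknown token.
        options = [(best[i - 1][0] + UNKNOWN_CHAR_COST, 1)]
        for k in range(1, min(i, MAX_LEN) + 1):
            word = s[i - k:i]
            if word in WORD_COST:
                options.append((best[i - k][0] + WORD_COST[word], k))
        best.append(min(options))
    tokens, i = [], len(s)
    while i > 0:  # backtrack from the end of the string
        k = best[i][1]
        tokens.append(s[i - k:i])
        i -= k
    return tokens[::-1]


def dictionary_coverage(label):
    """Fraction of characters that fall inside vocabulary words."""
    covered = sum(len(t) for t in segment(label) if t in WORD_COST)
    return covered / max(len(label), 1)


def route(label, threshold=0.8):
    """Pick the embedding path; the 0.8 threshold is a hypothetical value."""
    return "word-level" if dictionary_coverage(label) >= threshold else "char-level"
```

Pass only the registrable label (for example `securebanklogin`, without the TLD); digits and hyphens are treated as unknown characters and lower the coverage score.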