Botnet Detection Method Based On Graph Analysis And Network Flow Characteristics

Posted on: 2023-08-31
Degree: Master
Type: Thesis
Country: China
Candidate: P Du
Full Text: PDF
GTID: 2558307061450314
Subject: Cyberspace security

Abstract/Summary:
Botnets are among the most serious security threats on the Internet. A botnet consists of a group of infected hosts; attackers use command and control (C&C) channels to remotely control these bots and launch various types of network attacks, such as distributed denial of service (DDoS), spam, phishing, click fraud and information theft. Some existing detection methods rely on prior knowledge such as traffic fingerprints and malicious DNS domain names, and cannot cope with rapidly mutating bot trojans, especially those using encrypted malicious traffic. Although there are also methods based on traffic behavior analysis, most of them extract only simple two-tuple or five-tuple statistical measures. These flow-based methods ignore the long-term behavioral sequence data of botnets and the P2P remote-control structure of botnets. In addition, because of the large traffic volume of backbone networks, the overhead of extracting features from the communication relationship graph is too high, and few solutions combine topology-graph features with traffic-statistics features at the same time. In view of these problems, the main contributions and innovations of this thesis are as follows:

(1) Aiming at the core problem of excessive graph feature extraction overhead, this thesis proposes TAS-TKC (Time Adaptive Sketch for Temporal Katz Centrality measurement), which randomly hashes all vertices into a constant-sized data structure. The algorithm significantly reduces the time and memory overhead of computing the temporal Katz centrality of the Top-K ranked vertices, at the cost of centrality measurement accuracy for vertices with low centrality. The experimental results show that TAS-TKC preserves the ranking order of Top-K vertex centrality well and has little impact on the detection performance for botnet hosts. Moreover, features selected from graph vertex centrality measures such as temporal Katz centrality simultaneously capture the evolution of the topology graph structure over time and the direct and indirect influence of graph vertices along temporal paths. These features better reflect the latent interaction patterns between bots and are of great significance for botnet detection.

(2) This thesis proposes a feature extraction method based on traffic similarity and stability. Botnet traffic tends to be uniform, similar and regular, whereas traffic generated by normal communication tends to be diverse and random. After using the Zeek traffic analysis tool to obtain the original traffic characteristics, this thesis adds similarity features such as average payload packet length and the ratio of packets with the PSH control bit set, and two stability features, packet count entropy and flow duration entropy, all extracted from the basic network traffic data. The feature importance ranking and the model classification results show that similarity and stability feature extraction significantly improves botnet detection accuracy.

(3) This thesis proposes BotFusion, a botnet detection framework based on a model fusion mechanism. From the respective output scores of an LSTM model based on graph vertex centrality and a LightGBM model based on traffic statistical features (that is, the probability that a host is judged to be a bot), the final score and detection result are obtained by weighted fusion. The public datasets CTU-13 and IoT-23 and the simulated dataset Bot-VM are selected as experimental data, and BotFusion is compared with models proposed in recent years such as BotFP-Clus and BotChase. The experimental results show that the detection accuracy of BotFusion is generally maintained at a high level, with outstanding performance in some data scenarios such as the Neris botnet.

(4) This thesis builds a botnet platform based on VMware and constructs the simulated dataset Bot-VM. First, four Kali Linux botnet virtual machines and four normal virtual machines configured with a LAMP environment are deployed on two servers. Next, an Ubuntu Tap virtual machine is deployed on another Dell 7920 server, with Zeek and tshark installed to collect traffic log information, and the Linux cron service is used to periodically execute scripts that annotate the data and build the simulated dataset Bot-VM. Finally, supplementary experiments on this dataset further verify the detection capability of the BotFusion framework proposed in this thesis.
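As an added illustration of the similarity and stability features described in contribution (2), not code from the thesis: the block below computes average payload length, PSH packet ratio, packet count entropy and flow duration entropy per source host from constructed Zeek-style flow records, one host with uniform beacon-like flows and one with varied browsing-like flows (the field layout, hosts and values are assumptions made for the example).

```python
from collections import Counter, defaultdict
from math import log2

# Constructed flow records in the spirit of Zeek conn.log fields (not real captures):
# (src_host, packets, duration_s, payload_bytes, psh_packets)
FLOWS = [
    # Host with uniform, beacon-like flows: same size and duration every time
    ("10.0.0.5", 4, 1.0, 240, 2),
    ("10.0.0.5", 4, 1.0, 240, 2),
    ("10.0.0.5", 4, 1.0, 240, 2),
    ("10.0.0.5", 4, 1.0, 240, 2),
    ("10.0.0.5", 4, 1.0, 240, 2),
    ("10.0.0.5", 4, 1.0, 240, 2),
    # Host with diverse flows, as in ordinary browsing
    ("10.0.0.9", 3, 0.4, 300, 1),
    ("10.0.0.9", 12, 3.1, 9000, 5),
    ("10.0.0.9", 40, 25.0, 48000, 12),
    ("10.0.0.9", 7, 1.2, 2100, 3),
    ("10.0.0.9", 12, 0.9, 6000, 4),
]


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of discrete values."""
    values = list(values)
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())


def host_features(flows):
    """Per-source-host similarity (payload length, PSH ratio) and stability (entropy) features."""
    per_host = defaultdict(list)
    for flow in flows:
        per_host[flow[0]].append(flow)
    feats = {}
    for host, fl in per_host.items():
        pkts = sum(f[1] for f in fl)
        feats[host] = {
            "avg_payload_len": sum(f[3] for f in fl) / pkts,  # bytes per packet
            "psh_ratio": sum(f[4] for f in fl) / pkts,        # share of PSH-flagged packets
            "pkt_count_entropy": entropy(f[1] for f in fl),   # 0 when every flow has equal size
            "duration_entropy": entropy(round(f[2]) for f in fl),  # durations bucketed to 1 s
        }
    return feats


if __name__ == "__main__":
    for host, feats in host_features(FLOWS).items():
        print(host, {k: round(v, 3) for k, v in feats.items()})
```

Low entropy together with a stable payload length is what the thesis treats as the "uniform and similar" signature of bot traffic; in the constructed data the beaconing host scores zero on both entropies while the browsing host scores well above one bit.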
Keywords/Search Tags: Botnet, Graph Vertex Centrality, Sketch Algorithm, Anomaly Detection