
Research On Unknown Botnet Communication Protocol Attack Technology Based On Generative Adversarial Network

Posted on: 2024-06-11; Degree: Master; Type: Thesis
Country: China; Candidate: T Xu
GTID: 2568306941984239; Subject: Computer technology
Abstract/Summary:
With the rapid development of distributed services, the number of devices on the network is increasing, and so is the number of network nodes vulnerable to botnets, whose proliferation may lead to large-scale, serious security incidents. Attacks targeting botnet communication protocols can force nodes offline and delay and prevent the propagation of botnets. Known botnets can be suppressed by professionals who analyze their binary files to obtain prior knowledge and combine various means. An attack on an unknown botnet usually captures and analyzes its traffic and then sends randomly mutated payload data to the target node to suppress it. However, most of the traffic generated by random mutation for an unknown botnet does not meet its protocol specification, so it cannot pose an effective threat to the botnet. To address the low utility of the attack payloads generated in attacks on unknown botnets, this paper focuses on network flow state prediction and payload generation, applies the idea of fuzz testing to attack botnet nodes, implements BotFuzzer, a real-time automatic fuzz testing system for unknown botnets, and verifies it on a communication protocol with known defects. The main work is as follows:

(1) This paper proposes an algorithm, based on information entropy and Bayesian optimization, for segmenting the communication payloads exchanged between unknown botnet nodes. Existing payload segmentation algorithms use feature values or rules as the segmentation basis. For a botnet whose protocol specification is unknown, the payload subsequences they produce do not conform to the payload semantics. In this paper, a sliding window is set on a complete botnet inter-node communication payload, and the information entropy of the continuous binary sequence in the window is used as the segmentation basis. The Bayesian optimization algorithm is used to dynamically adjust the size of the sliding window and the information entropy threshold in the window. The experimental results show that, on unknown botnet communication payloads and without prior knowledge, the subsequences produced by this segmentation algorithm are more consistent with the protocol specification, so the algorithm is more general.

(2) A network payload generation method that conforms to the botnet protocol is proposed. Existing payload generation methods apply random mutation directly to the original payload and cannot retain the original semantics of the payload fields, so the generated botnet attack contains a large number of invalid payloads. This paper proposes a communication payload generation method based on semantic segment regeneration with a generative adversarial network, which eliminates the influence of long feature sequences in the original botnet communication payload during generation training and avoids the problem of the generated payload containing too many invalid feature sequences. The experimental results show that the inter-node communication payloads generated by this method are more in line with the protocol specification of the botnet, and that the method is more efficient.

(3) A botnet payload state prediction scheme based on network flow logs is proposed. Because communication between botnet nodes is unstable and subject to packet loss, the protocol state mechanism in existing payload state prediction schemes is inaccurate and the prediction accuracy is low. Based on the similar communication patterns of the nodes in the botnet's flow log, this paper clusters the payloads of the network flow log into clusters of multiple states, uses the network payload data of its own node communicating with multiple other nodes to construct multiple protocol state machines, and selects the payload state cluster with the highest state machine similarity to label the payload states. A network payload state predictor is then trained on the payload set with state labels to obtain the state type of real-time botnet payloads. The experimental results show that this scheme can predict the state of unknown botnet communication payloads more accurately.

(4) A passive fuzz testing system for botnet protocols, BotFuzzer, is proposed. At present, passive fuzz testing systems for binary application-layer protocols do not adapt to unknown botnets: the attack efficiency is low, the impact on the network is high, and they are easy to detect. In this paper, based on the advantages of existing passive scanning tools and on the proposed communication payload segmentation algorithm, network payload generation method and network payload state prediction scheme, a passive fuzz testing system for botnet protocols, BotFuzzer, is designed and implemented. The system verification shows that BotFuzzer can attack the target communication protocol with higher efficiency, and that it provides a scheme with less impact on the network and higher efficiency in generating samples for attacking the communication between botnet nodes.
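The sliding-window entropy segmentation described in contribution (1), as an added example for analysing captured traffic that is not code from the thesis. The function names, the rule of cutting at the centre of the first window whose entropy class changes, and the constructed sample payload are assumptions; the window size and threshold are fixed here, whereas the thesis tunes them with Bayesian optimization.

```python
import math
from collections import Counter


def window_entropy(chunk: bytes) -> float:
    """Shannon entropy, in bits, of the byte values inside one window."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def segment(payload: bytes, window: int, threshold: float) -> list[bytes]:
    """Split a payload where the windowed entropy crosses the threshold.

    Each window position is classed as high or low entropy. A cut is placed
    at the centre of the first window whose class differs from the previous
    one (an assumed rule; the abstract does not give the exact cut rule).
    """
    if window < 2 or len(payload) < window:
        return [payload]  # too short to measure, keep as a single field
    high = [
        window_entropy(payload[i:i + window]) >= threshold
        for i in range(len(payload) - window + 1)
    ]
    cuts = [0]
    for i in range(1, len(high)):
        if high[i] != high[i - 1]:
            cuts.append(i + window // 2)
    cuts.append(len(payload))
    return [payload[a:b] for a, b in zip(cuts, cuts[1:]) if a < b]


# Constructed sample (not real botnet traffic): an 8-byte low-entropy header,
# 16 bytes standing in for an encrypted or compressed body, 8 padding bytes.
SAMPLE = (
    bytes.fromhex("0000000100000010")
    + bytes(range(0x80, 0x90))
    + b"A" * 8
)

if __name__ == "__main__":
    for field in segment(SAMPLE, window=4, threshold=1.75):
        print(len(field), field.hex())
```

With a 4-byte window the entropy can be at most 2 bits, so the threshold of 1.75 marks only windows whose four bytes all differ; a threshold set too low or a window set too wide merges the header into the body, which is the sensitivity the thesis addresses by tuning both parameters.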
Keywords/Search Tags: unknown botnet, generative adversarial network, BotFuzzer, communication payload, protocol specification, Bayesian optimization