Research on Botnet Controlled Host Detection Based on Netflow Abnormity

doi:10.3969/j.issn.1000-3428.2015.11.030

Abstract

Abstract: With extensive botnet arising as one of the major current network security threats,the automatic detection of botnet communication traffic is of high importance for Internet service providers and large corporation network monitoring.To solve the problem,this paper proposes a novel approach for botnet detection,a real-time botnet detection algorithm,where netflow related data is correlated as the host netflow graph structure and the host access chain structure,and a feature extraction method is leveraged for exacting implicit characteristics.Meanwhile,this paper establishes BotScanner detection system,which is a real-time steam processing engine.It trains BotScanner system on the four representative bot families and evaluates BotScanner on simulated network traffic and real-world network traffic.Experimental results show that BotScanner is able to detect bots in network traffic without the need of deep packet inspection,while still achieving high detection rates with very few false positives.When the netflow data from the core switch is very large,BotScanner is able to detect botnet in real-time by the efficient algorithm.It proves the feasibility of applying BotScanner system to botnet detection.

Key words: abnormity detection, botnet, netflow, real-time detection, malicious code

摘要： 大规模僵尸网络已成为当前互联网的主要威胁之一,僵尸网络流量自动检测技术对于互联网服务提供商和大型企业网监控非常重要。为此,提出一种基于网络流量异常的僵尸网络实时检测算法,通过将网络流量组织成主机网络流量图谱和主机关系链,并提取内在命令与控制通信特征检测僵尸网络,同时实现BotScanner检测系统。使用4个主流的僵尸恶意代码家族训练BotScanner,采用模拟网络流量和真实网络流量数据集进行测试。实验结果表明,在无需深度包解析的情况下,BotScanner僵尸网络检测系统能够获得较高的平均检测率和较低的误报率。在数据量较大的交换机上,BotScanner能够有效地进行实时检测,验证了提出算法用于僵尸网络检测方面的可行性。

关键词: 异常检测, 僵尸网络, 网络流量, 实时检测, 恶意代码

CLC Number:

TP309

BAI Tao,LIU Chenglong,QU Wu,WANG Zhen. Research on Botnet Controlled Host Detection Based on Netflow Abnormity[J]. Computer Engineering, doi: 10.3969/j.issn.1000-3428.2015.11.030.

白涛,刘成龙,曲武,王震. 基于网络流量异常的僵尸网络受控主机检测研究[J]. 计算机工程, doi: 10.3969/j.issn.1000-3428.2015.11.030.

/ / Recommend / Download Citations

URL: http://www.ecice06.com/EN/10.3969/j.issn.1000-3428.2015.11.030

http://www.ecice06.com/EN/Y2015/V41/I11/170

References

参考文献［1］Bacher P,Holz T,Kotter M,et al.Know Your Enemy:Tracking Botnets［EB/OL］.(2005-03-14).http://www.honeynet.org/papers/bots. ［2］诸葛建伟,韩心慧,周勇林,等.僵尸网络研究［J］.软件学报,2008,19(3):702-715. ［3］Gu Guofei,Porras P,Yegneswaran V,et al.BotHunter:Detecting Malware Infection Through IDS-driven Dialog Correlation［C］//Proceedings of the 16th Usenix Security Symposium.Berlin,Germany:Springer,2007:167-182. ［4］Goebel J,Holz T.Rishi:Identify Bot Contaminated Hosts by IRC Nickname Evaluation［C］//Proceedings of the 1st Conference on Hot Topics in Understanding Botnets.Berlin,Germany:Springer,2007:1-8. ［5］Binkley J R,Singh S.An Algorithm for Anomaly-based Botnet Detection［C］//Proceedings of USENIX Steps to Reducing Unwanted Traffic on the Internet Workshop.Berlin,Germany:Springer,2006:43-48. ［6］Wurzinger P,Bilge L,Holz T,et al.Automatically Generating Models for Botnet Detection［C］//Proceedings of the 14th European Symposium on Research in Computer Security.Saint-Malo,France:［s.n.］,2009:232-249. ［7］Perdisci R,Lee W,Feamster N.Behavioral Clustering of HTTP-based Malware and Signature Generation Using Malicious Network Traces［C］//Proceedings of Con-ference on Networked System Design and Implement- ation.Berlin,Germany:Springer,2010:391-404. ［8］Giroire F,Chandrashekar J,Taft N,et al.Exploiting Tem-poral Persistence to Detect Covert Botnet Channels［C］//Proceedings of the 12th International Symposium on Book Subtitle.Saint-Malo,France:［s.n.］,2009:326-345. ［9］Gu Guofei,Zhang Junjie,Lee W.BotSniffer:Detecting Botnet Command and Control Channels in Network Traffic［C］//Proceedings of the 16th Annual Network&Distributed System Security Symposium.Berlin,Ger-many:Springer,2008:1-18. ［10］Gu Guofei,Perdisci R,Zhang Junjie,et al.BotMiner:Clustering Analysis of Network Traffic for Protocol-and Structure-independent Botnet Detection［C］//Pro-ceedings of USENIX Security Symposium.［S.l.］:Academic Search Press,2008:139-154. ［11］Yen Tingfang,Reiter M K.Traffic Aggregation for Malware Detection［M］//Holz T,Bos H.Detection of Intrusions and Malware,and Vulnerability Assessment.Berlin,Germany:Springer,2008:207-227. ［12］Strayer W T,Walsh R,Livadas C,et al.Detecting Botnets with Tight Command and Control［C］//Proceedings of the 31st IEEE Conference on Local Computer Networks.Washington D.C.,USA:IEEE Press,2006:195-202. ［13］Nagaraja S,Mittal P,Hong Chi-Yao,et al.BotGrep:Finding P2P Bots with Structured Graph Analysis［C］//Proceedings of USENIX Security Symposium.［S.l.］:Academic Search Press,2010:95-110. ［14］Franois J,Wang Shaonan,Engel T.BotTrack:Tracking Botnets Using NetFlow and PageRank［C］//Proceedings of the 10th International IFIP TC 6 Networking Conference.Berlin,Germany:Springer,2011:1-14. ［15］Tegeler F,Fu Xiaoming,Vigna G,et al.Botfinder:Finding Bots in Network Traffic Without Deep Packet Inspection［C］//Proceedings of the 8th International Conference on Emerging Networking Experiments and Technologies.New York,USA:ACM Press,2012:349-360. ［16］Coskun B,Dietrich S,Memon N.Friends of an Enemy:Identifying Local Members of Peer-to-Peer Botnets Using Mutual Contacts［C］//Proceedings of the 26th Annual Computer Security Applications Conference.New York,USA:ACM Press,2010:131 -140. ［17］Kheir N,Wolley C.BotSuer:Suing Stealthy P2P Bots in Network Traffic Through Netflow Analysis［C］//Proceedings of the 12th International Conference on Cryptology and Network Security.Berlin,Germany:Springer,2013:162-178. ［18］Fan Yuhui,Xu Ning.A P2P Botnet Detection Method Used On-line Monitoring and Off-line Detection［J］.International Journal of Security and Its Applications,2014,8(3). ［19］Amini P,Azmi R,Araghizadeh M A.Botnet Detection using NetFlow and Clustering［J］.International Journal on Advances in Computer Science,2014,3(2):139-149. ［20］Garg S,Sarje A K,Peddoju S K.Improved Detection of P2P Botnets Through Network Behavior Analysis［C］//Proceedings of the 2nd International Conference on Security in Computer Networks and Distributed Systems.Berlin,Germany:Springer,2014:334-345. ［21］Vania J,Meniya A,Jethva H B.A Review on Botnet and Detection Technique［J］.International Journal of Computer Trends and Technology,2013,4(1):23-29. ［22］Wang Xiaogang,Qiu Weiliang,Zamar R H.CLUES:A Non-parametric Clustering Method Based on Local Shrinking［J］.Computational Statistics&Data Analysis,2007,52(1):286-298. 编辑顾逸斐

[1]	GE Xin, ZOU Futai, GUO Wanda, TAN Yue, LI Linsen. Review on Development of Social Botnets [J]. Computer Engineering, 2022, 48(8): 12-24.
[2]	CHEN Jiajie, PENG Bozhuang, WU Peize. Malicious Code Detection Method Based on Dynamic Behavior and Machine Learning [J]. Computer Engineering, 2021, 47(3): 166-173.
[3]	JIANG Jianyong, WU Yun, LONG Huiyun, HUANG Zimeng, LAN Lin. CenterNet-Based Real-Time Pedestrian Detection Model [J]. Computer Engineering, 2021, 47(10): 276-282.
[4]	HE Gaofeng, SI Yongrui, XU Bingfeng. Research on Malicious Encrypted Traffic Annotation Method for Android Mobile Application [J]. Computer Engineering, 2020, 46(7): 116-121,128.
[5]	HU Bin, ZHOU Zhihong, YAO Lihong, LI Jianhua. Malicious Traffic Detection Combining Features of Packet Payload and Stream Fingerprint [J]. Computer Engineering, 2020, 46(11): 157-163.
[6]	WU Tao, WANG Weibin, YU Li, XIE Beimin, YIN Weiwei, WANG Hongyu. Insulator Defect Detection Method for Lightweight YOLOV3 [J]. Computer Engineering, 2019, 45(8): 275-280.
[7]	LI Aocheng,WANG Zheng. Analysis of DNS Anomalous Behaviors Based on Fast-Flux [J]. Computer Engineering, 2018, 44(12): 184-189,195.
[8]	LI Dawei. Design of Universal Botnet Experimental Platform [J]. Computer Engineering, 2018, 44(11): 123-128.
[9]	CHEN Ruidong,ZHAO Lingyuan,ZHANG Xiaosong. Botnet Identification Technology Based on Fuzzy Clustering [J]. Computer Engineering, 2018, 44(10): 46-50.
[10]	ZUO Xiaojun,DONG Limian,QU Wu. Fast-Flux Botnet Detection Method Based on Domain Name System Traffic [J]. Computer Engineering, 2017, 43(9): 185-193.
[11]	LI Jing,YAO Yiyang,LU Xindai,QIAO Yong. Large-scale Malicious P2P Botnet Node Detection Technology Based on Challenge Strategy [J]. Computer Engineering, 2016, 42(10): 158-163.
[12]	SHAO Xiu-li, JIANG Hong-ling, GENG Mei-jie, LI Yao-fang. Botnet Detection Based on Correlation Relation and MapReduce [J]. Computer Engineering, 2014, 40(5): 115-119.
[13]	HAN Yi, JIANG Jian-guo, QIU Xin-liang, MA Xin-jian, ZHAO Shuang. Design and Implementation of Malware Detection Platform Based on Cloud Computing [J]. Computer Engineering, 2014, 40(4): 26-31.
[14]	BIAN Genqing,GONG Peijiao,SHAO Bilin. Detection Method of Malicious Code Model Clustering Based on K-L Divergence [J]. Computer Engineering, 2014, 40(12): 104-107,113.
[15]	CHENG Shuping,TAN Liang. Dynamic Detection Model in Botnet Based on Network Traffic [J]. Computer Engineering, 2014, 40(11): 106-112.

Please choose a citation manager

Content to export