Abstract: Botnet detection methods that rely on prior knowledge, such as signature matching and protocol-specific analysis, cannot detect new or mutated botnets. To address this, this paper proposes a dynamic botnet detection model based on network traffic. The model clusters communication traffic and then performs correlation analysis to identify similar communication and malicious behaviour patterns among bots. It has three dynamic characteristics: its feature library is updated, its detection model is generated dynamically, and it can handle traffic from different botnets. Its detection architecture is independent of the protocol in use and of any prior knowledge of the botnet. Experimental results verify the effectiveness and accuracy of the model.
Keywords:
network security,
Botnet,
malicious code,
network traffic,
dynamic detection
CLC number:
CHENG Shuping, TAN Liang. Dynamic Detection Model in Botnet Based on Network Traffic [J]. Computer Engineering.