CN102130920A - Botnet discovery method and system thereof - Google Patents


Info

Publication number: CN102130920A
Authority: CN (China)
Prior art keywords: botnet, signature (feature code), module, network packet, behaviour feature
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN2011100980152A
Other languages: Chinese (zh)
Inventor: 曾金全
Current assignee: CHENGDU TIDU TECHNOLOGY CO LTD (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: CHENGDU TIDU TECHNOLOGY CO LTD

Abstract

The invention discloses a botnet discovery method and a botnet discovery system, which belong to the field of information security and aim to solve the problems of low universality and low adaptability of the prior art. The botnet discovery method comprises the following steps of: identifying network data packets adopting a botnet bearer protocol for communication; performing feature matching with botnet feature codes in a botnet feature code library; performing botnet behavior feature detection on unsuccessfully matched network data packets; calculating a botnet scale, and generating a topological botnet structure; and adding extracted botnet feature codes into the botnet feature library. The discovery system comprises a botnet bearer protocol identification module, a botnet feature code matching module, a botnet behavior feature identification module, a botnet feature code extraction module and a botnet generation module. By the method and the system, known and new unknown botnets can be effectively detected, and the entire botnet information can be acquired; therefore, the method and the system are favorable for generating an overall defense policy for the botnet.

Description

Botnet discovery method and system thereof
Technical field
The present invention relates to the field of information security, and specifically to a botnet discovery method and system.
Background technology
Compared with traditional malicious code (such as computer viruses, worms and Trojan horses), a botnet uses multiple communication means to infect a large number of hosts with bot programs, thereby forming a one-to-many control network between the controller and the infected hosts. This one-to-many control relationship lets an attacker command a large amount of resources at extremely low cost, which makes botnets an ideal platform for launching large-scale attacks. Using the botnet under its control, the attacker can launch large-scale network attacks such as distributed denial-of-service (DDoS) attacks and mass spam sending, and can at the same time harvest sensitive information from the controlled hosts, such as bank account passwords, seriously threatening the security of the information systems of individuals, enterprises and institutions.
In the face of the serious damage botnets cause to information systems, traditional computer virus detection techniques mainly perform malicious-code detection on individual hosts; they can remove only some bot programs and cannot obtain complete information about the whole botnet.
Chinese patent publication CN101404658 discloses a method whose principle is: first extract IRC protocol data from network packets; then match the protocol data against the signatures in a data-signature library to obtain the botnet packets; finally determine the control server, the zombie computers and the botnet-controlling computer within the same botnet. Its shortcomings are: it can detect only IRC-based botnets, so its generality is poor; and because detection is based on signatures it cannot detect variants of known botnets or new botnets, so its adaptability is poor.
Summary of the invention
The object of the invention is to address the defects of prior-art detection methods, which cannot obtain complete botnet information, can detect only one kind of botnet and cannot detect new, unknown botnets, by proposing a botnet discovery method and system. The method and system perform detection based on both botnet signatures and botnet behaviour features, can effectively detect known and new, unknown botnets, and can obtain complete botnet information, thereby helping to formulate an overall defence policy against the botnet.
To achieve the object of the invention, the following technical scheme is adopted:
A botnet discovery method comprises the step of capturing network packets and further comprises: a step of identifying network packets that communicate using a botnet carrier protocol; a step of matching the network packets that use a botnet carrier protocol against the botnet signatures in a botnet signature library; a step of performing botnet behaviour-feature detection on the network packets that were not successfully matched; a step of calculating the botnet scale and generating the botnet topology from the network packets that successfully matched a botnet signature in the library or that conform to a botnet behaviour feature; and a step of extracting botnet signatures from the network packets that conform to a botnet behaviour feature and adding the extracted signatures to the botnet signature library. The botnet carrier protocols include, but are not limited to, the IRC protocol, P2P protocols and the HTTP protocol.
Specifically, the method further comprises: a step of identifying zombie hosts from the network packets that successfully matched a botnet signature in the library or that conform to a botnet behaviour feature; a step of aggregating and analysing the computers identified as zombie hosts and generating a botnet statistical report; and a step of raising alarms or monitoring the zombie hosts according to the botnet statistical report.
The alarm step raises an alarm for each computer in the botnet statistical report and displays it on the monitoring console in a highlighted, flashing manner; the monitoring step keeps watch over the computers determined to be zombie hosts, observes their malicious botnet activity, and takes defensive measures against ongoing malicious botnet activity, including but not limited to cutting off the network connection and collecting network packets as evidence.
Specifically, the botnet behaviour-feature detection step comprises: setting a detection threshold S; setting a feature weight for each botnet behaviour; if some network data of a computer conforms to a botnet behaviour feature, setting that behaviour feature to 1 and multiplying it by the weight corresponding to that behaviour feature; and computing the sum T over all botnet behaviour features the computer conforms to; if T is greater than or equal to S, the computer is a zombie host, otherwise it is not.
The method of calculating the botnet scale: the number of IP addresses of network packets that successfully matched a botnet signature, plus the number of IP addresses of network packets that conform to a botnet behaviour feature, is the scale of the botnet in the network.
The botnet behaviours include, but are not limited to: command-and-control channel communication, sending spam, vulnerability scanning and launching denial-of-service attacks.
A botnet discovery system is characterised in that it comprises: a botnet carrier-protocol identification module, which identifies the communication protocol of the captured network packets and picks out the packets that use a botnet carrier protocol; a botnet signature library, which stores botnet signatures; a botnet signature matching module, which matches the network packets that use a botnet carrier protocol against the botnet signatures in the library to find the botnet communication packets; a botnet behaviour-feature identification module, which performs botnet behaviour-feature identification and detection on the packets that use a botnet carrier protocol but did not match any signature in the library; a botnet signature extraction module, which performs in-depth analysis of the packets judged to conform to a botnet behaviour feature, extracts botnet signatures and adds them to the botnet signature library; and a botnet generation module, which aggregates and analyses the computers identified as zombie hosts by the botnet signature matching module and the botnet behaviour-feature identification module and generates the botnet statistical report.
Preferably, the botnet discovery system of the invention further comprises a botnet alarm and monitoring module, which processes the botnet statistical report submitted by the botnet generation module in two respects:
1) it raises an alarm for each computer in the botnet statistical report and displays it on the monitoring console in a highlighted, flashing manner;
2) it keeps watch over the computers determined to be zombie hosts, monitors their malicious botnet activity, and takes defensive measures against ongoing malicious botnet activity, including but not limited to cutting off the network connection and collecting network packets as evidence.
The invention is a new botnet discovery method and system. Compared with traditional host-based botnet defence methods, or with methods based on one specific botnet carrier protocol (such as the IRC protocol), the present technique has the following advantages:
1. It can effectively obtain global information about the botnet
Traditional host-based botnet defence methods discover whether a bot program exists on a host and, if so, delete it; they cannot obtain the overall picture of the botnet. The invention analyses the captured network packets and thereby obtains global botnet information, so that an overall botnet defence policy can be formulated and defence is more efficient.
2. It can effectively detect unknown bot programs
Traditional host-based botnet defence methods detect mainly by bot-program signatures and are powerless against unknown bot programs or variants of known ones. The invention detects known botnets by signatures on the one hand and by botnet behaviour features on the other, so it can effectively detect unknown botnets and variants of known botnets.
3. Greater generality in discovering botnets
Traditional botnet discovery methods mainly discover IRC-based botnets and are powerless against botnets based on P2P or HTTP. The invention can effectively detect botnets based on IRC, P2P and HTTP, so its generality is greater.
4. It can effectively discover unknown botnets
Traditional IRC-based botnet discovery is signature-based and is powerless against unknown botnets or variants of known ones. The invention detects known botnets by signatures on the one hand and by botnet behaviour features on the other, so it can effectively detect unknown botnets and variants of known botnets.
5. Greater extensibility
Botnet technology is constantly developing and changing: traditional botnets used the IRC protocol as the carrier protocol, but P2P or HTTP are now more often used, and the continued evolution of carrier protocols and botnet behaviour features leaves traditional botnet defence techniques unable to cope. The invention can be extended effectively by adding new botnet carrier protocols and new botnet behaviour features, and so can adapt to new botnet technology.
Description of drawings
The invention will be illustrated by way of example with reference to the accompanying drawings, in which:
Fig. 1 is a flow chart of the botnet discovery method of the invention.
Fig. 2 is a schematic diagram of the botnet discovery system of the invention.
Fig. 3 is a schematic diagram of one deployment of the botnet discovery system provided by the invention.
Fig. 4 is a schematic diagram of another deployment of the botnet discovery system provided by the invention.
Embodiment
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.
Any feature disclosed in this specification (including any accompanying claims, abstract and drawings) may, unless specifically stated otherwise, be replaced by an alternative feature serving the same, equivalent or similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
Figs. 1 and 2 show the flow chart of the discovery method and the block diagram of the discovery system of the invention. The invention is further described below with reference to the drawings; the specific steps of the discovery method are as follows:
(1) Network packets are captured in real time and handed to the botnet carrier-protocol identification module 11, which identifies the communication protocol of each packet and picks out the packets that use a botnet carrier protocol, such as IRC, P2P or HTTP; these are handed to the botnet signature matching module 12 for processing, while other packets are not processed.
(2) The botnet signature matching module 12 performs signature matching using the botnet signatures in the botnet signature library 13. If the match succeeds, the packet is handed to the botnet generation module 14; otherwise it is handed to the botnet behaviour-feature identification module 15 for further identification.
(3) The botnet behaviour-feature identification module 15 performs botnet behaviour identification on the packet according to the botnet behaviour features. If identification succeeds, the packet is handed to the botnet generation module 14 and, at the same time, the botnet signature extraction module extracts a botnet signature from it and adds it to the botnet signature library 13; other packets are not processed.
(4) The botnet generation module 14 extracts the IP addresses from the network packets identified as zombie hosts by the botnet signature matching module 12 and the botnet behaviour-feature identification module 15, and builds the topology diagram of the whole botnet.
(5) The botnet alarm and monitoring module 17 raises alarms for the botnet generated by the botnet generation module 14, monitors the malicious attacker activity of the botnet, and takes corresponding defensive measures, such as cutting off the network connection and collecting network packets as evidence.
The invention implements its functions through the following functional modules:
1. Botnet carrier-protocol identification module 11: this module identifies the communication protocol of the captured network packets and picks out the packets that use a botnet carrier protocol, including the IRC protocol, P2P protocols and the HTTP protocol. Packets identified as using a botnet carrier protocol are handed to the botnet signature matching module 12 for processing; packets that do not use a botnet carrier protocol are not processed.
2. Botnet signature library 13: mainly used to store botnet signatures.
3. Botnet signature matching module 12: this module matches the packets identified as using a botnet carrier protocol against the botnet signatures in the previously built botnet signature library 13 to find the botnet communication packets. Depending on the result of the match, the packet is handed to a different processing module:
(1) If the packet successfully matches a signature in the botnet signature library 13, it is a botnet communication packet and is handed to the botnet generation module 14 for processing.
(2) If the packet does not match any signature in the botnet signature library 13, it is handed to the botnet behaviour-feature identification module 15 for processing.
4. Botnet behaviour-feature identification module 15: this module performs botnet behaviour-feature identification on the packets that use a botnet carrier protocol but did not match any signature in the botnet signature library 13. The main botnet behaviour features it detects are:
(1) command-and-control channel communication;
(2) sending spam;
(3) vulnerability scanning;
(4) launching denial-of-service attacks.
The botnet behaviour-feature detection can be described by equation (1), which is rendered as an image in the original and is not reproduced here. Its terms are as follows: the botnet behaviour features to be detected are command-and-control channel communication, sending spam, vulnerability scanning and launching denial-of-service attacks; n is the number of botnet behaviour features (n = 4); a behaviour feature takes the value 1 if it is detected and 0 otherwise; each behaviour feature has a weight. A botnet can exhibit several malicious behaviour features, and each contributes differently to the judgement of whether a host is a zombie host: command-and-control channel communication is the characteristic feature of a botnet, so its weight is higher, whereas sending spam, vulnerability scanning and launching denial-of-service attacks can also be exhibited by other malicious code, so their weights are lower. Assigning different weights to different botnet behaviour features effectively reduces the false-alarm rate. S is a preset detection threshold: if the weighted sum reaches or exceeds S, the host is a zombie host, otherwise it is not.
The detection method for a botnet behaviour feature is to build in advance a feature-code library for each botnet behaviour and then match the network packet against the feature codes in each behaviour's library; if the match succeeds, the packet conforms to that botnet behaviour feature, otherwise it does not.
Network packets judged to belong to a zombie host are handed to the botnet signature extraction module 16 and the botnet generation module for further processing.
5. Botnet signature extraction module 16: this module performs in-depth analysis of the packets judged to conform to a botnet behaviour feature, extracts botnet signatures and adds them to the botnet signature library. Extracting signatures from packets that conform to the behaviour features of an unknown botnet effectively improves the speed at which that botnet is discovered.
6. Botnet generation module 14: this module aggregates and analyses the computers identified as zombie hosts by the botnet signature matching module and the botnet behaviour-feature identification module, generates the botnet statistical report, and hands the report to the botnet alarm and monitoring module for processing.
7. Botnet alarm and monitoring module 17: this module processes the botnet statistical report submitted by the botnet generation module, mainly in two respects:
(1) It raises an alarm for each computer in the botnet statistical report and displays it on the monitoring console in a highlighted, flashing manner.
(2) It keeps watch over the computers determined to be zombie hosts, mainly monitoring their malicious botnet activity, such as sending spam, launching denial-of-service attacks and performing vulnerability scans, and takes effective defensive measures against ongoing malicious botnet activity, such as cutting off the network connection and collecting network packets as evidence.
Figs. 3 and 4 show specific deployments of the invention. The deployment position of the invention is a key network egress point, where inbound and outbound network packets are tapped by a bypass mirror and handed to the botnet discovery device for detection. Fig. 3 shows deployment at the Internet access point of an internal LAN, such as the gateway device through which an enterprise or institution's LAN accesses the Internet, to monitor the computers inside the LAN. Fig. 4 shows deployment at key Internet nodes, such as the access points of a telecom operator's provincial backbone nodes: a botnet discovery device is deployed at every key Internet node, and each device simultaneously sends the botnet information it discovers to a botnet alarm and monitoring analysis centre, achieving centralised monitoring of botnets across the whole network and thus enabling a more effective, overall botnet defence policy.
The invention is not limited to the embodiments described above. It extends to any new feature or any new combination of features disclosed in this specification, and to any new method or process step, or any new combination thereof, disclosed herein.
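The pipeline of steps (1) to (4) together with the weighted behaviour-feature test of equation (1), as an added worked example in Python that is not part of the patent and not the applicant's code. The protocol heuristics, behaviour feature codes, weights and threshold S are constructed assumptions, and the packets are constructed sample data; the example shows the feedback loop in which a signature extracted from a behaviour-detected packet lets the next identical packet match by signature.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Carrier-protocol identification (module 11).  The patent names IRC, P2P and HTTP;
# the port/prefix heuristic below is an assumption of this example, not the patent's.
def identify_protocol(dst_port: int, payload: bytes) -> str | None:
    if dst_port in (6667, 6697) or payload.startswith((b"NICK ", b"JOIN ", b"PRIVMSG ")):
        return "IRC"
    if dst_port in (80, 8080) or payload.startswith((b"GET ", b"POST ")):
        return "HTTP"
    if dst_port == 6881 or payload.startswith(b"d1:ad2:id20:"):  # BitTorrent-DHT-like
        return "P2P"
    return None

# Behaviour features (module 15) with weights and threshold S.  The numbers are
# constructed: the patent only states that C&C weighs most and that S is preset.
BEHAVIOUR_WEIGHTS = {"c2_channel": 0.6, "spam": 0.2, "vuln_scan": 0.15, "ddos": 0.15}
THRESHOLD_S = 0.6

# Per-behaviour feature-code library: constructed byte patterns for illustration only.
BEHAVIOUR_PATTERNS = {
    "c2_channel": [b"PRIVMSG #cmd :!", b".cmd "],
    "spam": [b"MAIL FROM:", b"RCPT TO:"],
    "vuln_scan": [b"/cgi-bin/", b"../../"],
    "ddos": [b"!ddos ", b"!syn "],
}

def behaviour_score(payload: bytes) -> tuple[float, set[str]]:
    """Equation (1): T = sum over behaviours of weight * indicator, where the
    indicator is 1 when any feature code of that behaviour occurs in the payload."""
    hits = {b for b, pats in BEHAVIOUR_PATTERNS.items() if any(p in payload for p in pats)}
    return round(sum(BEHAVIOUR_WEIGHTS[b] for b in hits), 6), hits

def extract_signature(payload: bytes, hits: set[str], tail: int = 8) -> bytes:
    """Module 16, simplified: the highest-weighted matched behaviour pattern plus the
    bytes that follow it becomes the new signature for the signature library."""
    best = max(hits, key=BEHAVIOUR_WEIGHTS.__getitem__)
    pattern = next(p for p in BEHAVIOUR_PATTERNS[best] if p in payload)
    start = payload.index(pattern)
    return payload[start:start + len(pattern) + tail]

@dataclass
class BotnetDetector:
    signatures: set[bytes]                          # signature library (module 13)
    by_signature: set[str] = field(default_factory=set)
    by_behaviour: set[str] = field(default_factory=set)
    topology: dict[str, set[str]] = field(default_factory=dict)  # controller -> bots

    def process(self, src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> str:
        """Run one packet through steps (1) to (4); return how it was classified."""
        if identify_protocol(dst_port, payload) is None:
            return "ignored"                        # not a carrier protocol: not examined
        if any(sig in payload for sig in self.signatures):
            self.by_signature.add(src_ip)           # module 12: known signature
            self._link(dst_ip, src_ip)
            return "signature"
        score, hits = behaviour_score(payload)
        if score >= THRESHOLD_S:                    # module 15: T >= S
            self.by_behaviour.add(src_ip)
            self._link(dst_ip, src_ip)
            self.signatures.add(extract_signature(payload, hits))  # feed the library
            return "behaviour"
        return "benign"

    def _link(self, controller: str, bot: str) -> None:
        """Module 14: record the controller-to-bot edge of the botnet topology."""
        self.topology.setdefault(controller, set()).add(bot)

    def scale(self) -> int:
        """Claim 8: signature-matched IP count plus behaviour-matched IP count.
        A host seen both ways is counted twice here, exactly as the claim states."""
        return len(self.by_signature) + len(self.by_behaviour)

# Constructed packet stream: (src_ip, dst_ip, dst_port, payload).
SAMPLE_PACKETS = [
    ("10.0.0.5", "203.0.113.7", 6667, b"JOIN #botz"),
    ("10.0.0.6", "203.0.113.7", 6667, b"PRIVMSG #cmd :!ddos 198.51.100.9 80"),
    ("10.0.0.7", "203.0.113.7", 6667, b"PRIVMSG #cmd :!ddos 198.51.100.9 443"),
    ("10.0.0.8", "192.0.2.10", 25, b"MAIL FROM:<x@example.invalid>"),  # SMTP: not a carrier protocol
    ("10.0.0.9", "198.51.100.3", 80, b"GET /cgi-bin/test HTTP/1.1\r\n"),  # one weak feature only
]

def run_sample() -> tuple[list[str], int, dict[str, set[str]]]:
    det = BotnetDetector(signatures={b"JOIN #botz"})   # one constructed known signature
    verdicts = [det.process(*pkt) for pkt in SAMPLE_PACKETS]
    return verdicts, det.scale(), det.topology

if __name__ == "__main__":
    verdicts, n, topo = run_sample()
    print(verdicts)        # ['signature', 'behaviour', 'signature', 'ignored', 'benign']
    print("scale:", n)     # 3
    print(topo)
```

The fourth packet illustrates a limitation of the carrier-protocol gate: spam carried over SMTP is never examined, because only packets on IRC, P2P or HTTP reach the signature and behaviour stages.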

Claims (11)

1. A botnet discovery method comprising the step of capturing network packets, characterised in that it further comprises:
a step of identifying network packets that communicate using a botnet carrier protocol;
a step of matching the network packets that use a botnet carrier protocol against the botnet signatures in a botnet signature library;
a step of performing botnet behaviour-feature detection on the network packets that were not successfully matched;
a step of calculating the botnet scale and generating the botnet topology from the network packets that successfully matched a botnet signature in the library or that conform to a botnet behaviour feature;
a step of extracting botnet signatures from the network packets that conform to a botnet behaviour feature and adding the extracted signatures to the botnet signature library.
2. The botnet discovery method according to claim 1, characterised in that it further comprises: a step of identifying zombie hosts from the network packets that successfully matched a botnet signature in the library or that conform to a botnet behaviour feature.
3. The botnet identification method according to claim 2, characterised in that it further comprises:
a step of aggregating and analysing the computers identified as zombie hosts and generating a botnet statistical report;
a step of raising alarms or monitoring the zombie hosts according to the botnet statistical report.
4. The botnet identification method according to claim 3, characterised in that the alarm raises an alarm for each computer in the botnet statistical report and displays it on the monitoring console in a highlighted, flashing manner; and the monitoring keeps watch over the computers determined to be zombie hosts, monitors their malicious botnet activity, and takes defensive measures against ongoing malicious botnet activity.
5. The botnet identification method according to claim 4, characterised in that the defensive measures include, but are not limited to, cutting off the network connection and collecting network packets as evidence.
6. The botnet discovery method according to claim 1, characterised in that the network carrier protocol includes, but is not limited to, the IRC protocol, P2P protocols and the HTTP protocol.
7. The botnet discovery method according to claim 1, characterised in that the botnet behaviour-feature detection step comprises:
setting a detection threshold S;
setting a feature weight for each botnet behaviour;
if some network data of a computer conforms to a botnet behaviour feature, setting that behaviour feature to 1 and multiplying it by the weight corresponding to that behaviour feature;
computing the sum T over all botnet behaviour features the computer conforms to; if T is greater than or equal to S, the computer is a zombie host, otherwise it is not.
8. The botnet discovery method according to claim 1, characterised in that the botnet scale is calculated as follows: the number of IP addresses of network packets that successfully matched a botnet signature, plus the number of IP addresses of network packets that conform to a botnet behaviour feature, is the scale of the botnet in the network.
9. The botnet discovery method according to claim 1, 2, 7 or 8, characterised in that the botnet behaviours include, but are not limited to: command-and-control channel communication, sending spam, vulnerability scanning and launching denial-of-service attacks.
10. A botnet discovery system, characterised in that it comprises:
a botnet carrier-protocol identification module (11), which identifies the communication protocol of the captured network packets and picks out the packets that use a botnet carrier protocol;
a botnet signature library (13), which stores botnet signatures;
a botnet signature matching module (12), which matches the network packets that use a botnet carrier protocol against the botnet signatures in the library to find the botnet communication packets;
a botnet behaviour-feature identification module (15), which performs botnet behaviour-feature identification and detection on the packets that use a botnet carrier protocol but did not match any signature in the library;
a botnet signature extraction module (16), which performs in-depth analysis of the packets judged to conform to a botnet behaviour feature, extracts botnet signatures and adds them to the botnet signature library;
a botnet generation module (14), which aggregates and analyses the computers identified as zombie hosts by the botnet signature matching module and the botnet behaviour-feature identification module and generates the botnet statistical report.
11. The botnet discovery system according to claim 10, characterised in that it further comprises a botnet alarm and monitoring module (17), which processes the botnet statistical report submitted by the botnet generation module in two respects:
1) it raises an alarm for each computer in the botnet statistical report and displays it on the monitoring console in a highlighted, flashing manner;
2) it keeps watch over the computers determined to be zombie hosts, monitors their malicious botnet activity, and takes defensive measures against ongoing malicious botnet activity, including but not limited to cutting off the network connection and collecting network packets as evidence.
Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN2011100980152A (CN102130920A) 2011-04-19 2011-04-19 Botnet discovery method and system thereof Pending

Publications (1)

Publication Number Publication Date
CN102130920A 2011-07-20

Family

ID=44268808

Country Status (1)

Country Link
CN (1) CN102130920A (en)

Citations (3)

\* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101404658A (en) * | 2008-10-31 | 2009-04-08 | 北京锐安科技有限公司 | Method and system for detecting bot network |
| CN101651579A (en) * | 2009-09-15 | 2010-02-17 | 成都市华为赛门铁克科技有限公司 | Method and gateway device for identifying Botnet |
| WO2010037955A1 (en) * | 2008-09-30 | 2010-04-08 | France Telecom | Method for characterising entities at the origin of fluctuations in a network traffic |

Non-Patent Citations (4)

\* Cited by examiner, † Cited by third party

| Title |
|---|
| 苏云琳: "Analysis and Design of a Botnet Detection System", China Excellent Master's Theses Electronic Journal (www.cmfd.cnki.net), 31 March 2011 (2011-03-31), pages 51-52, 1-11 * |
| 李晓桢 et al.: "Botnet Identification System Based on Cluster Analysis", Computer Systems & Applications, 31 August 2009 (2009-08-31), pages 131-134 * |
| 苏云琳: "Analysis and Design of a Botnet Detection System", China Excellent Master's Theses Electronic Journal (www.cmfd.cnki.net), 31 March 2011 (2011-03-31), pages 51-52 * |
| 蔡隽 et al.: "Research on IRC-Based Botnets and Detection Schemes", Journal of Zhongyuan University of Technology, vol. 19, no. 1, 29 February 2008 (2008-02-29), pages 48-50 * |

Cited By (16)

\* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102333313A (en) * | 2011-10-18 | 2012-01-25 | 中国科学院计算技术研究所 | Feature code generation method and detection method of mobile botnet |
| CN102571487B (en) * | 2011-12-20 | 2014-05-07 | 东南大学 | Distributed bot network scale measuring and tracking method based on multiple data sources |
| CN102571487A (en) * | 2011-12-20 | 2012-07-11 | 东南大学 | Distributed bot network scale measuring and tracking method based on multiple data sources |
| CN102546298A (en) * | 2012-01-06 | 2012-07-04 | 北京大学 | Botnet family detection method based on active probing |
| CN102546298B (en) * | 2012-01-06 | 2015-03-04 | 北京大学 | Botnet family detection method based on active probing |
| CN102571796A (en) * | 2012-01-13 | 2012-07-11 | 电子科技大学 | Protection method and protection system for zombie Trojans in mobile Internet |
| CN102571796B (en) * | 2012-01-13 | 2014-07-16 | 电子科技大学 | Protection method and protection system for zombie Trojans in mobile Internet |
| CN102932373A (en) * | 2012-11-22 | 2013-02-13 | 北京荣之联科技股份有限公司 | Zombie network detection method and device |
| CN102932373B (en) * | 2012-11-22 | 2014-12-17 | 北京荣之联科技股份有限公司 | Zombie network detection method and device |
| CN102970309A (en) * | 2012-12-25 | 2013-03-13 | 苏州山石网络有限公司 | Detection method, detection device and firewall for zombie host |
| CN102970309B (en) * | 2012-12-25 | 2016-12-28 | 山石网科通信技术有限公司 | Detection method, detection device and firewall for zombie host |
| CN103152356A (en) * | 2013-03-20 | 2013-06-12 | 北京奇虎科技有限公司 | Method, server and system for detecting safety of file sample |
| CN103152356B (en) * | 2013-03-20 | 2016-05-25 | 北京奇虎科技有限公司 | Method, server and system for detecting safety of file sample |
| CN103795591B (en) * | 2014-01-16 | 2017-08-01 | 北京天融信软件有限公司 | Botnet analysis method and device |
| CN109698814A (en) * | 2017-10-23 | 2019-04-30 | 中国电信股份有限公司 | Botnet discovery method and botnet discovery device |
| CN109698814B (en) * | 2017-10-23 | 2021-06-15 | 中国电信股份有限公司 | Botnet discovery method and botnet discovery device |

Similar Documents

| Publication | Title |
|---|---|
| US10721243B2 (en) | Apparatus, system and method for identifying and mitigating malicious network threats |
| CN102130920A (en) | Botnet discovery method and system thereof |
| Borkar et al. | A survey on Intrusion Detection System (IDS) and Internal Intrusion Detection and protection system (IIDPS) |
| KR101070614B1 (en) | Malicious traffic isolation system using botnet information and malicious traffic isolation method using botnet information |
| Bilge et al. | Disclosure: detecting botnet command and control servers through large-scale netflow analysis |
| KR100942456B1 (en) | Method for detecting and protecting DDoS attack by using cloud computing and server thereof |
| CN103297433B (en) | HTTP botnet detection method and system based on network data flow |
| Dabbagh et al. | Slow port scanning detection |
| CN104168272A (en) | Trojan horse detection method based on communication behavior clustering |
| CN104135474B (en) | Host-based network anomalous behavior detection method using out-degree and in-degree |
| CN106992955A (en) | APT firewalls |
| Kavitha et al. | Anomaly based intrusion detection in WLAN using discrimination algorithm combined with naïve Bayesian classifier |
| Tsai et al. | Early warning system for DDoS attacking based on multilayer deployment of time delay neural network |
| Umamaheswari et al. | Honeypot TB-IDS: trace back model based intrusion detection system using knowledge based honeypot construction model |
| KR101210622B1 (en) | Method for detecting IP shared router and system thereof |
| Mohan et al. | Complex event processing based hybrid intrusion detection system |
| Das et al. | Flood control: TCP-SYN flood detection for software-defined networks using OpenFlow port statistics |
| Sukhni et al. | A systematic analysis for botnet detection using genetic algorithm |
| Lu et al. | Botnets detection based on IRC-community |
| Seo et al. | Abnormal behavior detection to identify infected systems using the APChain algorithm and behavioral profiling |
| CN114978663A (en) | Internet security service system based on behavior camouflage |
| CN115987531A (en) | Intranet safety protection system and method based on dynamic deception parallel network |
| Khodadadi et al. | Ichnaea: Effective P2P botnet detection approach based on analysis of network flows |
| Hamdani et al. | Detection of DDoS attacks in cloud computing environment |
| Wattanapongsakorn et al. | A network-based internet worm intrusion detection and prevention system |

Legal Events

| Code | Title |
|---|---|
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| C12 | Rejection of a patent application after its publication |
| RJ01 | Rejection of invention patent application after publication |

Application publication date: 20110720