CN110149331B - P2P botnet detection method, device and medium - Google Patents


Info

Publication number
CN110149331B
Authority
CN
China
Prior art keywords
characteristic value
botnet
network
neural network
traffic data
Legal status
Active
Application number
CN201910429292.3A
Other languages
Chinese (zh)
Other versions
CN110149331A (en)
Inventor
宋元章
王俊杰
陈媛
王安邦
李洪雨
Current Assignee
Changchun Institute of Optics Fine Mechanics and Physics of CAS
Original Assignee
Changchun Institute of Optics Fine Mechanics and Physics of CAS
Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/04 Architecture, e.g. interconnection topology > G06N3/044 Recurrent networks, e.g. Hopfield networks
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 > H04L2463/144 Detection or countermeasures against botnets
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network > H04L67/104 Peer-to-peer [P2P] networks

Abstract

Embodiments of the invention disclose a method, a device and a medium for detecting a P2P botnet. Normal network traffic data and abnormal network traffic data are acquired; a time domain characteristic value, a frequency domain characteristic value and a connectivity characteristic value of the network traffic data are calculated; and an initial BP neural network is trained with the time domain characteristic value, the frequency domain characteristic value, the connectivity characteristic value and the corresponding P2P botnet outbreak result as sample data, to obtain a BP neural network that meets the accuracy requirement. The network traffic data to be detected is then processed with the BP neural network, and the P2P botnet outbreak result corresponding to the network traffic data to be detected is determined. When a P2P botnet breaks out, the characteristics of the network traffic data change; training the BP neural network on the characteristic values of the network traffic data therefore improves the accuracy with which the BP neural network detects a P2P botnet outbreak.

Description

P2P botnet detection method, device and medium
Technical Field
The invention relates to the technical field of computer security, in particular to a method, a device and a medium for detecting P2P botnet based on multidimensional characteristics and a BP neural network.
Background
A botnet is a cluster of malicious hosts. By means of secondary injection, an attacker can change the payload of a bot node, and so can change the type of attack finally launched very conveniently and rapidly, for example to a distributed denial of service attack, phishing or spam. Novel P2P botnets build their Command and Control (C&C) mechanism on the decentralized structure of a P2P network; because this structure has no control center, single points of failure are effectively avoided and robustness and reliability are stronger.
Research on the analysis and detection of P2P botnets is currently on the rise. Most detection methods start from specific, detailed characteristics of a P2P botnet and do not analyze or characterize the macroscopic characteristics of network traffic in sufficient depth. When a novel P2P botnet appears whose network structure, protocol or attack type differs from those of existing P2P botnets, such P2P botnet detection has a high miss rate (false negatives).
How to improve the accuracy of botnet detection is therefore an urgent problem for those skilled in the art.
Disclosure of Invention
Embodiments of the invention aim to provide a method, a device and a medium for detecting a P2P botnet based on multidimensional characteristics and a BP neural network, which can improve the accuracy of botnet detection.
To solve the above technical problem, an embodiment of the invention provides a P2P botnet detection method based on multidimensional characteristics and a BP neural network, including:
acquiring network traffic data, the network traffic data including normal network traffic data under a normal network environment and abnormal network traffic data under a P2P botnet network environment;
calculating a time domain characteristic value, a frequency domain characteristic value and a connectivity characteristic value of the network traffic data;
training an initial BP neural network with the time domain characteristic value, the frequency domain characteristic value, the connectivity characteristic value and the corresponding P2P botnet outbreak result as sample data, to obtain a BP neural network meeting the accuracy requirement; and
processing the network traffic data to be detected with the BP neural network, and determining the P2P botnet outbreak result corresponding to the network traffic data to be detected.
Optionally, calculating the time domain characteristic value, the frequency domain characteristic value and the connectivity characteristic value of the network traffic data includes:
calculating the Hurst exponent and the Hölder exponent of the network traffic data using fractal theory, and taking the Hurst exponent and the Hölder exponent as the time domain characteristic values;
calculating the power spectral density of a single time window of the network traffic data, calculating the relative entropy between the power spectral densities of two adjacent time windows, and taking the relative entropy as the frequency domain characteristic value;
taking the source IP address and the destination IP address of the network traffic data as a 2-tuple, calculating the information entropy of the 2-tuple, and taking the information entropy as the connectivity characteristic value.
Optionally, processing the network traffic data to be detected with the BP neural network and determining the corresponding P2P botnet outbreak result includes:
calculating the time domain characteristic value, the frequency domain characteristic value and the connectivity characteristic value of the network traffic data to be detected;
inputting the time domain characteristic value, the frequency domain characteristic value and the connectivity characteristic value into the BP neural network to obtain an output result for the P2P botnet outbreak corresponding to the network traffic data to be detected; and
determining the P2P botnet outbreak result corresponding to the output result according to a preset decision rule.
Optionally, the BP neural network has two outputs;
correspondingly, determining the P2P botnet outbreak result corresponding to the output result according to the preset decision rule includes:
normalizing the output result, and judging whether the normalized output result R = (r1, r2) satisfies r1 > r2 and r1 ≥ 0.5;
when the output result R = (r1, r2) satisfies r1 > r2 and r1 ≥ 0.5, outputting the result that the P2P botnet has not broken out;
when the output result R = (r1, r2) does not satisfy r1 > r2 and r1 ≥ 0.5, judging whether the output result satisfies r2 > r1 and r2 ≥ 0.5;
if so, outputting the result that the P2P botnet has broken out;
if not, outputting a prompt message that a P2P botnet outbreak cannot be judged.
Optionally, training the initial BP neural network with the time domain characteristic value, the frequency domain characteristic value, the connectivity characteristic value and the corresponding P2P botnet outbreak result as sample data, to obtain a BP neural network meeting the accuracy requirement, includes:
taking the time domain characteristic value, the frequency domain characteristic value, the connectivity characteristic value and the P2P botnet outbreak result corresponding to them as sample data, and dividing the sample data into a training sample set and a test sample set;
training the initial BP neural network with the training sample set to obtain a trained BP neural network;
inputting a target test sample into the BP neural network to obtain an output result, the target test sample being any test sample in the test sample set that has not yet been tested;
converting the output result into a target P2P botnet outbreak result according to the preset decision rule;
determining whether the target P2P botnet outbreak result is consistent with the P2P botnet outbreak result of the test sample;
if not, returning to the step of training the initial BP neural network with the training sample set to obtain a trained BP neural network;
if so, selecting an untested test sample from the test sample set as the target test sample and returning to the step of inputting the target test sample into the BP neural network to obtain an output result, until all test samples in the test sample set have been tested, whereupon the BP neural network is taken as the BP neural network meeting the accuracy requirement.
An embodiment of the invention also provides a P2P botnet detection device based on multidimensional characteristics and a BP neural network, including an acquisition unit, a characteristic value calculation unit, a training unit and a processing unit;
the acquisition unit is configured to acquire network traffic data, the network traffic data including normal network traffic data under a normal network environment and abnormal network traffic data under a P2P botnet network environment;
the characteristic value calculation unit is configured to calculate a time domain characteristic value, a frequency domain characteristic value and a connectivity characteristic value of the network traffic data;
the training unit is configured to train an initial BP neural network with the time domain characteristic value, the frequency domain characteristic value, the connectivity characteristic value and the corresponding P2P botnet outbreak result as sample data, to obtain a BP neural network meeting the accuracy requirement; and
the processing unit is configured to process the network traffic data to be detected with the BP neural network and determine the P2P botnet outbreak result corresponding to the network traffic data to be detected.
Optionally, the characteristic value calculation unit includes a time domain characteristic value calculation subunit, a frequency domain characteristic value calculation subunit and a connectivity characteristic value calculation subunit;
the time domain characteristic value calculation subunit is configured to calculate the Hurst exponent and the Hölder exponent of the network traffic data using fractal theory, and to take the Hurst exponent and the Hölder exponent as the time domain characteristic values;
the frequency domain characteristic value calculation subunit is configured to calculate the power spectral density of a single time window of the network traffic data, to calculate the relative entropy between the power spectral densities of two adjacent time windows, and to take the relative entropy as the frequency domain characteristic value;
the connectivity characteristic value calculation subunit is configured to take the source IP address and the destination IP address of the network traffic data as a 2-tuple, to calculate the information entropy of the 2-tuple, and to take the information entropy as the connectivity characteristic value.
Optionally, the processing unit includes a calculation subunit, an output subunit and a determination subunit;
the calculation subunit is configured to calculate the time domain characteristic value, the frequency domain characteristic value and the connectivity characteristic value of the network traffic data to be detected;
the output subunit is configured to input the time domain characteristic value, the frequency domain characteristic value and the connectivity characteristic value into the BP neural network, to obtain an output result for the P2P botnet outbreak corresponding to the network traffic data to be detected;
the determination subunit is configured to determine, according to a preset decision rule, the P2P botnet outbreak result corresponding to the output result.
Optionally, the BP neural network has two outputs;
correspondingly, the determination subunit is specifically configured to normalize the output result and judge whether the normalized output result R = (r1, r2) satisfies r1 > r2 and r1 ≥ 0.5; when the output result R = (r1, r2) satisfies r1 > r2 and r1 ≥ 0.5, to output the result that the P2P botnet has not broken out; when the output result R = (r1, r2) does not satisfy r1 > r2 and r1 ≥ 0.5, to judge whether the output result satisfies r2 > r1 and r2 ≥ 0.5; if so, to output the result that the P2P botnet has broken out; and if not, to output a prompt message that a P2P botnet outbreak cannot be judged.
Optionally, the training unit includes a division subunit, a training subunit, a test subunit, a judgment subunit and a selection subunit;
the division subunit is configured to take the time domain characteristic value, the frequency domain characteristic value, the connectivity characteristic value and the P2P botnet outbreak result corresponding to them as sample data, and to divide the sample data into a training sample set and a test sample set;
the training subunit is configured to train the initial BP neural network with the training sample set to obtain a trained BP neural network;
the test subunit is configured to input a target test sample into the BP neural network to obtain an output result, the target test sample being any test sample in the test sample set that has not yet been tested;
the judgment subunit is configured to convert the output result into a target P2P botnet outbreak result according to the preset decision rule, to determine whether the target P2P botnet outbreak result is consistent with the P2P botnet outbreak result of the test sample, to return to the training subunit if not, and to trigger the selection subunit if so; and
the selection subunit is configured to select an untested test sample from the test sample set as the target test sample and return to the test subunit, until all test samples in the test sample set have been tested, whereupon the BP neural network is taken as the BP neural network meeting the accuracy requirement.
An embodiment of the invention also provides a P2P botnet detection device based on multidimensional characteristics and a BP neural network, including:
a memory for storing a computer program; and
a processor for executing the computer program to implement the steps of the above P2P botnet detection method based on multidimensional characteristics and a BP neural network.
An embodiment of the invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above P2P botnet detection method based on multidimensional characteristics and a BP neural network.
According to the above technical solution, network traffic data is acquired, including normal network traffic data in a normal network environment and abnormal network traffic data in a P2P botnet network environment; the time domain characteristic value, the frequency domain characteristic value and the connectivity characteristic value of the network traffic data are calculated; and the initial BP neural network is trained with these characteristic values and the corresponding P2P botnet outbreak result as sample data, to obtain the BP neural network meeting the accuracy requirement. When a P2P botnet breaks out, the characteristics of the network traffic data change: the time domain characteristics are reflected by the self-similarity and local singularity of the network traffic data, the frequency domain characteristics by its power spectral density, and the connectivity characteristics by the information entropy of its 2-tuples. Because the BP neural network is trained on characteristic values of several different kinds, its accuracy in detecting a P2P botnet outbreak is effectively improved. When the network environment of network traffic data to be detected needs to be analyzed, the BP neural network can process that data and determine the corresponding P2P botnet outbreak result, and the predicted outbreak result has higher accuracy.
Drawings
In order to illustrate the embodiments of the present invention more clearly, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a P2P botnet detection method based on multidimensional characteristics and a BP neural network according to an embodiment of the present invention;
Fig. 2 is a logic block diagram of performing P2P botnet detection on network traffic data to be detected with a trained BP neural network according to an embodiment of the present invention;
Fig. 3 is an overall flowchart of performing P2P botnet detection on network traffic data to be detected with a trained BP neural network according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a P2P botnet detection device based on multidimensional characteristics and a BP neural network according to an embodiment of the present invention;
Fig. 5 is a schematic hardware structure diagram of a P2P botnet detection device based on multidimensional characteristics and a BP neural network according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without any creative work belong to the protection scope of the present invention.
In order that those skilled in the art will better understand the disclosure, the invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Next, a P2P botnet detection method based on multidimensional features and a BP neural network according to an embodiment of the present invention will be described in detail. Fig. 1 is a flowchart of a P2P botnet detection method based on multidimensional features and a BP neural network according to an embodiment of the present invention, where the method includes:
S101: Acquire network traffic data.
In the embodiment of the invention, the acquired network traffic data includes normal network traffic data in a normal network environment and abnormal network traffic data in a P2P botnet network environment.
S102: Calculate the time domain characteristic value, the frequency domain characteristic value and the connectivity characteristic value of the network traffic data.
The characteristic values of the network traffic data are closely related to whether a P2P botnet has broken out. In the embodiment of the invention, the BP neural network is trained on the time domain characteristic value, the frequency domain characteristic value and the connectivity characteristic value calculated from the network traffic data.
In a specific implementation, the time domain characteristic values of the network traffic data may be represented by the Hurst exponent and the Hölder exponent. In practice, the self-similarity of the network traffic data is measured by the Hurst exponent from fractal theory, denoted Ftime1, with value range [0, 1]; the local singularity of the network traffic data is measured by the Hölder exponent from fractal theory, denoted Ftime2, with value range [0, 1]. When a P2P botnet breaks out, the self-similarity of the network traffic weakens and its local singularity strengthens.
The frequency domain characteristic value of the network traffic data may be represented by the relative entropy of the power spectral density: the power spectral density of a single time window of the network traffic data is calculated, the relative entropy between the power spectral densities of two adjacent time windows is calculated from them, and the relative entropy is taken as the frequency domain characteristic value. In practice, the power spectral density (PSD) of the current time window is calculated first, then the relative entropy between the PSDs of the two adjacent time windows; this relative entropy is taken as the frequency domain characteristic value and measures the periodicity of the network traffic data. So that every characteristic value uses a uniform standard representation, the relative entropy of the power spectral density is normalized, and the result is denoted Ffrequency, with value range [0, 1]. When a P2P botnet breaks out, the network traffic appears more periodic.
The connectivity characteristic value of the network traffic data may be represented by the information entropy of a 2-tuple: the source IP address and the destination IP address of the network traffic data are taken as a 2-tuple and the information entropy of the 2-tuple is calculated; the information entropy is taken as the connectivity characteristic value. In practice, the connectivity of the network traffic data is measured by the information entropy of the 2-tuple. The definition of the 2-tuple is
The information entropy of the 2-tuple is calculated and normalized, and is denoted Flink, with value range [0, 1]. When a P2P botnet breaks out, the network traffic may show more apparent connectivity.
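The three characteristic values described above can be computed from a packets-per-second series and a window of flow records. The following Python is an example added for this page; it is not code from the patent or its inventors. The Hurst exponent is estimated by rescaled-range (R/S) analysis (one common estimator; the patent does not say which it uses), the Hölder exponent Ftime2 is omitted, the PSD relative entropy is the Kullback-Leibler divergence between periodograms computed with a plain DFT, and both the 1 - exp(-d) squashing of that divergence and the division of the 2-tuple entropy by log2(number of flows) are assumptions made so that the values land in [0, 1]. The traffic series, the two windows and the flow records are constructed sample inputs.

```python
import math
import random
from collections import Counter


# --- Time domain: Hurst exponent by rescaled-range (R/S) analysis -----------
def hurst_rs(series):
    """Least-squares slope of log(R/S) against log(n) over dyadic sub-series
    lengths n = 8, 16, 32, ...; clipped to [0, 1] as the patent's Ftime1."""
    n = len(series)
    log_n, log_rs = [], []
    size = 8
    while size <= n // 2:
        rs_values = []
        for start in range(0, n - size + 1, size):
            chunk = series[start:start + size]
            mean = sum(chunk) / size
            dev = [v - mean for v in chunk]
            std = math.sqrt(sum(d * d for d in dev) / size)
            if std == 0:                      # flat chunk: no range information
                continue
            running, cum = [], 0.0
            for d in dev:                     # cumulative deviation from the mean
                cum += d
                running.append(cum)
            rs_values.append((max(running) - min(running)) / std)
        if rs_values:
            log_n.append(math.log(size))
            log_rs.append(math.log(sum(rs_values) / len(rs_values)))
        size *= 2
    if len(log_n) < 2:
        raise ValueError("series too short for an R/S estimate")
    mx, my = sum(log_n) / len(log_n), sum(log_rs) / len(log_rs)
    slope = (sum((x - mx) * (y - my) for x, y in zip(log_n, log_rs))
             / sum((x - mx) ** 2 for x in log_n))
    return min(1.0, max(0.0, slope))


# --- Frequency domain: relative entropy between adjacent-window PSDs ---------
def periodogram(window):
    """PSD estimate of one window via an O(n^2) DFT; mean removed so the DC
    bin does not dominate the distribution."""
    n = len(window)
    mean = sum(window) / n
    x = [v - mean for v in window]
    psd = []
    for k in range(n // 2 + 1):
        re = sum(v * math.cos(2 * math.pi * k * t / n) for t, v in enumerate(x))
        im = sum(v * math.sin(2 * math.pi * k * t / n) for t, v in enumerate(x))
        psd.append((re * re + im * im) / n)
    return psd


def psd_relative_entropy(prev_window, cur_window, eps=1e-12):
    """KL divergence D(P_cur || P_prev) between the two windows' PSDs, each
    normalised to a probability distribution; eps avoids log(0)."""
    p = [v + eps for v in periodogram(cur_window)]
    q = [v + eps for v in periodogram(prev_window)]
    sp, sq = sum(p), sum(q)
    return sum((a / sp) * math.log((a / sp) / (b / sq)) for a, b in zip(p, q))


def normalise_divergence(d):
    """Assumed mapping of a non-negative divergence into [0, 1] (Ffrequency)."""
    return 1.0 - math.exp(-d)


# --- Connectivity: information entropy of the (src_ip, dst_ip) 2-tuple -------
def link_entropy(flows):
    """Shannon entropy of the 2-tuple distribution divided by log2(#flows),
    so the result lies in [0, 1] (Flink); the divisor is an assumption."""
    pairs = Counter((f["src"], f["dst"]) for f in flows)
    total = sum(pairs.values())
    if total <= 1:
        return 0.0
    h = -sum(c / total * math.log2(c / total) for c in pairs.values())
    return h / math.log2(total)


# Constructed sample input (not from the patent): 256 s of packets/second,
# one strongly periodic 32 s window, one noise-like window, four flows.
_rng = random.Random(7)
SAMPLE_SERIES = [50 + _rng.gauss(0, 5) for _ in range(256)]
WINDOW_A = [50 + 10 * math.sin(2 * math.pi * 4 * t / 32) for t in range(32)]
WINDOW_B = [50 + _rng.gauss(0, 5) for _ in range(32)]
SAMPLE_FLOWS = [{"src": "10.0.0.1", "dst": "10.0.0.2"},
                {"src": "10.0.0.1", "dst": "10.0.0.3"},
                {"src": "10.0.0.4", "dst": "10.0.0.2"},
                {"src": "10.0.0.5", "dst": "10.0.0.6"}]


def feature_vector(series, prev_window, cur_window, flows):
    """[Ftime1, Ffrequency, Flink] for one observation (Ftime2 omitted)."""
    return [hurst_rs(series),
            normalise_divergence(psd_relative_entropy(prev_window, cur_window)),
            link_entropy(flows)]


if __name__ == "__main__":
    print(feature_vector(SAMPLE_SERIES, WINDOW_A, WINDOW_B, SAMPLE_FLOWS))
```

The divergence is zero only when the two windows have identical spectra, and the 2-tuple entropy is 1.0 only when every flow in the window uses a distinct source/destination pair; how these directions line up with an outbreak is what the trained network has to learn from labelled data.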
The embodiment of the invention focuses on anomalies common to P2P botnets and describes the multidimensional characteristics of network traffic with the time domain characteristic value, the frequency domain characteristic value and the connectivity characteristic value. These characteristics do not depend on the network type, topology or attack type of the P2P botnet, so a certain detection accuracy is still ensured when a novel botnet different from conventional P2P botnets appears.
S103: Train the initial BP neural network with the time domain characteristic value, the frequency domain characteristic value, the connectivity characteristic value and the corresponding P2P botnet outbreak result as sample data, to obtain the BP neural network meeting the accuracy requirement.
The embodiment of the invention focuses on the time domain, frequency domain and connectivity characteristics of the network traffic; it does not need to analyze or inspect packet contents, so detection still works when the P2P botnet encrypts its packets. The embodiment uses a BP neural network, which has strong classification capability.
In the embodiment of the invention, the P2P botnet outbreak result corresponding to each characteristic value under a normal network environment can be represented by (1, 0), that is, (1, 0) represents that the P2P botnet has not broken out. The P2P botnet outbreak result corresponding to each characteristic value under a P2P botnet network environment can be represented by (0, 1), that is, (0, 1) represents a P2P botnet outbreak.
A corresponding decision criterion is defined on the output result of the BP neural network, so that whether a P2P botnet outbreak is occurring in the current network environment can be judged more accurately.
The format of the sample data is shown in Table 1a:
Data type | Ftime1 | Ftime2 | Ffrequency | Flink | R
Value     |        |        |            |       | (r1, r2)
TABLE 1a
Taking the format shown in Table 1a as an example, the format of the sample data corresponding to normal network traffic data is shown in Table 1b:
Data type | Ftime1 | Ftime2 | Ffrequency | Flink | R
Value     |        |        |            |       | (1, 0)
TABLE 1b
Taking the format shown in Table 1a as an example, the format of the sample data corresponding to abnormal network traffic data in a P2P botnet network environment is shown in Table 1c:
Data type | Ftime1 | Ftime2 | Ffrequency | Flink | R
Value     |        |        |            |       | (0, 1)
TABLE 1c
In the embodiment of the invention, each network complexity characteristic and the corresponding P2P botnet outbreak result can be used as sample data, and the sample data is divided into a training sample set and a test sample set. The initial BP neural network is trained with the training sample set to obtain the trained BP neural network. The specific training process is as follows:
(1) Divide the sample data into a training sample set and a test sample set.
Without loss of generality, 70% of the sample data is selected at random as the training sample set and the remaining 30% as the test sample set.
(2) Determine the topology and parameter configuration.
Topology:
① Input layer: 1 layer, 4 nodes.
② Hidden layer: 1 layer; the number of nodes is determined from empirical formula (1) combined with the learning and training results, where i is the number of input-layer nodes, o is the number of output-layer nodes, and a is an integer in the interval [1, 10].
[Formula (1) appears only as an image in the original and is not reproduced here.]
③ Output layer: 1 layer, 2 nodes.
Parameter configuration (the activation function and learning algorithm of the BP neural network):
The Sigmoid function is selected as the activation function, and the Levenberg-Marquardt algorithm is selected as the learning algorithm.
(3) Determine the decision criterion for judging, from the output of the BP neural network, whether the P2P botnet has broken out.
Let the output of the BP neural network be R = (r1, r2), and normalize R so that r1 and r2 each have value range [0, 1]. The decision criterion is as follows:
if r1 > r2 and r1 ≥ 0.5, the detection result is that the P2P botnet has not broken out;
if r2 > r1 and r2 ≥ 0.5, the detection result is a P2P botnet outbreak;
otherwise, the detection result is "cannot judge".
(4) And training the BP neural network by utilizing the training sample set.
(5) And testing the BP neural network by using the test sample set.
(6) And inputting the characteristic data of the test sample into the BP neural network to obtain an output result of the BP neural network.
Inputting the test sample into the trained probabilistic neural network, verifying whether the P2P botnet detection result given by the BP neural network is consistent with the real situation of the test sample, if so, selecting the next test sample for processing, otherwise, determining that the test is not passed, modifying the parameter configuration, and then re-training and testing. If the detection results of the current BP neural network for all the test samples in the test sample set are consistent with the real situation, the test is considered to be passed, and the BP neural network can be used for the subsequent P2P botnet detection.
(7) And according to a decision criterion, obtaining a P2P botnet detection result corresponding to the test sample according to the output result of the neural network.
(8) Comparing the detection result of the detection P2P botnet with the actual result of the test sample, and if the two results are consistent, the test sample passes the test; otherwise, the test sample fails the test.
(9) If all the test samples pass the test, the training of the BP neural network is finished, and the BP neural network can be used for detecting P2P botnet; otherwise, the parameter configuration is modified and then the training and the testing are carried out again.
The sample data is divided into a training sample set and a testing sample set. And training the initial BP neural network by utilizing the training sample set to obtain the trained BP neural network. And then inputting the test sample into the trained BP neural network, verifying whether the P2P botnet detection result given by the BP neural network is consistent with the real situation of the test sample, if so, selecting the next test sample for processing, otherwise, determining that the test is failed, modifying the parameter configuration, and then re-training and testing. If the detection results of the current BP neural network for all the test samples in the test sample set are consistent with the real conditions, the test is considered to be passed, and the BP neural network is the BP neural network meeting the accuracy requirement and can be used for subsequent P2P botnet detection.
S104: and processing the network traffic data to be detected by using the BP neural network, and determining a P2P botnet explosion result corresponding to the network traffic data to be detected.
In the embodiment of the invention, the characteristic value of the network traffic data is used as sample data for training, so that when the network environment of the network traffic data to be detected needs to be analyzed, the network traffic data to be detected needs to be input into the BP neural network in the form of the characteristic value.
Specifically, the time domain characteristic value, the frequency domain characteristic value and the communication characteristic value of the network traffic data to be detected may be calculated, and the calculation mode may refer to the calculation mode of the characteristic value in S102, which is not described herein again.
And inputting the time domain characteristic value, the frequency domain characteristic value and the communication characteristic value into the BP neural network, so as to obtain an output result of P2P botnet outbreak corresponding to the network traffic data to be detected. As described above, the output result takes the form R = (r1, r2), so once the output result is obtained, the P2P botnet outbreak result corresponding to the output result can be determined according to a preset decision rule.
Decision rules are used to represent the relationship between the output result and the P2P botnet outbreak result. In a specific implementation, the output result may be normalized, and it is judged whether the normalized output result R = (r1, r2) satisfies r1 > r2 and r1 ≥ 0.5; when the output result R = (r1, r2) satisfies r1 > r2 and r1 ≥ 0.5, the output result is that the P2P botnet has not broken out; when the output result R = (r1, r2) does not satisfy r1 > r2 and r1 ≥ 0.5, it is judged whether the output result satisfies r2 > r1 and r2 ≥ 0.5. When the output result satisfies r2 > r1 and r2 ≥ 0.5, the output result is a P2P botnet outbreak;
when the normalized output result R = (r1, r2) satisfies neither r1 > r2 with r1 ≥ 0.5 nor r2 > r1 with r2 ≥ 0.5, a prompt message that the P2P botnet outbreak cannot be judged is output.
In the embodiment of the present invention, the numbers "0" and "1" in the training process of the BP neural network indicate the P2P botnet outbreak result, and accordingly the output result R = (r1, r2) of the BP neural network, after normalization, has r1 and r2 in the range of 0 to 1.
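As an added example that is not part of the patent, the decision rule above together with the accept/reject test loop of steps (5) to (9), in Python; the trained network is stood in for by a hand-weighted Sigmoid unit, the feature vectors and labels are constructed, and clipping is assumed as the normalization (all assumptions, not the patent's data).

```python
"""Added example (not code from the patent): the decision rule for the
two-output BP network and the accept/reject test loop of steps (5) to (9).
The trained network is replaced by a hand-weighted stand-in, and the test
samples are constructed; both are assumptions, not data from the patent."""
import math
from typing import Callable, List, Sequence, Tuple

NO_OUTBREAK = "P2P botnet has not broken out"
OUTBREAK = "P2P botnet outbreak"
UNDECIDED = "unable to judge"

Features = Sequence[float]      # (Hurst, Holder, PSD relative entropy, pair entropy)
Sample = Tuple[Features, str]   # feature vector and its true outbreak result


def normalize(raw: Sequence[float]) -> Tuple[float, float]:
    """Bring the raw output pair into [0, 1]. Assumption: clipping is used;
    with the Sigmoid output layer named in the description the values are
    already in (0, 1), so clipping only guards against other activations."""
    r1, r2 = (min(1.0, max(0.0, float(v))) for v in raw)
    return r1, r2


def decide(raw: Sequence[float]) -> str:
    """Apply the preset decision rule to one network output R = (r1, r2)."""
    r1, r2 = normalize(raw)
    if r1 > r2 and r1 >= 0.5:
        return NO_OUTBREAK
    if r2 > r1 and r2 >= 0.5:
        return OUTBREAK
    return UNDECIDED   # neither output is both dominant and >= 0.5


def acceptance_test(predict: Callable[[Features], Sequence[float]],
                    test_set: Sequence[Sample]) -> Tuple[bool, int]:
    """Return (passed, index of the first failing sample or -1). The network
    is accepted only if every test sample's decision matches its label; the
    first mismatch sends the process back to training with new parameters."""
    for i, (features, label) in enumerate(test_set):
        if decide(predict(features)) != label:
            return False, i
    return True, -1


def toy_predict(features: Features) -> Tuple[float, float]:
    """Stand-in for the trained BP network (assumption: one Sigmoid unit with
    hand-set weights). r2 is the 'outbreak' output, r1 its complement."""
    weights = (-2.0, -1.0, 3.0, 2.5)
    bias = -2.0
    z = sum(w * x for w, x in zip(weights, features)) + bias
    r2 = 1.0 / (1.0 + math.exp(-z))
    return (1.0 - r2, r2)


# Constructed test samples: feature vectors in the order listed above.
TEST_SET: List[Sample] = [
    ((0.7, 0.3, 0.1, 0.6), NO_OUTBREAK),
    ((0.9, 0.5, 0.8, 1.2), OUTBREAK),
    ((0.8, 0.4, 0.3, 0.8), NO_OUTBREAK),
    ((0.6, 0.6, 1.0, 1.0), OUTBREAK),
]
# One constructed sample the stand-in gets wrong, to show the reject path.
FAILING_SET: List[Sample] = TEST_SET + [((0.5, 0.5, 0.5, 0.5), OUTBREAK)]


if __name__ == "__main__":
    print("accept:", acceptance_test(toy_predict, TEST_SET))     # (True, -1)
    print("reject:", acceptance_test(toy_predict, FAILING_SET))  # (False, 4)
```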
Taking the time domain characteristic value, the frequency domain characteristic value and the connectivity characteristic value as the training data described above as an example, fig. 2 shows the logic of performing P2P botnet detection on network traffic data to be detected with the trained BP neural network. When the network traffic data to be detected is obtained, its time domain characteristic value, frequency domain characteristic value and connectivity characteristic value are calculated and fed as input data into the trained BP neural network, which yields an output result for P2P botnet outbreak. Because the output layer has two outputs during the training of the BP neural network, in order to let a manager obtain the P2P botnet outbreak result directly, the output result is converted, according to the set decision rule, into a P2P botnet outbreak result that a user can recognize directly. In fig. 2, "botnet" indicates that a P2P botnet outbreak has occurred, and "normal" indicates a normal network environment, i.e., no P2P botnet outbreak.
It should be noted that, after the BP neural network meeting the accuracy requirement is obtained according to the operations of S101 to S103 in the embodiment of the present invention, when the P2P botnet outbreak detection is subsequently performed on the network environment where the network traffic data to be detected is located, the BP neural network may be directly used to analyze and process the network traffic data to be detected, and there is no need to repeatedly train the BP neural network.
In the above description, a training process and an application process of the BP neural network are separately explained, as shown in fig. 3, an overall flowchart for performing P2P botnet detection on network data traffic to be detected by using the trained BP neural network provided in the embodiment of the present invention is shown, where the test pass in fig. 3 indicates that all test samples pass through, and at this time, the BP neural network meets the requirement of accuracy, and can be used to implement P2P botnet detection.
According to the technical scheme, the network flow data are obtained; the network traffic data comprises normal network traffic data in a normal network environment and abnormal network traffic data in a P2P botnet network environment; calculating a time domain characteristic value, a frequency domain characteristic value and a communication characteristic value of the network traffic data; and training the initial BP neural network by taking the time domain characteristic value, the frequency domain characteristic value, the communication characteristic value and the corresponding P2P botnet burst result as sample data to obtain the BP neural network meeting the accuracy requirement. When P2P botnet bursts, the characteristics of the network traffic data are changed, and the time domain characteristics of the network traffic data are reflected by using the self-similarity and local singularity of the network traffic data; reflecting the frequency domain characteristics of the network traffic data by using the power spectral density of the network traffic data; and reflecting the connection characteristics of the network traffic data by using the information entropy of the binary group of the network traffic data. By training the BP neural network according to the characteristic feature values of the network traffic data, the accuracy of the BP neural network in detecting P2P botnet outbreak is effectively improved. When the network environment of the network traffic data to be detected needs to be analyzed, the BP neural network can be used for processing the network traffic data to be detected, so that a P2P botnet outbreak result corresponding to the network traffic data to be detected is determined, and the predicted outbreak result has higher accuracy.
Fig. 4 is a schematic structural diagram of a P2P botnet detection device based on multidimensional feature and BP neural network according to an embodiment of the present invention, which includes an obtaining unit 41, a feature value calculating unit 42, a training unit 43, and a processing unit 44;
an obtaining unit 41, configured to obtain network traffic data; the network traffic data comprises normal network traffic data in a normal network environment and abnormal network traffic data in a P2P botnet network environment;
a feature value calculating unit 42, configured to calculate a time domain feature value, a frequency domain feature value, and a communication feature value of the network traffic data;
a training unit 43, configured to train the initial BP neural network by using the time domain characteristic value, the frequency domain characteristic value, the connected characteristic value, and the P2P botnet burst result corresponding to the time domain characteristic value, the frequency domain characteristic value, and the connected characteristic value as sample data, so as to obtain a BP neural network meeting the accuracy requirement;
and the processing unit 44 is configured to process the network traffic data to be detected by using the BP neural network, and determine a P2P botnet explosion result corresponding to the network traffic data to be detected.
Optionally, the eigenvalue calculation unit includes a time domain eigenvalue operator unit, a frequency domain eigenvalue operator unit, and a connected eigenvalue operator unit;
the time domain characteristic value calculating operator unit is used for calculating the Hurst index and the Holder index of the network flow data by utilizing a fractal theory; taking the Hurst index and the Holder index as time domain characteristic values;
the frequency domain characteristic value operator unit is used for calculating the power spectral density of a single time window in the network flow data; calculating the relative entropy of the power spectral densities of two adjacent time windows according to the power spectral densities; taking the relative entropy as a frequency domain characteristic value;
the system comprises a connected characteristic value computing operator unit, a characteristic value calculating unit and a characteristic value calculating unit, wherein the connected characteristic value computing operator unit is used for taking a source IP address and a destination IP address of network flow data as a binary group and calculating the information entropy of the binary group; and taking the information entropy as a connected characteristic value.
Optionally, the processing unit includes a calculating subunit, an outputting subunit and a determining subunit;
the calculating subunit is used for calculating a time domain characteristic value, a frequency domain characteristic value and a communication characteristic value of the network traffic data to be detected;
the output subunit is used for inputting the time domain characteristic value, the frequency domain characteristic value and the communication characteristic value into a BP neural network so as to obtain an output result of P2P botnet outbreak corresponding to the network traffic data to be detected;
and the determining subunit is used for determining the P2P botnet explosion result corresponding to the output result according to a preset decision rule.
Optionally, the BP neural network includes two outputs;
correspondingly, the determining subunit is specifically configured to normalize the output result and judge whether the normalized output result R = (r1, r2) satisfies r1 > r2 and r1 ≥ 0.5; when the output result R = (r1, r2) satisfies r1 > r2 and r1 ≥ 0.5, output the result that the P2P botnet has not broken out; when the output result R = (r1, r2) does not satisfy r1 > r2 and r1 ≥ 0.5, judge whether the output result satisfies r2 > r1 and r2 ≥ 0.5; if yes, output the result of P2P botnet outbreak; if not, output the prompt message that the P2P botnet outbreak cannot be judged.
Optionally, the training unit includes a dividing subunit, a training subunit, a testing subunit, a judging subunit and a selecting subunit;
the dividing subunit is used for taking the time domain characteristic value, the frequency domain characteristic value, the communication characteristic value and the corresponding P2P botnet explosion result as sample data, and dividing the sample data into a training sample set and a test sample set;
the training subunit is used for training the initial BP neural network by utilizing a training sample set to obtain a trained BP neural network;
the test subunit is used for inputting the target test sample into the BP neural network to obtain an output result; the target test sample is any one of the test samples in the test sample set which are not tested;
the judgment subunit is used for converting the output result into a target P2P botnet explosion result according to a preset decision rule; judging whether the target P2P botnet burst result is consistent with the P2P botnet burst result of the test sample; if not, returning to the training subunit; if yes, triggering and selecting the subunit;
and the selecting subunit is used for selecting an untested test sample from the test sample set as a target test sample, returning to the testing subunit, and taking the BP neural network as the BP neural network meeting the accuracy requirement until all the test samples in the test sample set are tested.
For the description of the features in the embodiment corresponding to fig. 4, reference may be made to the related description of the embodiments corresponding to fig. 1 to fig. 3, which is not repeated here.
Fig. 5 is a schematic hardware structure diagram of a P2P botnet detection apparatus 50 based on multidimensional features and a BP neural network according to an embodiment of the present invention, including:
a memory 51 for storing a computer program;
a processor 52 for executing a computer program to implement the steps of the above-mentioned P2P botnet detection method based on multidimensional feature and BP neural network.
The embodiment of the invention also provides a computer readable storage medium, a computer program is stored on the computer readable storage medium, and when being executed by a processor, the computer program realizes the steps of the above P2P botnet detection method based on the multidimensional feature and the BP neural network.
The method, the device and the medium for detecting the P2P botnet based on the multidimensional feature and the BP neural network provided by the embodiment of the invention are described in detail above. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

Claims (10)

1. A P2P botnet detection method based on multi-dimensional features and a BP neural network is characterized by comprising the following steps:
acquiring network flow data; the network traffic data comprises normal network traffic data under a normal network environment and abnormal network traffic data under a P2P botnet network environment;
calculating a time domain characteristic value, a frequency domain characteristic value and a communication characteristic value of the network traffic data; the time domain characteristic value of the network flow data comprises a Hurst index and a Holder index; the frequency domain characteristic values of the network traffic data comprise relative entropy of power spectral density; the communication characteristic value of the network traffic data comprises information entropy of a binary group; the binary group comprises a source IP address and a destination IP address of the network flow data;
training an initial BP neural network by taking the time domain characteristic value, the frequency domain characteristic value, the communication characteristic value and a corresponding P2P botnet explosion result as sample data to obtain the BP neural network meeting the requirement of accuracy rate;
and processing the network traffic data to be detected by using the BP neural network, and determining a P2P botnet outbreak result corresponding to the network traffic data to be detected.
2. The method of claim 1, wherein the calculating the time domain eigenvalues, the frequency domain eigenvalues and the connectivity eigenvalues of the network traffic data comprises:
calculating the Hurst index and the Holder index of the network flow data by utilizing a fractal theory; taking the Hurst index and the Holder index as time domain characteristic values;
calculating a power spectral density of a single time window in the network traffic data; calculating the relative entropy of the power spectral densities of two adjacent time windows according to the power spectral densities; taking the relative entropy as a frequency domain characteristic value;
taking the source IP address and the destination IP address of the network flow data as a binary group, and calculating the information entropy of the binary group; and taking the information entropy as a connected characteristic value.
3. The method according to claim 1, wherein the processing the network traffic data to be detected by using the BP neural network, and determining the P2P botnet explosion result corresponding to the network traffic data to be detected comprises:
calculating a time domain characteristic value, a frequency domain characteristic value and a communication characteristic value of the network traffic data to be detected;
inputting the time domain characteristic value, the frequency domain characteristic value and the communication characteristic value into the BP neural network to obtain an output result of P2P botnet outbreak corresponding to the network traffic data to be detected;
and determining a P2P botnet explosion result corresponding to the output result according to a preset decision rule.
4. The method of claim 3, wherein the BP neural network comprises two outputs;
correspondingly, the determining, according to a preset decision rule, the P2P botnet burst result corresponding to the output result includes:
normalizing the output result, and judging whether the normalized output result R = (r1, r2) satisfies r1 > r2 and r1 ≥ 0.5;
when the output result R = (r1, r2) satisfies r1 > r2 and r1 ≥ 0.5, outputting the result that the P2P botnet has not broken out;
when the output result R = (r1, r2) does not satisfy r1 > r2 and r1 ≥ 0.5, judging whether the output result satisfies r2 > r1 and r2 ≥ 0.5;
If yes, outputting the result of P2P botnet explosion;
if not, the prompt message that the P2P botnet explosion cannot be judged is output.
5. The method according to any one of claims 1 to 4, wherein the training an initial BP neural network by using the time domain characteristic value, the frequency domain characteristic value, the connected characteristic value and a corresponding P2P botnet burst result as sample data to obtain a BP neural network meeting an accuracy requirement comprises:
taking the time domain characteristic value, the frequency domain characteristic value, the connected characteristic value and a P2P botnet explosion result corresponding to the connected characteristic value as sample data, and dividing the sample data into a training sample set and a test sample set;
training the initial BP neural network by using the training sample set to obtain a trained BP neural network;
inputting a target test sample into the BP neural network to obtain an output result; the target test sample is any one of the test samples in the test sample set which are not tested;
converting the output result into a target P2P botnet explosion result according to a preset decision rule;
determining whether the target P2P botnet burst result is consistent with the P2P botnet burst result of the test sample;
if not, returning to the step of training the initial BP neural network by using the training sample set to obtain a trained BP neural network;
if so, selecting an untested test sample from the test sample set as a target test sample, returning to the step of inputting the target test sample into the BP neural network to obtain an output result, and taking the BP neural network as the BP neural network meeting the accuracy requirement until all the test samples in the test sample set are tested.
6. A P2P botnet detection device based on multi-dimensional features and a BP neural network is characterized by comprising an acquisition unit, a feature value calculation unit, a training unit and a processing unit;
the acquiring unit is used for acquiring network flow data; the network traffic data comprises normal network traffic data under a normal network environment and abnormal network traffic data under a P2P botnet network environment;
the characteristic value calculating unit is used for calculating a time domain characteristic value, a frequency domain characteristic value and a communication characteristic value of the network traffic data; the time domain characteristic value of the network flow data comprises a Hurst index and a Holder index; the frequency domain characteristic values of the network traffic data comprise relative entropy of power spectral density; the communication characteristic value of the network traffic data comprises information entropy of a binary group; the binary group comprises a source IP address and a destination IP address of the network flow data;
the training unit is used for training an initial BP neural network by taking the time domain characteristic value, the frequency domain characteristic value, the connection characteristic value and a corresponding P2P botnet explosion result as sample data to obtain the BP neural network meeting the accuracy requirement;
and the processing unit is used for processing the network traffic data to be detected by using the BP neural network and determining a P2P botnet explosion result corresponding to the network traffic data to be detected.
7. The apparatus according to claim 6, wherein the eigenvalue calculation unit comprises a time domain eigenvalue operator unit, a frequency domain eigenvalue operator unit, and a connected eigenvalue operator unit;
the time domain characteristic value operator unit is used for calculating the Hurst index and the Holder index of the network flow data by utilizing a fractal theory; taking the Hurst index and the Holder index as time domain characteristic values;
the frequency domain characteristic value operator unit is used for calculating the power spectral density of a single time window in the network flow data; calculating the relative entropy of the power spectral densities of two adjacent time windows according to the power spectral densities; taking the relative entropy as a frequency domain characteristic value;
the connected characteristic value operator unit is used for taking a source IP address and a destination IP address of the network flow data as a binary group and calculating the information entropy of the binary group; and taking the information entropy as a connected characteristic value.
8. The apparatus of claim 6, wherein the processing unit comprises a computation subunit, an output subunit, and a determination subunit;
the calculating subunit is configured to calculate a time domain characteristic value, a frequency domain characteristic value, and a communication characteristic value of the to-be-detected network traffic data;
the output subunit is configured to input the time domain characteristic value, the frequency domain characteristic value, and the communication characteristic value into the BP neural network, so as to obtain an output result of P2P botnet outbreak corresponding to the network traffic data to be detected;
the determining subunit is configured to determine, according to a preset decision rule, a P2P botnet explosion result corresponding to the output result.
9. A P2P botnet detection device based on multi-dimensional features and BP neural network, characterized by comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the multi-dimensional feature and BP neural network based P2P botnet detection method according to any one of claims 1 to 5.
10. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the multidimensional feature and BP neural network based P2P botnet detection method according to any one of claims 1 to 5.
CN201910429292.3A 2019-05-22 2019-05-22 P2P botnet detection method, device and medium Active CN110149331B (en)

Publications (2)

Publication Number Publication Date
CN110149331A CN110149331A (en) 2019-08-20
CN110149331B true CN110149331B (en) 2021-07-06




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant