CN117914566A - Botnet detection and classification method and system - Google Patents


Info

Publication number
CN117914566A
Authority
CN
China
Prior art keywords
network communication
communication data
similarity value
detected
sim
Prior art date
Legal status
Pending
Application number
CN202410005581.1A
Other languages
Chinese (zh)
Inventor
陈虎
闫增修
唐开达
Current Assignee
Nanjing Juming Network Technology Co ltd
Original Assignee
Nanjing Juming Network Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Nanjing Juming Network Technology Co ltd
Priority to CN202410005581.1A
Publication of CN117914566A


Abstract

The embodiment of the invention discloses a botnet detection and classification method and system. The method collects network communication data and screens it to obtain network communication data to be detected; acquires the same-packet sequence loads corresponding to two different network communication data to be detected; calculates a similarity value between the same-packet sequence loads of the two different network communication data to be detected to obtain a first similarity value; calculates a similarity value between the network communication metadata of the two different network communication data to be detected to obtain a second similarity value; calculates a total similarity value through formula 1; and judges whether the total similarity value is larger than a preset threshold value, and if so, judges that the two different network communication data to be detected belong to the same type of botnet. The botnet detection and classification method solves the problem that, in the prior art, unknown botnets cannot be accurately detected and detected botnets cannot be classified.

Description

Botnet detection and classification method and system
Technical Field
The invention relates to the technical field of computers, in particular to a botnet detection classification method, a botnet detection classification system, electronic equipment and a storage medium.
Background
A botnet is a network of infected computers. The computers are infected through vulnerabilities, weak passwords or social engineering, and once infected they become part of the network and wait for the instructions of an attacker, who can launch large-scale network attacks by controlling these bots; such attacks are often difficult to trace back to their real source.
The existing methods for detecting botnets mainly comprise signature detection, statistical analysis of behavioural features, detection based on network traffic protocol features, detection based on a honeynet system, detection based on threat intelligence indicators and detection based on network traffic communication graph features.
However, in practical applications the actual controllers of a botnet can apply various transformations to the command and control content, and the botnet can frequently change IP addresses and domain names, so in most cases only some known botnets can be detected and found, while novel and unknown botnets are missed in large numbers; even when machine learning or deep learning is used, botnet behaviour can only be learned from known samples.
There is therefore a need for a method that can accurately detect unknown botnets and classify the detected botnets.
Disclosure of Invention
The embodiment of the invention aims to provide a botnet detection and classification method, a system, electronic equipment and a storage medium, which are used for solving the problem that an unknown botnet cannot be accurately detected and the detected botnet cannot be classified in the prior art.
In order to achieve the above objective, an embodiment of the present invention provides a method for detecting and classifying botnets, the method specifically includes:
Collecting network communication data, and screening the network communication data to obtain network communication data to be detected;
acquiring the same-packet sequence loads corresponding to two different network communication data to be detected;
Calculating similarity values between the same-packet sequence loads corresponding to two different network communication data to be detected to obtain a first similarity value;
Calculating similarity values between network communication metadata corresponding to two different network communication data to be detected to obtain a second similarity value;
calculating a total similarity value through a formula 1;
$\mathrm{SIM}(s_i, s_j) = w_p \cdot \mathrm{sim}(s_i, s_j) + w_m \cdot \mathrm{sim}'(s_i, s_j)$ (Equation 1);
Wherein $\mathrm{SIM}(s_i, s_j)$ is the total similarity value, $w_p$ is the same-packet sequence load weight, $\mathrm{sim}(s_i, s_j)$ is the first similarity value, $w_m$ is the network communication metadata weight, $\mathrm{sim}'(s_i, s_j)$ is the second similarity value, $w_p + w_m = 1$, and $w_p$ is larger than $w_m$;
And judging whether the total similarity value is larger than a preset threshold value, if so, judging that the two different networks to be detected are the same type of botnet.
Based on the technical scheme, the invention can also be improved as follows:
further, the collecting network communication data, and screening the network communication data to obtain network communication data to be detected includes:
filtering out network communication data that hits the whitelist to obtain remaining network communication data, and detecting the remaining network communication data based on preset inspection rules to obtain network communication data to be detected.
Further, the obtaining the same-packet sequence loads corresponding to the two different network communication data to be detected includes:
numbering the network communication data to be detected in sequence to obtain a data packet sequence ordered in time;
Slicing the network communication data to be detected in the data packet sequence according to a fixed length to obtain the same-packet sequence loads corresponding to different network communication data to be detected, wherein the slicing mode comprises an overlapping window mode or a tumbling window mode.
Further, the calculating the similarity value between the same packet sequence loads corresponding to two different network communication data to be detected to obtain a first similarity value includes:
calculating a first similarity value by formula 2;
Wherein $\mathrm{sim}(s_i, s_j)$ is the first similarity value, i and j are different packet sequences, $p_{s_i}$ is the number of data packets in $s_i$, $p_{s_j}$ is the number of data packets in $s_j$, and $s_i$ and $s_j$ are the two different network communication data to be detected.
Further, the calculating the similarity value between the network communication metadata corresponding to the two different network communication data to be detected, to obtain a second similarity value, includes:
calculating a second similarity value by formula 3;
Where $\mathrm{sim}'(s_i, s_j)$ is the second similarity value, $v_{ik}$ and $v_{jk}$ are the k-th dimension of the two different vectors, i and j are different packet sequences, and k indexes the same dimension in both vectors.
Further, the botnet detection classification method further comprises the following steps:
Pushing the first similarity value, the second similarity value and the total similarity value to a user side.
Further, the botnet detection classification method further comprises the following steps:
Threat intelligence is generated based on the first similarity value, the second similarity value, and the overall similarity value.
A botnet detection classification system, comprising:
The data acquisition module is used for acquiring network communication data, and screening the network communication data to obtain network communication data to be detected;
the load acquisition module is used for acquiring the same-packet sequence loads corresponding to two different network communication data to be detected;
the first calculation module is used for calculating similarity values between the same-packet sequence loads corresponding to two different network communication data to be detected to obtain a first similarity value;
the second calculation module is used for calculating the similarity value between the network communication metadata corresponding to the two different network communication data to be detected to obtain a second similarity value;
A third calculation module for calculating the total similarity value by formula 1;
$\mathrm{SIM}(s_i, s_j) = w_p \cdot \mathrm{sim}(s_i, s_j) + w_m \cdot \mathrm{sim}'(s_i, s_j)$ (Formula 1);
Wherein $\mathrm{SIM}(s_i, s_j)$ is the total similarity value, $w_p$ is the same-packet sequence load weight, $\mathrm{sim}(s_i, s_j)$ is the first similarity value, $w_m$ is the network communication metadata weight, $\mathrm{sim}'(s_i, s_j)$ is the second similarity value, $w_p + w_m = 1$, and $w_p$ is larger than $w_m$;
and the judging module is used for judging whether the total similarity value is larger than a preset threshold value, and if so, judging that the two different networks to be detected are the same type of botnet.
An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method when the computer program is executed.
A non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method.
The embodiment of the invention has the following advantages:
According to the botnet detection classification method, network communication data is collected and screened to obtain network communication data to be detected; the same-packet sequence loads corresponding to two different network communication data to be detected are acquired; a similarity value between the same-packet sequence loads of the two different network communication data to be detected is calculated to obtain a first similarity value; a similarity value between the network communication metadata of the two different network communication data to be detected is calculated to obtain a second similarity value; and whether the total similarity value is larger than a preset threshold value is judged, and if so, the two different network communication data to be detected are judged to belong to the same type of botnet. This solves the problem that, in the prior art, unknown botnets cannot be accurately detected and detected botnets cannot be classified.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It will be apparent to those skilled in the art from this disclosure that the drawings described below are merely exemplary and that other embodiments may be derived from the drawings provided without undue effort.
The structures, proportions, sizes, etc. shown in the present specification are shown only for the purposes of illustration and description, and are not intended to limit the scope of the invention, which is defined by the claims, so that any structural modifications, changes in proportions, or adjustments of sizes, which do not affect the efficacy or the achievement of the present invention, should fall within the scope of the invention.
FIG. 1 is a flow chart of a botnet detection classification method of the present invention;
FIG. 2 is a first architecture diagram of a botnet detection classification system of the present invention;
FIG. 3 is a second architecture diagram of a botnet detection classification system of the present invention;
fig. 4 is a schematic diagram of an entity structure of an electronic device according to the present invention.
Wherein the reference numerals are as follows:
The system comprises a data acquisition module 10, a load acquisition module 20, a first calculation module 30, a second calculation module 40, a third calculation module 50, a judgment module 60, a push module 70, an information generation module 80, an electronic device 90, a processor 901, a memory 902 and a bus 903.
Detailed Description
Further advantages and effects of the present invention will become apparent to those skilled in the art from the disclosure of the present invention, wherein it is apparent that the embodiments described are some, but not all, of the embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Examples
Fig. 1 is a flowchart of an embodiment of a botnet detection and classification method according to the present invention, as shown in fig. 1, where the botnet detection and classification method according to the embodiment of the present invention includes the following steps:
s101, collecting network communication data, and screening the network communication data to obtain network communication data to be detected;
specifically, filtering out network communication data hitting a self-list to obtain remaining network communication data, and detecting the remaining network communication data based on a preset inspection rule to obtain network communication data to be detected.
All network communication data is taken off the network card attached to the switch mirror port (whether SPAN or ERSPAN is used) and handed to a user-space network data acquisition engine in zero-copy mode;
The network data acquisition engine reassembles the streams of the various sessions, performs TCP reassembly on network communication data carried over TCP, and sends the reassembled sessions to the core analysis engine;
The core analysis engine filters out the network communication data that hits the whitelist and inspects the remaining (non-whitelisted) network sessions with the various preset signature rules, policies, intelligence and the like; if a hit is found, processing ends there, otherwise the network communication data meeting the conditions is passed to the botnet detection module. The qualifying network communication flows are the part from the intranet to extranet servers and the part from the extranet to the intranet (a botnet showing attack or scanning behaviour is detected even though the botnet cannot be broken); purely internal interconnection traffic is outside the detection range.
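The screening step S101 described above, as an added example that is not the patent's own code: whitelist hits are dropped first, sessions that hit a preset inspection rule are already explained and leave the pipeline, and only flows that cross the intranet/extranet boundary are kept for botnet detection. The `Flow` class, the `screen` and `is_internal` functions, the intranet ranges, the whitelist entry and the single constructed signature rule are all assumptions made for this illustration.

```python
"""Screening of captured sessions (S101) as an added, self-contained example.
Not the patent's code; ranges, whitelist and rule are constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable, List, Tuple

# Constructed private ranges standing in for the deployment's intranet.
INTRANET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed whitelist: a known-good external service that is never inspected.
WHITELIST = {"203.0.113.10"}


@dataclass
class Flow:
    """One reassembled session; only the fields the screening step needs."""
    src: str
    dst: str
    payload: bytes


def is_internal(addr: str) -> bool:
    """True when the address belongs to one of the intranet ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTRANET)


# A preset inspection rule is a predicate over the flow. A hit means the session
# is already explained by a signature, so it is reported there and not passed on.
Rule = Callable[[Flow], bool]
RULES: List[Rule] = [
    lambda f: b"KNOWN-SIG-1" in f.payload,  # constructed placeholder signature
]


def screen(flows: Iterable[Flow], rules: List[Rule] = RULES
           ) -> Tuple[List[Flow], List[Flow], List[Flow], List[Flow]]:
    """Split flows into (to_detect, whitelisted, rule_hits, out_of_scope).

    to_detect is the network communication data to be detected: flows that
    are neither whitelisted nor matched by a rule and that cross the
    intranet/extranet boundary in either direction.
    """
    to_detect: List[Flow] = []
    whitelisted: List[Flow] = []
    rule_hits: List[Flow] = []
    out_of_scope: List[Flow] = []
    for f in flows:
        if f.src in WHITELIST or f.dst in WHITELIST:
            whitelisted.append(f)
            continue
        if any(rule(f) for rule in rules):
            rule_hits.append(f)
            continue
        # Only intranet <-> extranet traffic is in range; internal-only is not.
        if is_internal(f.src) != is_internal(f.dst):
            to_detect.append(f)
        else:
            out_of_scope.append(f)
    return to_detect, whitelisted, rule_hits, out_of_scope


# Constructed sample flows (not real captures).
FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", b"HELLO-BOT"),          # intranet -> extranet
    Flow("198.51.100.9", "10.0.0.8", b"SCAN"),                # extranet -> intranet
    Flow("10.0.0.5", "203.0.113.10", b"GET /"),               # whitelisted service
    Flow("10.0.0.5", "198.51.100.7", b"KNOWN-SIG-1 beacon"),  # preset rule hit
    Flow("10.0.0.5", "192.168.1.2", b"SMB"),                  # internal only
]

if __name__ == "__main__":
    for label, bucket in zip(("to_detect", "whitelisted", "rule_hits", "out_of_scope"),
                             screen(FLOWS)):
        print(label, [f.payload for f in bucket])
```

Note that whitelist matching runs before the rules, as in the text: a whitelisted destination is never inspected, even if its payload would match a signature.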
S102, acquiring the same-packet sequence loads corresponding to two different network communication data to be detected;
specifically, the network communication data to be detected are numbered in sequence to obtain a data packet sequence which is ordered in time;
Slicing the network communication data to be detected in the data packet sequence according to a fixed length to obtain the same-packet sequence loads corresponding to different network communication data to be detected, wherein the slicing mode comprises an overlapping window mode or a tumbling window mode.
To avoid detection by various security devices, communication between the botnet master (Botmaster) and the compromised hosts is generally carried out in encrypted or compressed form rather than in plaintext (of course, the attack traffic itself is not encrypted);
The invention numbers the sent and received network communication data packets in sequence, which yields a time-ordered network communication data packet sequence;
The data in each network communication data packet is sliced according to a fixed length, denoted by l. To compare the data packet load contents of different sessions accurately, l is not chosen too large (for example, l is set to 4). Either an overlapping window mode (Overlapping Window) or a tumbling window mode (Tumbling Window) is adopted; in the overlapping window mode an overlap parameter can be set, whose value ranges from 1 to l-1. The incomplete part of the last window is padded with a fixed character such as a blank. Binary and text loads are processed in the same way.
S103, calculating similarity values between the same-packet sequence loads corresponding to two different network communication data to be detected, and obtaining a first similarity value;
Specifically, for two different network sessions, the same-packet sequence loads sampled as described above are compared; when the number of compared packet sequences reaches the upper limit p_limit, the comparison stops, and whether the same-packet sequences belong to the same class of botnet is then decided according to the set similarity threshold. The comparison method for the load similarity of the same-packet sequence (whether transmitted or received, subscripted k) is as follows (i and j are different packet sequences, and r is a given byte offset within a packet):
The above equation compares the degree of difference between the corresponding packets of the same-packet sequence: the larger the value of $\mathrm{sim}_k(p_{ki}, p_{kj})$, the greater the similarity, and vice versa. Here m and n are the number of packets in the packet sequence of the first session and of the second session, respectively; in an actual implementation only the smaller of the two need be considered, so the above formula is simplified as follows:
for two different network sessions, the degree of similarity is:
calculating a first similarity value by formula 2;
Equation 2;
wherein $\mathrm{sim}(s_i, s_j)$ is the first similarity value, i and j are different packet sequences, $p_{s_i}$ is the number of data packets in $s_i$, $p_{s_j}$ is the number of data packets in $s_j$, and $s_i$ and $s_j$ are the two different network communication data to be detected.
In the above equation, the numerator is the degree of similarity between the packets of the same-packet sequence of the different network sessions, and the denominator is the smaller of the numbers of packets contained in the two network sessions.
And S104, calculating the similarity value between the network communication metadata corresponding to the two different network communication data to be detected, and obtaining a second similarity value.
Specifically, clustering on communication metadata, that is, clustering different communications at the network session layer. In this patent the following network session metadata are extracted:
the number of packets sent, the number of bytes sent, the number of packets received, the number of bytes received, the average number of bytes sent, the average number of bytes received, the average bytes sent per second and the average bytes received per second;
The above-described related metadata is constructed as a vector, and the similarity of the inter-session metadata is calculated using the following formula.
Calculating a second similarity value by formula 3;
Where $\mathrm{sim}'(s_i, s_j)$ is the second similarity value, $v_{ik}$ and $v_{jk}$ are the k-th dimension of the two different vectors, i and j are different packet sequences, and k indexes the same dimension in both vectors.
When $\mathrm{sim}'(s_i, s_j)$ is greater than a certain threshold, the two sessions can be considered highly likely to belong to the same type of botnet (not necessarily the same botnet);
s105, calculating a total similarity value through a formula 1;
Specifically, $\mathrm{SIM}(s_i, s_j) = w_p \cdot \mathrm{sim}(s_i, s_j) + w_m \cdot \mathrm{sim}'(s_i, s_j)$ (Equation 1);
Where $\mathrm{SIM}(s_i, s_j)$ is the total similarity value, $w_p$ is the same-packet sequence load weight, $\mathrm{sim}(s_i, s_j)$ is the first similarity value, $w_m$ is the network communication metadata weight, $\mathrm{sim}'(s_i, s_j)$ is the second similarity value, $w_p + w_m = 1$, and $w_p$ is greater than $w_m$.
When $\mathrm{SIM}(s_i, s_j)$ is greater than a certain threshold th (this threshold lies between 0 and 1), the two sessions can be considered likely to belong to the same class of botnet;
S106, judging whether the total similarity value is larger than a preset threshold value, if so, judging that the two different network communication data to be detected belong to botnets of the same type;
specifically, the first similarity value, the second similarity value and the total similarity value are pushed to a user side.
Threat intelligence is generated based on the first similarity value, the second similarity value, and the overall similarity value.
The clustered results are presented to the user for viewing, and internally generated threat intelligence is produced for the domain names and IP addresses identified as belonging to a botnet.
Different sessions are clustered using the X-Means algorithm on the computed similarity; unlike K-Means, X-Means does not require the expected number of clusters to be specified.
The botnet detection classification method comprises the steps of collecting network communication data, and screening the network communication data to obtain network communication data to be detected; acquiring the same-packet sequence loads corresponding to two different network communication data to be detected; calculating similarity values between the same-packet sequence loads corresponding to two different network communication data to be detected to obtain a first similarity value; calculating similarity values between network communication metadata corresponding to two different network communication data to be detected to obtain a second similarity value; calculating a total similarity value through a formula 1; and judging whether the total similarity value is larger than a preset threshold value, if so, judging that the two different networks to be detected are the same type of botnet. The method solves the problem that the unknown botnet cannot be accurately detected and the detected botnet cannot be classified in the prior art.
The botnet detection classification method can identify a plurality of novel or modified botnets; identifying and classifying the possible botnet by using a plurality of layers of clustering methods; the loading characteristics of various external network sessions are highlighted, a pre-training mode of data or other characteristic-based detection modes are not adopted, and botnets in two aspects of botnet attack and botnet host collapse can be identified instead of the botnets in a specific certain direction.
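The pairwise similarity procedure of steps S102 to S106, as one added worked example (not the patent's code and not the system's actual implementation): time-ordered payloads are sliced into fixed-length windows (tumbling or overlapping, last window padded with a blank), a first similarity value is taken over the same packet positions and divided by the smaller packet count, a second similarity value is taken over the metadata vectors, and Equation 1 combines them with $w_p + w_m = 1$, $w_p > w_m$ and a threshold th. Because formulas 2 and 3 are not reproduced on the page, two stand-ins are assumed and labelled as such: the per-packet term $\mathrm{sim}_k$ is the fraction of byte offsets r at which the aligned windows match, and the metadata similarity is cosine similarity; p_limit is assumed to cap the denominator as well. The `Session` class, all function names, the weights 0.7/0.3, th = 0.8 and the three sample sessions are likewise constructed for this illustration.

```python
"""Pairwise session similarity in the style of S102-S106. Added example, not the
patent's code; the per-packet term and the metadata similarity are assumptions."""
from dataclasses import dataclass
from math import sqrt
from typing import List


@dataclass
class Session:
    """One screened session (network communication data to be detected)."""
    name: str
    payloads: List[bytes]    # time-ordered packet payloads, numbered as in S102
    metadata: List[float]    # S104 vector: sent pkts, sent bytes, recv pkts, ...


def slice_payload(payload: bytes, l: int = 4, overlap: int = 0,
                  pad: bytes = b" ") -> List[bytes]:
    """Slice a payload into fixed-length windows of l bytes (S102).

    overlap == 0 is the tumbling window mode; 1 <= overlap <= l-1 is the
    overlapping window mode with step l - overlap. The last, incomplete window
    is padded with a fixed character (a blank), binary or text alike.
    """
    if l < 1 or not 0 <= overlap < l:
        raise ValueError("need l >= 1 and 0 <= overlap <= l-1")
    step = l - overlap
    windows: List[bytes] = []
    for start in range(0, len(payload), step):
        windows.append(payload[start:start + l].ljust(l, pad))
        if start + l >= len(payload):
            break
    return windows


def packet_similarity(p_i: bytes, p_j: bytes, l: int = 4, overlap: int = 0) -> float:
    """Assumed stand-in for sim_k(p_ki, p_kj): the fraction of byte offsets r at
    which the k-th packets of the two sequences carry the same byte, compared
    window by window over the aligned slices. Always in [0, 1]."""
    wi, wj = slice_payload(p_i, l, overlap), slice_payload(p_j, l, overlap)
    n = min(len(wi), len(wj))
    if n == 0:
        return 0.0
    matches = sum(a == b for k in range(n) for a, b in zip(wi[k], wj[k]))
    return matches / (n * l)


def payload_similarity(s_i: Session, s_j: Session, p_limit: int = 10,
                       l: int = 4, overlap: int = 0) -> float:
    """First similarity value sim(s_i, s_j) (S103): per-packet similarity summed
    over the same packet positions, divided by the smaller packet count.
    Comparison stops after p_limit packets (assumption: p_limit then caps the
    denominator too, so the result stays in [0, 1])."""
    n = min(len(s_i.payloads), len(s_j.payloads), p_limit)
    if n == 0:
        return 0.0
    total = sum(packet_similarity(s_i.payloads[k], s_j.payloads[k], l, overlap)
                for k in range(n))
    return total / n


def metadata_similarity(s_i: Session, s_j: Session) -> float:
    """Second similarity value sim'(s_i, s_j) (S104). Formula 3 is not on the
    page; cosine similarity of the two metadata vectors is assumed. It lies in
    [0, 1] because every metadata field is a non-negative count or rate."""
    v_i, v_j = s_i.metadata, s_j.metadata
    if len(v_i) != len(v_j):
        raise ValueError("metadata vectors must share the same dimensions")
    dot = sum(a * b for a, b in zip(v_i, v_j))
    norm = sqrt(sum(a * a for a in v_i)) * sqrt(sum(b * b for b in v_j))
    return dot / norm if norm else 0.0


def total_similarity(s_i: Session, s_j: Session, w_p: float = 0.7,
                     w_m: float = 0.3, **kw) -> float:
    """Equation 1: SIM = w_p * sim + w_m * sim', with the patent's constraints
    w_p + w_m = 1 and w_p > w_m enforced before use."""
    if abs(w_p + w_m - 1.0) > 1e-9 or not w_p > w_m:
        raise ValueError("weights must satisfy w_p + w_m = 1 and w_p > w_m")
    return w_p * payload_similarity(s_i, s_j, **kw) + w_m * metadata_similarity(s_i, s_j)


def same_botnet_class(s_i: Session, s_j: Session, th: float = 0.8, **kw) -> bool:
    """S106: same type of botnet when SIM exceeds the preset threshold th."""
    return total_similarity(s_i, s_j, **kw) > th


# Constructed sample sessions (not real captures). A and B share a near-identical
# beacon-style payload and similar traffic counts; C is an ordinary HTTP request.
SESSION_A = Session("A", [b"HELLO-BOT", b"CMD:PING"], [10, 1200, 8, 640, 120, 80, 60, 32])
SESSION_B = Session("B", [b"HELLO-BOX", b"CMD:PONG", b"EXTRA"], [12, 1440, 9, 720, 120, 80, 72, 36])
SESSION_C = Session("C", [b"GET / HTTP/1.1", b"Host: x"], [1, 300, 1, 15000, 300, 15000, 3, 150])

if __name__ == "__main__":
    for other in (SESSION_B, SESSION_C):
        print(SESSION_A.name, other.name,
              f"sim={payload_similarity(SESSION_A, other):.3f}",
              f"sim'={metadata_similarity(SESSION_A, other):.3f}",
              f"SIM={total_similarity(SESSION_A, other):.3f}",
              "same class" if same_botnet_class(SESSION_A, other) else "different")
```

With the default weights, A and B score well above the threshold while A and C fall far below it; because the payload weight dominates, a metadata match alone cannot push two sessions over th, which is the behaviour the $w_p > w_m$ constraint is there to guarantee.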
FIGS. 2-3 are architecture diagrams of embodiments of the botnet detection classification system of the present invention; as shown in FIGS. 2-3, the botnet detection classification system provided by the embodiment of the invention includes the following modules:
The data acquisition module 10 is used for acquiring network communication data, and screening the network communication data to obtain network communication data to be detected;
the data acquisition module 10 is further configured to:
filtering out network communication data that hits the whitelist to obtain remaining network communication data, and detecting the remaining network communication data based on preset inspection rules to obtain network communication data to be detected.
The load obtaining module 20 is configured to obtain the same packet sequence loads corresponding to two different network communication data to be detected;
the load acquisition module 20 is further configured to:
numbering the network communication data to be detected in sequence to obtain a data packet sequence ordered in time;
Slicing the network communication data to be detected in the data packet sequence according to a fixed length to obtain the same-packet sequence loads corresponding to different network communication data to be detected, wherein the slicing mode comprises an overlapping window mode or a tumbling window mode.
The first calculating module 30 is configured to calculate a similarity value between the same packet sequence loads corresponding to two different network communication data to be detected, so as to obtain a first similarity value;
the first computing module 30 is further configured to:
calculating a first similarity value by formula 2;
wherein $\mathrm{sim}(s_i, s_j)$ is the first similarity value, i and j are different packet sequences, $p_{s_i}$ is the number of data packets in $s_i$, $p_{s_j}$ is the number of data packets in $s_j$, and $s_i$ and $s_j$ are the two different network communication data to be detected.
A second calculation module 40, configured to calculate a similarity value between network communication metadata corresponding to two different network communication data to be detected, so as to obtain a second similarity value;
The second computing module 40 is further configured to:
calculating a second similarity value by formula 3;
Where $\mathrm{sim}'(s_i, s_j)$ is the second similarity value, $v_{ik}$ and $v_{jk}$ are the k-th dimension of the two different vectors, i and j are different packet sequences, and k indexes the same dimension in both vectors.
A third calculation module 50 for calculating the total similarity value by equation 1;
$\mathrm{SIM}(s_i, s_j) = w_p \cdot \mathrm{sim}(s_i, s_j) + w_m \cdot \mathrm{sim}'(s_i, s_j)$ (Equation 1);
Wherein $\mathrm{SIM}(s_i, s_j)$ is the total similarity value, $w_p$ is the same-packet sequence load weight, $\mathrm{sim}(s_i, s_j)$ is the first similarity value, $w_m$ is the network communication metadata weight, $\mathrm{sim}'(s_i, s_j)$ is the second similarity value, $w_p + w_m = 1$, and $w_p$ is larger than $w_m$;
And the judging module 60 is configured to judge whether the total similarity value is greater than a preset threshold, and if yes, judge that two different networks to be detected are botnets of the same type.
And the pushing module 70 is configured to push the first similarity value, the second similarity value, and the total similarity value to a user side.
The intelligence generation module 80 is configured to generate threat intelligence based on the first similarity value, the second similarity value, and the total similarity value.
According to the botnet detection classification system, the data acquisition module 10 is used for acquiring network communication data and screening the network communication data to obtain network communication data to be detected; the load obtaining module 20 is configured to obtain the same-packet sequence loads corresponding to two different network communication data to be detected; calculating similarity values between the same-packet sequence loads corresponding to two different network communication data to be detected through a first calculation module 30 to obtain a first similarity value; calculating a similarity value between network communication metadata corresponding to two different network communication data to be detected through a second calculation module 40 to obtain a second similarity value; calculating the total similarity value by the third calculation module 50 through equation 1; and the judging module 60 is configured to judge whether the total similarity value is greater than a preset threshold, and if yes, judge that two different networks to be detected are botnets of the same type. The botnet detection and classification method solves the problem that in the prior art, unknown botnets cannot be accurately detected and detected botnets cannot be classified.
Fig. 4 is a schematic diagram of an entity structure of an electronic device according to an embodiment of the present invention, as shown in fig. 4, an electronic device 90 includes: a processor 901 (processor), a memory 902 (memory), and a bus 903;
The processor 901 and the memory 902 complete communication with each other through the bus 903;
The processor 901 is configured to call program instructions in the memory 902 to perform the methods provided in the above method embodiments, for example, including: collecting network communication data, and screening the network communication data to obtain network communication data to be detected; acquiring the same-packet sequence loads corresponding to two different network communication data to be detected; calculating similarity values between the same-packet sequence loads corresponding to two different network communication data to be detected to obtain a first similarity value; calculating similarity values between network communication metadata corresponding to two different network communication data to be detected to obtain a second similarity value; calculating a total similarity value through a formula 1; and judging whether the total similarity value is larger than a preset threshold value, if so, judging that the two different networks to be detected are the same type of botnet.
The present embodiment provides a non-transitory computer readable storage medium storing computer instructions that cause a computer to perform the methods provided by the above-described method embodiments, for example, including: collecting network communication data, and screening the network communication data to obtain network communication data to be detected; acquiring the same-packet sequence loads corresponding to two different network communication data to be detected; calculating similarity values between the same-packet sequence loads corresponding to two different network communication data to be detected to obtain a first similarity value; calculating similarity values between network communication metadata corresponding to two different network communication data to be detected to obtain a second similarity value; calculating a total similarity value through a formula 1; and judging whether the total similarity value is larger than a preset threshold value, if so, judging that the two different networks to be detected are the same type of botnet.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: various storage media such as ROM, RAM, magnetic or optical disks may store program code.
The apparatus embodiments described above are merely illustrative, wherein elements illustrated as separate elements may or may not be physically separate, and elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on such understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the embodiments or the methods of some parts of the embodiments.
While the invention has been described in detail in the foregoing general description and specific examples, it will be apparent to those skilled in the art that modifications and improvements can be made thereto. Accordingly, such modifications or improvements may be made without departing from the spirit of the invention and are intended to be within the scope of the invention as claimed.

Claims (10)

1. A botnet detection and classification method, characterized by comprising the following steps:
Collecting network communication data, and screening the network communication data to obtain network communication data to be detected;
acquiring the same-packet sequence loads corresponding to two different network communication data to be detected;
Calculating similarity values between the same-packet sequence loads corresponding to two different network communication data to be detected to obtain a first similarity value;
Calculating similarity values between network communication metadata corresponding to two different network communication data to be detected to obtain a second similarity value;
calculating a total similarity value through a formula 1;
$\mathrm{SIM}(s_i, s_j) = w_p \cdot \mathrm{sim}(s_i, s_j) + w_m \cdot \mathrm{sim}'(s_i, s_j)$ (Equation 1);
wherein $\mathrm{SIM}(s_i, s_j)$ is the total similarity value, $w_p$ is the weight of the same-packet-sequence load, $\mathrm{sim}(s_i, s_j)$ is the first similarity value, $w_m$ is the weight of the network communication metadata, $\mathrm{sim}'(s_i, s_j)$ is the second similarity value, $w_p + w_m = 1$, and $w_p > w_m$;
and judging whether the total similarity value is larger than a preset threshold and, if so, judging that the two different network communication data to be detected belong to the same type of botnet.
2. The botnet detection and classification method as claimed in claim 1, wherein collecting network communication data and screening the network communication data to obtain the network communication data to be detected includes:
filtering out the network communication data that hits the self-list to obtain the remaining network communication data, and detecting the remaining network communication data with preset inspection rules to obtain the network communication data to be detected.
3. The botnet detection and classification method as claimed in claim 1, wherein acquiring the same-packet-sequence loads corresponding to two different network communication data to be detected includes:
numbering the network communication data to be detected in sequence to obtain a data packet sequence ordered in time;
slicing the network communication data to be detected in the data packet sequence by a fixed length to obtain the same-packet-sequence loads corresponding to the different network communication data to be detected, wherein the slicing mode is an overlapping (sliding) window or a tumbling (non-overlapping) window.
4. The botnet detection and classification method as claimed in claim 1, wherein calculating the similarity value between the same-packet-sequence loads corresponding to two different network communication data to be detected to obtain the first similarity value includes:
calculating the first similarity value by Formula 2;
wherein $\mathrm{sim}(s_i, s_j)$ is the first similarity value, $i$ and $j$ index two different packet sequences, $p_{s_i}$ is the number of data packets in $s_i$, $p_{s_j}$ is the number of data packets in $s_j$, and $s_i$ and $s_j$ are the two different network communication data to be detected.
5. The botnet detection and classification method as claimed in claim 1, wherein calculating the similarity value between the network communication metadata corresponding to two different network communication data to be detected to obtain the second similarity value includes:
calculating the second similarity value by Formula 3;
wherein $\mathrm{sim}'(s_i, s_j)$ is the second similarity value, $v_{ik}$ and $v_{jk}$ are the $k$-th components of the metadata vectors of $s_i$ and $s_j$ respectively, $i$ and $j$ index two different packet sequences, and $k$ indexes the dimension shared by both vectors.
6. The botnet detection and classification method as set forth in claim 1, further comprising:
Pushing the first similarity value, the second similarity value and the total similarity value to a user side.
7. The botnet detection and classification method as set forth in claim 1, further comprising:
Threat intelligence is generated based on the first similarity value, the second similarity value, and the overall similarity value.
8. A botnet detection classification system, comprising:
The data acquisition module is used for acquiring network communication data, and screening the network communication data to obtain network communication data to be detected;
the load acquisition module is used for acquiring the same-packet sequence loads corresponding to two different network communication data to be detected;
the first calculation module is used for calculating similarity values between the same-packet sequence loads corresponding to two different network communication data to be detected to obtain a first similarity value;
the second calculation module is used for calculating the similarity value between the network communication metadata corresponding to the two different network communication data to be detected to obtain a second similarity value;
A third calculation module for calculating the total similarity value by formula 1;
$\mathrm{SIM}(s_i, s_j) = w_p \cdot \mathrm{sim}(s_i, s_j) + w_m \cdot \mathrm{sim}'(s_i, s_j)$ (Equation 1);
wherein $\mathrm{SIM}(s_i, s_j)$ is the total similarity value, $w_p$ is the weight of the same-packet-sequence load, $\mathrm{sim}(s_i, s_j)$ is the first similarity value, $w_m$ is the weight of the network communication metadata, $\mathrm{sim}'(s_i, s_j)$ is the second similarity value, $w_p + w_m = 1$, and $w_p > w_m$;
and a judging module for judging whether the total similarity value is larger than a preset threshold and, if so, judging that the two different network communication data to be detected belong to the same type of botnet.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 1 to 7 when the computer program is executed.
10. A non-transitory computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method according to any of claims 1 to 7.
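The pipeline of claims 1, 3, 4 and 5, carried through as an added worked example; this is not code from the patent or its applicant. Because Formulas 2 and 3 are not reproduced on the page, the two component scores are assumptions: Jaccard similarity over the fixed-length payload slices stands in for sim(s_i, s_j), and cosine similarity over the metadata vectors (pairing v_ik with v_jk) stands in for sim'(s_i, s_j). Equation 1 and its weight constraints (w_p + w_m = 1, w_p > w_m) are implemented as stated in the claim. The `Session` type, the metadata dimensions, the default weights and threshold, and the three sample sessions are all constructed for illustration.

```python
"""Worked example of the claimed pipeline (added here; not the patent's code).

Claims 1, 3, 4 and 5: number packets in time order, cut the packet sequence
into fixed-length slices with an overlapping or tumbling window, score the
slice sets (first similarity value), score the metadata vectors (second
similarity value), combine them with Equation 1 and compare to a threshold.
Formulas 2 and 3 are not reproduced on the page, so the two component scores
used here are assumptions: Jaccard similarity over the slice sets and cosine
similarity over the metadata vectors.  All traffic below is constructed.
"""
from dataclasses import dataclass
from itertools import combinations
from math import sqrt
from typing import Iterable, List, Set, Tuple


@dataclass
class Session:
    """One 'network communication data to be detected': payloads of its
    packets in capture order plus a numeric metadata vector (assumed
    dimensions: mean packet size, mean inter-arrival time in s, packet count)."""
    name: str
    payloads: List[bytes]
    metadata: List[float]


def slice_payloads(payloads: Iterable[bytes], length: int, overlap: bool) -> Set[bytes]:
    """Claim 3: fixed-length slices of the concatenated packet sequence.
    overlap=True is a sliding window with step 1; overlap=False is a tumbling
    (non-overlapping) window with step == length.  A trailing partial slice is dropped."""
    if length <= 0:
        raise ValueError("slice length must be positive")
    stream = b"".join(payloads)
    step = 1 if overlap else length
    last_start = len(stream) - length + 1          # exclusive bound for range()
    return {stream[i:i + length] for i in range(0, max(last_start, 0), step)}


def payload_similarity(a: Session, b: Session, length: int = 4, overlap: bool = True) -> float:
    """Assumed stand-in for Formula 2: Jaccard index of the two slice sets."""
    sa = slice_payloads(a.payloads, length, overlap)
    sb = slice_payloads(b.payloads, length, overlap)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def metadata_similarity(a: Session, b: Session) -> float:
    """Assumed stand-in for Formula 3: cosine similarity, pairing dimension k
    of one vector (v_ik) with dimension k of the other (v_jk)."""
    if len(a.metadata) != len(b.metadata):
        raise ValueError("metadata vectors must have the same dimensions")
    dot = sum(x * y for x, y in zip(a.metadata, b.metadata))
    norm_a = sqrt(sum(x * x for x in a.metadata))
    norm_b = sqrt(sum(y * y for y in b.metadata))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def total_similarity(a: Session, b: Session, w_p: float = 0.7, w_m: float = 0.3,
                     length: int = 4, overlap: bool = True) -> float:
    """Equation 1: SIM(s_i, s_j) = w_p * sim(s_i, s_j) + w_m * sim'(s_i, s_j),
    with the claim's constraints w_p + w_m = 1 and w_p > w_m checked first."""
    if abs(w_p + w_m - 1.0) > 1e-9 or not w_p > w_m:
        raise ValueError("weights must satisfy w_p + w_m = 1 and w_p > w_m")
    return w_p * payload_similarity(a, b, length, overlap) + w_m * metadata_similarity(a, b)


def same_botnet_family(a: Session, b: Session, threshold: float = 0.6, **kw) -> bool:
    """Final judgement of claim 1: total similarity above the preset threshold."""
    return total_similarity(a, b, **kw) > threshold


def classify_pairs(sessions: List[Session], threshold: float = 0.6,
                   **kw) -> List[Tuple[str, str, float]]:
    """Apply the pairwise judgement to every pair and report the matches."""
    matches = []
    for a, b in combinations(sessions, 2):
        score = total_similarity(a, b, **kw)
        if score > threshold:
            matches.append((a.name, b.name, round(score, 3)))
    return matches


# Constructed sample sessions (not real captures).  Two bots speak the same
# framed C2 protocol with different bot IDs; the third is an ordinary HTTP GET.
BEACON_A = Session("bot-a", [b"\x17\x03\x03\x00\x20BOT1CMD\x00PING", b"\x17\x03\x03\x00\x10ACK\x00"],
                   [64.0, 30.0, 2.0])
BEACON_B = Session("bot-b", [b"\x17\x03\x03\x00\x20BOT2CMD\x00PING", b"\x17\x03\x03\x00\x10ACK\x00"],
                   [60.0, 32.0, 2.0])
HTTP_GET = Session("browser", [b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"],
                   [1400.0, 0.1, 40.0])

if __name__ == "__main__":
    for a, b, score in classify_pairs([BEACON_A, BEACON_B, HTTP_GET]):
        print(f"{a} ~ {b}: SIM={score} -> same botnet family")
```

Two practical points the claims leave open. First, the sliding window makes the payload score sensitive to a single changed byte only in the slices that contain it (here the bot ID), which is what lets two bots of one family match while the different protocol of the HTTP session scores zero. Second, cosine similarity on raw metadata is dominated by the largest dimension (packet size here), so the browser session still gets a metadata score near 0.9 against the beacons; in a deployment the metadata vector should be scaled per dimension before Formula 3 is applied, or the w_p > w_m constraint is the only thing keeping such pairs below the threshold.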

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410005581.1A CN117914566A (en) 2024-01-03 2024-01-03 Botnet detection and classification method and system

Publications (1)

Publication Number Publication Date
CN117914566A true CN117914566A (en) 2024-04-19

Family

ID=90688247

Country Status (1)

Country Link
CN (1) CN117914566A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination