CN102014025A - Method for detecting P2P botnet structure based on network flow clustering - Google Patents


Info

Publication number
CN102014025A
Authority
CN (China)
Prior art keywords
network flow, record, datagram, network, address
Legal status
Granted
Application number
CN 201010573650
Other languages
Chinese (zh)
Other versions
CN102014025B (en)
Inventors
夏春和, 段俊锋, 姚珊, 王海泉, 冯杰
Current Assignee
Beihang University
Original Assignee
Beihang University
Application filed by Beihang University
Priority to CN201010573650A
Publication of CN102014025A
Application granted
Publication of CN102014025B
Status: Expired - Fee Related
Anticipated expiration

Abstract

The invention discloses a method for detecting a peer-to-peer (P2P) botnet structure based on network flow clustering. In the method, the detection of the P2P botnet structure is completed by the sequential execution of a real-time communication data acquisition module, a datagram record filtering module, a network flow extraction module, a network flow record filtering module, a network flow clustering module and a data association and result display module. The basic idea of the method is that the defender exploits the regularity of the command and control communication between P2P botnet nodes, namely features such as its duration, number of datagrams and number of bytes, to identify command and control communication in the communication data of the monitored network; from this the defender determines the command and control relationships between the P2P botnet nodes in the monitored network and so obtains the P2P botnet structure. The main innovations are that communication network flows with similar features are grouped by a clustering method and compared with the features in the command and control communication feature set, so that normal communication is distinguished from P2P botnet communication and the P2P botnet structure is detected.

Description

Method for detecting P2P botnet structure based on network flow clustering
Technical field
The present invention relates to a method for discovering a network structure, and more particularly to a method for detecting the structure of a P2P botnet based on network flow clustering.
Background technology
A botnet is a network made up of computer programs that control a large number of computer resources without authorization, accept remote control commands and carry out the corresponding operations. It is a novel attack pattern that evolved from traditional malicious code; it gives the attacker a covert, flexible and efficient one-to-many command and control mechanism through which a large number of zombie hosts can be directed to steal information, launch distributed denial-of-service attacks, send spam and so on. The one-to-many command and control mechanism is its essential characteristic. An attacker is a computer, or a person, that uses a computer network to take action that disrupts, denies, degrades or destroys information residing on computers and computer networks, or the computers and networks themselves.
A defender is a person who, within a computer network and its information systems, takes a series of actions to protect, monitor, analyze, detect and respond to unauthorized activity.
The command and control of a botnet takes various forms: centralized, P2P and random. A P2P botnet is characterized by a peer-to-peer relationship between its nodes (bot processes); there is no typical command and control server in the network, and each servent node can act both as a client and as a server. Compared with a centralized botnet, a P2P botnet is harder to detect and is better concealed.
Referring to Fig. 1, the figure contains nine nodes, A to I; nodes A to I form a P2P botnet structure through command and control activity C&C. The attacker can issue an attack instruction AIn through some predefined node; the nodes of the P2P botnet then forward the attack instruction AIn to every node in the network through command and control activity C&C; all nodes in the network interpret the attack instruction AIn and carry out the corresponding attack activity AA, which damages the victim's network, information systems and so on.
Summary of the invention
The object of the invention is to propose a method for detecting P2P botnet structure based on network flow clustering. The method completes the detection of the P2P botnet structure through the sequential execution of a real-time communication data acquisition module, a datagram record filtering module, a network flow extraction module, a network flow record filtering module, a network flow clustering module and a data association and result display module. Its basic idea is that the defender exploits the regularity of the command and control communication between P2P botnet nodes, namely features such as duration, datagram count and byte count, to identify command and control communication in the communication data of the monitored network, thereby determines the P2P botnet nodes in the monitored network and the command and control relationships between them, and so obtains the P2P botnet structure. The main innovation of the invention is that communication network flows with similar features are grouped together by a clustering method and compared against the features in the command and control communication feature set, so that normal communication is distinguished from P2P botnet communication and the P2P botnet structure is detected.
The method of the present invention for detecting P2P botnet structure based on network flow clustering includes the following detection steps:
Step 1: acquire real-time communication data
The real-time communication data acquisition module first obtains the IP datagrams IPD of the monitored network from that network and extracts the key fields KF={SIP, DIP, SPT, DPT, IHL, ITL, THL, PTL} from each IP datagram IPD; it then records the acquisition time Tt of the currently captured IP datagram IPD; finally it represents the source IP address SIP, destination IP address DIP, source port number SPT, destination port number DPT and IP datagram protocol field type PTL from the key fields KF, together with the acquisition time Tt and the application layer message length AML, as a datagram record PR and stores it in the datagram record table PRT. In mathematical tuple form the datagram record PR is written PR=(SIP, DIP, SPT, DPT, PTL, Tt, AML);
Step 2: filter datagram records
The datagram record filtering module filters the datagram records PR in the datagram record table PRT according to the first filtering rule set FFR;
Step 3: extract network flows
The network flow extraction module first accepts the timeout interval TO entered by the defender; it then processes the datagram records PR in the datagram record table PRT in order of their acquisition time Tt according to the network flow extraction policy FEP;
Step 4: screen flow records
The network flow record filtering module filters out irrelevant network flow records according to the second filtering rule set SFR;
Step 5: cluster the network flows
The network flow clustering module first accepts the command and control feature set CCFFT entered by the defender; it then normalizes the network flow features FFT of the network flow records FR in the network flow record table FRT with the max-min method MM; finally it clusters the network flow records FR in the network flow record table FRT and takes the one or more clusters whose centre is close to a feature in the command and control feature set CCFFT as the P2P botnet command and control network flow set CCS;
Step 6: display the result
The data association and result display module first extracts the IP address set IPS from the command and control network flow set CCS; it then represents each IP address in the IP address set IPS as a vertex and draws an edge between the source IP address SIP and destination IP address DIP of each network flow record FR in the command and control network flow set CCS; the resulting vertices and edges constitute the P2P botnet structure detected by the defender.
Description of drawings
Fig. 1 is a schematic diagram of a conventional P2P botnet structure.
Fig. 2 is a schematic diagram of the detection of a P2P botnet structure by the present invention.
Embodiment
The present invention is described in further detail below with reference to the drawings and an embodiment.
The method of the present invention for detecting P2P botnet structure based on network flow clustering includes the following detection steps:
Step 1: acquire real-time communication data
In its first aspect, the real-time communication data acquisition module obtains the IP datagrams IPD of the monitored network from that network and extracts the key fields KF from each IP datagram IPD;
The key fields KF include the source IP address SIP, destination IP address DIP, source port number SPT, destination port number DPT, IP header length IHL, IP datagram total length ITL, TCP/UDP header length THL and IP datagram protocol field type PTL; in mathematical set form, KF={SIP, DIP, SPT, DPT, IHL, ITL, THL, PTL}.
In the present invention, when PTL is the TCP protocol, the application layer message length AML is computed as ITL-IHL-THL.
In the present invention, when PTL is the UDP protocol, the application layer message length AML is computed as ITL-IHL-THL+8.
TCP (Transmission Control Protocol) provides reliable end-to-end byte stream communication over an unreliable internet.
UDP (User Datagram Protocol) provides a way for applications to send encapsulated IP datagrams without first establishing a connection.
In its second aspect, the real-time communication data acquisition module records the time at which the current IP datagram IPD was captured, denoted Tt (acquisition time Tt for short);
In its third aspect, the real-time communication data acquisition module represents the source IP address SIP, destination IP address DIP, source port number SPT, destination port number DPT and IP datagram protocol field type PTL from the key fields KF, together with the acquisition time Tt and the application layer message length AML, as a datagram record PR and stores it in the datagram record table PRT. In mathematical tuple form the datagram record PR is written PR=(SIP, DIP, SPT, DPT, PTL, Tt, AML).
Step 2: filter datagram records
The datagram record filtering module filters the datagram records PR in the datagram record table PRT according to the first filtering rule set FFR.
In the present invention, the first aspect of the first filtering rule set FFR is the protocol type filtering rule PFR; the datagram record filtering module deletes from the datagram record table PRT those datagram records PR whose protocol field type PTL differs from the protocol type filtering rule PFR;
In the present invention, the second aspect of the first filtering rule set FFR is the white list filtering rule WLFR, which contains the IP addresses the defender trusts; the datagram record filtering module deletes from the datagram record table PRT those datagram records PR whose source IP address SIP or destination IP address DIP matches the white list filtering rule WLFR;
In the present invention, the third aspect of the first filtering rule set FFR is the blacklist filtering rule BLFR, which contains the IP addresses the defender suspects; the datagram record filtering module deletes from the datagram record table PRT those datagram records PR whose source IP address SIP or destination IP address DIP does not match the blacklist filtering rule BLFR.
Step 3: extract network flows
A network flow record FR includes the source IP address SIP, destination IP address DIP, source port number SPT, destination port number DPT, protocol type PTL, start time ST, end time ET, datagram count PN, byte count BN, network flow duration DRT, average bytes per datagram BPP, average datagrams per second PPS and average bytes per second BPS; in mathematical tuple form, FR=(SIP, DIP, SPT, DPT, PTL, ST, ET, PN, BN, DRT, BPP, PPS, BPS). Network flow records FR are stored in the network flow record table FRT.
The five-tuple FT is the tuple formed by the source IP address SIP, destination IP address DIP, source port number SPT, destination port number DPT and IP datagram protocol field type PTL; in tuple form, FT=(SIP, DIP, SPT, DPT, PTL).
The network flow feature FFT includes the network flow duration DRT, average bytes per datagram BPP, average datagrams per second PPS and average bytes per second BPS; in tuple form, FFT=(DRT, BPP, PPS, BPS).
The network flow feature FFT is calculated according to the network flow feature calculation policy FFTCP.
The network flow feature calculation policy FFTCP computes the network flow duration DRT as the difference between the start time ST and the end time ET, the average bytes per datagram BPP as BN/PN, the average datagrams per second PPS as PN/DRT, and the average bytes per second BPS as BN/DRT.
In its first aspect, the network flow extraction module accepts the timeout interval entered by the defender, denoted TO (timeout TO for short);
In its second aspect, the network flow extraction module processes the datagram records PR in the datagram record table PRT in order of their acquisition time Tt according to the network flow extraction policy FEP.
In the present invention, the first aspect of the network flow extraction policy FEP is to search the network flow record table FRT for the network flow record FR with the largest start time ST whose five-tuple FT equals the five-tuple FT of the datagram record PR;
If such a network flow record FR exists, and the acquisition time Tt of the datagram record PR and the start time ST of the network flow record FR satisfy Tt-ST less than or equal to the timeout TO, the network flow record FR is updated from the datagram record PR: the end time ET of the network flow record FR is set to the acquisition time Tt of the datagram record PR; the datagram count PN of the network flow record FR is increased by 1; the byte count BN of the network flow record FR is increased by the application layer message length AML of the datagram record PR; and the network flow duration DRT, average bytes per datagram BPP, average datagrams per second PPS and average bytes per second BPS are recomputed according to the network flow feature calculation policy FFTCP.
If such a network flow record FR exists, but the acquisition time Tt of the datagram record PR and the start time ST of the network flow record FR satisfy Tt-ST greater than the timeout TO, a new network flow record FR is inserted into the network flow record table FRT: the start time ST of the new network flow record FR equals the acquisition time Tt of the datagram record PR; its datagram count PN equals 1; its byte count BN equals the application layer message length AML of the datagram record PR; and its network flow duration DRT, average bytes per datagram BPP, average datagrams per second PPS and average bytes per second BPS are computed according to the network flow feature calculation policy FFTCP.
If no such network flow record FR exists, a new network flow record FR is inserted into the network flow record table FRT: the start time ST of the new network flow record FR equals the acquisition time Tt of the datagram record PR; its datagram count PN equals 1; its byte count BN equals the application layer message length AML of the datagram record PR; and its network flow duration DRT, average bytes per datagram BPP, average datagrams per second PPS and average bytes per second BPS are computed according to the network flow feature calculation policy FFTCP.
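The AML rules of step 1, the flow extraction policy FEP and the feature policy FFTCP of step 3, worked through in code. This is an added example, not code from the patent: the sample datagram records are constructed, the timeout is TO = 10 s, and because the page does not say what PPS and BPS are for a one-datagram flow (DRT = 0), the example sets them to 0.0 instead of dividing by zero.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

TCP, UDP = 6, 17  # IP protocol field values (PTL)


def application_layer_length(ptl: int, ihl: int, itl: int, thl: int) -> int:
    """AML exactly as the page defines it: ITL-IHL-THL for TCP, ITL-IHL-THL+8 for UDP."""
    if ptl == TCP:
        return itl - ihl - thl
    if ptl == UDP:
        return itl - ihl - thl + 8
    raise ValueError("PTL %d has no AML rule on the page" % ptl)


@dataclass
class FlowRecord:
    """FR = (SIP, DIP, SPT, DPT, PTL, ST, ET, PN, BN, DRT, BPP, PPS, BPS)."""
    sip: str
    dip: str
    spt: int
    dpt: int
    ptl: int
    st: float
    et: float
    pn: int
    bn: int
    drt: float = 0.0
    bpp: float = 0.0
    pps: float = 0.0
    bps: float = 0.0

    def five_tuple(self) -> Tuple[str, str, int, int, int]:
        return (self.sip, self.dip, self.spt, self.dpt, self.ptl)

    def recompute_features(self) -> None:
        """FFTCP: DRT from ST and ET, BPP = BN/PN, PPS = PN/DRT, BPS = BN/DRT.
        A one-datagram flow has DRT == 0; the page does not cover that case, so
        PPS and BPS are set to 0.0 here (assumed) rather than dividing by zero."""
        self.drt = self.et - self.st
        self.bpp = self.bn / self.pn
        self.pps = self.pn / self.drt if self.drt > 0 else 0.0
        self.bps = self.bn / self.drt if self.drt > 0 else 0.0


# Datagram record PR = (SIP, DIP, SPT, DPT, PTL, Tt, AML)
PacketRecord = Tuple[str, str, int, int, int, float, int]


def extract_flows(prt: Sequence[PacketRecord], to: float) -> List[FlowRecord]:
    """FEP: walk PRT in Tt order; for each PR look up the FR with the same five-tuple
    and the largest ST, update it if Tt - ST <= TO, otherwise start a new FR.
    Note the timeout is measured from the flow's ST, not from its last datagram."""
    frt: List[FlowRecord] = []
    latest: Dict[tuple, int] = {}  # five-tuple -> index of the FR with the largest ST
    for sip, dip, spt, dpt, ptl, tt, aml in sorted(prt, key=lambda r: r[5]):
        ft = (sip, dip, spt, dpt, ptl)
        idx = latest.get(ft)
        if idx is not None and tt - frt[idx].st <= to:
            fr = frt[idx]
            fr.et = tt      # ET <- Tt
            fr.pn += 1      # PN <- PN + 1
            fr.bn += aml    # BN <- BN + AML
        else:
            fr = FlowRecord(sip, dip, spt, dpt, ptl, st=tt, et=tt, pn=1, bn=aml)
            frt.append(fr)
            latest[ft] = len(frt) - 1
        fr.recompute_features()
    return frt


# Constructed sample PRT (not captured traffic); times are seconds, AML in bytes.
SAMPLE_PRT: List[PacketRecord] = [
    ("10.0.0.5", "10.0.0.9", 40001, 6881, TCP, 0.0, 120),
    ("10.0.0.5", "10.0.0.9", 40001, 6881, TCP, 1.0, 60),
    ("10.0.0.9", "10.0.0.5", 6881, 40001, TCP, 1.5, 30),    # reverse direction: its own FT
    ("10.0.0.7", "10.0.0.5", 5000, 5000, UDP, 3.0, 0),      # lone empty datagram (SCFR target)
    ("10.0.0.5", "10.0.0.9", 40001, 6881, TCP, 4.0, 60),    # Tt - ST = 4 <= TO: same flow
    ("10.0.0.5", "10.0.0.9", 40001, 6881, TCP, 12.0, 200),  # Tt - ST = 12 > TO: new flow
]

if __name__ == "__main__":
    for record in extract_flows(SAMPLE_PRT, to=10.0):
        print(record)
```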
Step 4: screen flow records
The network flow record filtering module filters out irrelevant network flow records according to the second filtering rule set SFR.
In the present invention, the first aspect of the second filtering rule set SFR is the specific communication filtering rule SCFR, which specifies a datagram count PN of 1 and a byte count BN of 0; the network flow record filtering module deletes from the network flow record table FRT those network flow records FR that match the specific communication filtering rule SCFR;
In the present invention, the second aspect of the second filtering rule set SFR is the P2P communication filtering rule PPFR, which specifies particular values of the network flow feature FFT; the network flow record filtering module deletes from the network flow record table FRT those network flow records FR whose network flow feature FFT matches the P2P communication filtering rule PPFR.
Step 5: cluster the network flows
In its first aspect, the network flow clustering module accepts the command and control network flow feature set entered by the defender, denoted CCFFT (command and control feature set CCFFT for short);
In its second aspect, the network flow clustering module normalizes the network flow features FFT of the network flow records FR in the network flow record table FRT with the max-min method MM;
The max-min method MM takes the minimum value MIN and the maximum value MAX of the data set, and then replaces each datum D of the data set by D-MIN divided by MAX-MIN.
In its third aspect, the network flow clustering module clusters the network flow records FR in the network flow record table FRT and takes the one or more clusters whose centre is close to a feature in the command and control feature set CCFFT as the P2P botnet command and control network flow set CCS.
Step 6: display the result
In its first aspect, the data association and result display module extracts the source IP addresses SIP and destination IP addresses DIP from the command and control network flow set CCS, forming the command and control IP address set IPS (IP address set IPS for short);
In its second aspect, the data association and result display module represents each IP address in the IP address set IPS as a vertex and draws an edge between the source IP address SIP and destination IP address DIP of each network flow record FR in the command and control network flow set CCS; the resulting vertices and edges constitute the P2P botnet structure detected by the defender.
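Steps 4 to 6 worked through on constructed flow records: SCFR screening, max-min normalization MM, clustering, selection of the clusters near the CCFFT features, and the vertex/edge output. This is an added example, not the patent's code; the page names no clustering algorithm or distance threshold, so plain k-means with deterministic farthest-point seeding, per-feature MIN/MAX, and a normalized Euclidean threshold of 0.25 are assumptions of the example.

```python
from math import dist
from typing import List, Sequence, Tuple

# FR = (SIP, DIP, SPT, DPT, PTL, ST, ET, PN, BN, DRT, BPP, PPS, BPS); FFT = FR[9:13]
Flow = tuple
Vector = Tuple[float, ...]


def screen_flows(frt: Sequence[Flow], ppfr: Sequence[Vector] = ()) -> List[Flow]:
    """Step 4 (SFR): drop FR matching SCFR (PN == 1 and BN == 0) and FR whose FFT equals a
    PPFR value. The page lists no concrete PPFR values, so the default set is empty."""
    banned = set(ppfr)
    return [fr for fr in frt if not (fr[7] == 1 and fr[8] == 0) and tuple(fr[9:13]) not in banned]


def minmax_bounds(vectors: Sequence[Vector]) -> Tuple[List[float], List[float]]:
    cols = list(zip(*vectors))
    return [min(c) for c in cols], [max(c) for c in cols]


def minmax_normalize(v: Vector, lo: Sequence[float], hi: Sequence[float]) -> Vector:
    """MM: D -> (D - MIN) / (MAX - MIN), applied per feature column (assumed);
    a constant column (MAX == MIN) is mapped to 0 instead of dividing by zero."""
    return tuple((x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(v, lo, hi))


def kmeans(points: Sequence[Vector], k: int, rounds: int = 50) -> Tuple[List[int], List[Vector]]:
    """Plain k-means, seeded deterministically with farthest points (assumed choice)."""
    centroids: List[Vector] = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    labels = [-1] * len(points)
    for _ in range(rounds):
        new_labels = [min(range(k), key=lambda j, p=p: dist(p, centroids[j])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:
                centroids[j] = tuple(sum(col) / len(members) for col in zip(*members))
    return labels, centroids


def detect_cc_flows(frt: Sequence[Flow], ccfft: Sequence[Vector], k: int = 2,
                    threshold: float = 0.25) -> List[Flow]:
    """Step 5: normalize FFT with MM, cluster, and keep every cluster whose centroid lies
    within `threshold` of a CCFFT feature (normalized with the same MIN/MAX) -> CCS."""
    screened = screen_flows(frt)
    feats = [tuple(float(x) for x in fr[9:13]) for fr in screened]
    lo, hi = minmax_bounds(feats)
    labels, centroids = kmeans([minmax_normalize(f, lo, hi) for f in feats], k)
    targets = [minmax_normalize(c, lo, hi) for c in ccfft]
    cc_clusters = {j for j, c in enumerate(centroids)
                   if min(dist(c, t) for t in targets) <= threshold}
    return [fr for fr, lab in zip(screened, labels) if lab in cc_clusters]


def botnet_structure(ccs: Sequence[Flow]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Step 6: IPS = every SIP/DIP in CCS (vertices); one edge per CCS flow's (SIP, DIP)."""
    ips = sorted({fr[0] for fr in ccs} | {fr[1] for fr in ccs})
    edges = sorted({(fr[0], fr[1]) for fr in ccs})
    return ips, edges


def make_fr(sip: str, dip: str, pn: int, bn: int, drt: float, spt: int = 40000,
            dpt: int = 6881, ptl: int = 6, st: float = 0.0) -> Flow:
    """Builds a constructed FR with FFT derived by FFTCP (PPS/BPS = 0 when DRT = 0)."""
    pps = pn / drt if drt else 0.0
    bps = bn / drt if drt else 0.0
    return (sip, dip, spt, dpt, ptl, st, st + drt, pn, bn, drt, bn / pn, pps, bps)


# Constructed sample FRT: four short, sparse flows among suspected bots, two bulk
# transfers between ordinary hosts, and one lone empty datagram that SCFR removes.
SAMPLE_FRT: List[Flow] = [
    make_fr("10.0.0.1", "10.0.0.2", 4, 200, 2.0),
    make_fr("10.0.0.2", "10.0.0.3", 4, 220, 2.2),
    make_fr("10.0.0.3", "10.0.0.1", 5, 240, 2.4),
    make_fr("10.0.0.2", "10.0.0.4", 4, 200, 2.0),
    make_fr("10.0.0.5", "10.0.0.6", 1200, 1_200_000, 60.0),
    make_fr("10.0.0.6", "10.0.0.7", 1500, 1_500_000, 70.0),
    make_fr("10.0.0.8", "10.0.0.1", 1, 0, 0.0),
]
# Defender-supplied CCFFT = {(DRT, BPP, PPS, BPS)}; a constructed value, not from the page.
SAMPLE_CCFFT: List[Vector] = [(2.0, 50.0, 2.0, 100.0)]

if __name__ == "__main__":
    vertices, edge_list = botnet_structure(detect_cc_flows(SAMPLE_FRT, SAMPLE_CCFFT))
    print("IPS:", vertices)
    print("edges:", edge_list)
```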
The advantages of the present method for detecting P2P botnet structure based on network flow clustering are:
1. It exploits the characteristics of P2P botnets by using nodes in the network as monitored nodes (a watchlist), or as filtering rules for the data to be analyzed, which reduces the volume of data to be processed.
2. The use of a network flow extraction method improves the applicability of the method for detecting P2P botnet structure based on network flow clustering: it can process command and control communication based on the TCP protocol as well as command and control communication based on the UDP protocol.
3. The method combines network packet filtering with network flow filtering. Packet filtering is performed first, reducing the input data of the network flow and feature extraction activity and so improving its efficiency; network flow filtering is then performed, reducing the volume of network flow data and so improving the efficiency of the network flow cluster analysis.
4. The method detects and outputs the P2P botnet structure, which helps network defenders understand the working mechanism of P2P botnets and so propose more effective defensive measures.

Claims (7)

1. A method for detecting P2P botnet structure based on network flow clustering, characterized in that the method includes the following detection steps:
Step 1: acquire real-time communication data
The real-time communication data acquisition module first obtains the IP datagrams IPD of the monitored network from that network and extracts the key fields KF={SIP, DIP, SPT, DPT, IHL, ITL, THL, PTL} from each IP datagram IPD; it then records the acquisition time Tt of the currently captured IP datagram IPD; finally it represents the source IP address SIP, destination IP address DIP, source port number SPT, destination port number DPT and IP datagram protocol field type PTL from the key fields KF, together with the acquisition time Tt and the application layer message length AML, as a datagram record PR and stores it in the datagram record table PRT. In mathematical tuple form the datagram record PR is written PR=(SIP, DIP, SPT, DPT, PTL, Tt, AML);
Step 2: filter datagram records
The datagram record filtering module filters the datagram records PR in the datagram record table PRT according to the first filtering rule set FFR;
Step 3: extract network flows
The network flow extraction module first accepts the timeout interval TO entered by the defender; it then processes the datagram records PR in the datagram record table PRT in order of their acquisition time Tt according to the network flow extraction policy FEP;
Step 4: screen flow records
The network flow record filtering module filters out irrelevant network flow records according to the second filtering rule set SFR; the first aspect of the second filtering rule set SFR is the specific communication filtering rule SCFR, which specifies a datagram count PN of 1 and a byte count BN of 0; the network flow record filtering module deletes from the network flow record table FRT those network flow records FR that match the specific communication filtering rule SCFR; the second aspect is the P2P communication filtering rule PPFR, which specifies particular values of the network flow feature FFT; the network flow record filtering module deletes from the network flow record table FRT those network flow records FR whose network flow feature FFT matches the P2P communication filtering rule PPFR;
Step 5: cluster the network flows
The network flow clustering module first accepts the command and control feature set CCFFT entered by the defender; it then normalizes the network flow features FFT of the network flow records FR in the network flow record table FRT with the max-min method MM; finally it clusters the network flow records FR in the network flow record table FRT and takes the one or more clusters whose centre is close to a feature in the command and control feature set CCFFT as the P2P botnet command and control network flow set CCS; the max-min method MM takes the minimum value MIN and the maximum value MAX of the data set, and then replaces each datum D of the data set by D-MIN divided by MAX-MIN;
Step 6: display the result
The data association and result display module first extracts the IP address set IPS from the command and control network flow set CCS; it then represents each IP address in the IP address set IPS as a vertex and draws an edge between the source IP address SIP and destination IP address DIP of each network flow record FR in the command and control network flow set CCS; the resulting vertices and edges constitute the P2P botnet structure detected by the defender.
2. The method for detecting P2P botnet structure based on network flow clustering according to claim 1, characterized in that in step 1, when PTL is the TCP protocol, the application layer message length AML is computed as ITL-IHL-THL.
3. The method for detecting P2P botnet structure based on network flow clustering according to claim 1, characterized in that in step 1, when PTL is the UDP protocol, the application layer message length AML is computed as ITL-IHL-THL+8.
4. The method for detecting P2P botnet structure based on network flow clustering according to claim 1, characterized in that in step 2, the first aspect of the first filtering rule set FFR is the protocol type filtering rule PFR, and the datagram record filtering module deletes from the datagram record table PRT those datagram records PR whose protocol field type PTL differs from the protocol type filtering rule PFR; the second aspect is the white list filtering rule WLFR, which contains the IP addresses the defender trusts, and the datagram record filtering module deletes from the datagram record table PRT those datagram records PR whose source IP address SIP or destination IP address DIP matches the white list filtering rule WLFR; the third aspect is the blacklist filtering rule BLFR, which contains the IP addresses the defender suspects, and the datagram record filtering module deletes from the datagram record table PRT those datagram records PR whose source IP address SIP or destination IP address DIP does not match the blacklist filtering rule BLFR.
5. The method for detecting P2P botnet structure based on network flow clustering according to claim 1, characterized in that in step 3, a network flow record FR includes the source IP address SIP, destination IP address DIP, source port number SPT, destination port number DPT, protocol type PTL, start time ST, end time ET, datagram count PN, byte count BN, network flow duration DRT, average bytes per datagram BPP, average datagrams per second PPS and average bytes per second BPS; in mathematical tuple form, FR=(SIP, DIP, SPT, DPT, PTL, ST, ET, PN, BN, DRT, BPP, PPS, BPS); network flow records FR are stored in the network flow record table FRT.
6. The method for detecting P2P botnet structure based on network flow clustering according to claim 1, characterized in that in step 3, the network flow feature FFT includes the network flow duration DRT, average bytes per datagram BPP, average datagrams per second PPS and average bytes per second BPS; in mathematical tuple form, FFT=(DRT, BPP, PPS, BPS).
7. The method for detecting P2P botnet structure based on network flow clustering according to claim 1, characterized in that in step 3, the network flow feature FFT is calculated according to the network flow feature calculation policy FFTCP. The network flow feature calculation policy FFTCP computes the network flow duration DRT as the difference between the start time ST and the end time ET, the average bytes per datagram BPP as BN/PN, the average datagrams per second PPS as PN/DRT, and the average bytes per second BPS as BN/DRT.
Application CN201010573650A, filed 2010-12-06 (priority date 2010-12-06): Method for detecting P2P botnet structure based on network flow clustering; granted as CN102014025B (en); status Expired - Fee Related

Publications (2)

Publication Number Publication Date
CN102014025A 2011-04-13
CN102014025B 2012-09-05

Family

ID=43844051

Country Status (1)

Country Link
CN (1) CN102014025B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1906620A1 (en) * 2006-09-29 2008-04-02 AT&T Corp. Method and apparatus for detecting compromised host computers
US20080307526A1 (en) * 2007-06-07 2008-12-11 Mi5 Networks Method to perform botnet detection
CN101360019A (en) * 2008-09-18 2009-02-04 华为技术有限公司 Detection method, system and apparatus of zombie network
CN101404658A (en) * 2008-10-31 2009-04-08 北京锐安科技有限公司 Method and system for detecting bot network
CN101741862A (en) * 2010-01-22 2010-06-16 西安交通大学 System and method for detecting IRC bot network based on data packet sequence characteristics
CN101753377A (en) * 2009-12-29 2010-06-23 吉林大学 p2p_botnet real-time detection method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Junfeng Duan et al., "Descriptive Model of Peer-to-Peer Botnet Structures", 2010 International Conference on Educational and Information Technology (ICEIT 2010), 2010-09-19, pp. V3-153 to V3-157, 2 *

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571487B (en) * 2011-12-20 2014-05-07 东南大学 Distributed bot network scale measuring and tracking method based on multiple data sources
CN102571487A (en) * 2011-12-20 2012-07-11 东南大学 Distributed bot network scale measuring and tracking method based on multiple data sources
CN103532969A (en) * 2013-10-23 2014-01-22 国家电网公司 Zombie network detection method, device and processor
CN104021348A (en) * 2014-06-26 2014-09-03 中国人民解放军国防科学技术大学 Real-time detection method and system of dormant P2P (Peer to Peer) programs
CN104021348B (en) * 2014-06-26 2017-01-11 中国人民解放军国防科学技术大学 Real-time detection method and system of dormant P2P (Peer to Peer) programs
CN104683346A (en) * 2015-03-06 2015-06-03 西安电子科技大学 P2P botnet detection device and method based on flow analysis
CN105516096A (en) * 2015-11-30 2016-04-20 睿峰网云(北京)科技股份有限公司 Botnet network discovery technology and apparatus
CN105516096B (en) * 2015-11-30 2018-10-30 睿峰网云(北京)科技股份有限公司 A kind of Botnet discovery technique and device
CN105827630B (en) * 2016-05-03 2019-11-12 国家计算机网络与信息安全管理中心 Botnet attribute recognition approach, defence method and device
CN105827630A (en) * 2016-05-03 2016-08-03 国家计算机网络与信息安全管理中心 Botnet attribute identification method, defense method and device
CN107864110B (en) * 2016-09-22 2021-02-02 中国电信股份有限公司 Botnet main control terminal detection method and device
CN107864110A (en) * 2016-09-22 2018-03-30 中国电信股份有限公司 Botnet main control end detection method and device
CN106790245A (en) * 2017-01-20 2017-05-31 中新网络信息安全股份有限公司 A kind of real-time Botnet detection method based on cloud service
CN106790245B (en) * 2017-01-20 2020-06-19 中新网络信息安全股份有限公司 Real-time botnet detection method based on cloud service
CN107273409A (en) * 2017-05-03 2017-10-20 广州赫炎大数据科技有限公司 A kind of network data acquisition, storage and processing method and system
CN108965248A (en) * 2018-06-04 2018-12-07 上海交通大学 A kind of P2P Botnet detection system and method based on flow analysis
CN108965248B (en) * 2018-06-04 2021-08-20 上海交通大学 P2P botnet detection system and method based on traffic analysis

Also Published As

Publication number Publication date
CN102014025B (en) 2012-09-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120905

Termination date: 20141206

EXPY Termination of patent right or utility model