CN108965248B - P2P botnet detection system and method based on traffic analysis - Google Patents


Info

Publication number: CN108965248B
Authority: CN (China)
Prior art keywords: botnet, communication, module, detection, flow
Legal status: Active
Application number: CN201810565197.1A
Other languages: Chinese (zh)
Other versions: CN108965248A (en)
Inventors: 邹福泰, 张奕, 吴越
Current assignee: Shanghai Shiyue Computer Technology Co ltd
Original assignee: Shanghai Jiaotong University
Priority date: 2018-06-04
Filing date: 2018-06-04
Publication dates: 2018-12-07 (CN108965248A), 2021-08-20 (CN108965248B)
Application filed by Shanghai Jiaotong University

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144Detection or countermeasures against botnets

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a P2P botnet detection system based on traffic analysis, belonging to the field of computer network security. The system comprises a network traffic receiving module, a communication structure graph construction module, a detection algorithm module and a database module. The network traffic receiving module obtains network traffic from different monitoring points; the detection algorithm module discovers P2P structures in the communication structure graph with a community discovery algorithm, detects the P2P botnet with an ensemble of decision tree and Bayesian network machine learning methods, and tracks the communication of detected nodes with other nodes; the database module stores the relevant data. The invention also discloses a P2P botnet detection method based on traffic analysis. The invention does not use the port as a feature, which avoids detection failure caused by port randomization; it performs P2P botnet detection based on traffic analysis, improves detection efficiency by filtering out benign network traffic, reduces the amount of data to be processed by using packet length rather than packet payload as a feature, can efficiently identify P2P botnet communication, and provides support for intrusion detection systems.

Description

P2P botnet detection system and method based on traffic analysis
Technical Field
The invention relates to the field of computer network security, in particular to a P2P botnet detection system and method based on traffic analysis.
Background
A botnet is a large number of Internet hosts under the control of an attacker, who uses a C&C (command and control) channel to issue commands to the hosts in the botnet. Botnets are commonly used to launch distributed denial-of-service (DDoS) attacks, send spam, mine bitcoin and carry out other attacks.
In a P2P (peer-to-peer) network, also called peer-to-peer technology, every node has equal capabilities and there is usually no reliance on a central node. The decentralized nature of P2P networks makes them hard to discover, and their distributed nature also copes well with single points of failure. As users came to have ever more powerful servers, storage and bandwidth at the beginning of the 21st century, the share of the Internet with a P2P architecture rose sharply; since the P2P model has been plagued by privacy, piracy and similar problems, that share later declined.
There are many kinds of P2P botnet, but the lowest layer of all of them is a P2P overlay network made up of peer bot hosts. An attacker can issue commands to the controlled bot hosts by setting up a super-agent node, and can also encrypt the commands with asymmetric encryption, so as to direct the botnet to continue attacking.
Early botnet detection work inspected traffic packets on particular ports using a port-and-signature approach, which fails when the botnet encrypts its traffic or randomizes its communication port.
Some later detection methods use graph clustering to detect P2P traffic, but they do not analyze benign P2P traffic, consume large computing resources and have low detection efficiency; in addition, the graph they produce cannot be extended.
Accordingly, those skilled in the art have endeavored to develop a P2P botnet detection system based on traffic analysis that does not rely on the communication port for detection, distinguishes benign from malicious P2P traffic and improves detection efficiency, and in which the botnet structure obtained by the system can be extended by further tracking on the basis of the botnet the system has mined.
Disclosure of Invention
In view of the above drawbacks of the prior art, the technical problem solved by the present invention is to distinguish benign from malicious P2P traffic and thereby improve detection efficiency, and further to allow the botnet structure obtained by the system to be extended by further tracking on the basis of the botnet the system has mined.
To achieve this object, the present invention provides a P2P botnet detection system based on traffic analysis, which includes a network traffic receiving module, a communication structure graph construction module, a detection algorithm module and a database module, wherein:
the network traffic receiving module obtains network traffic from programs distributed at different monitoring points, filters out benign network traffic according to filtering rules, and records the remaining uncertain traffic in the database module;
the communication structure graph construction module reads the uncertain traffic records and constructs a communication structure graph;
the detection algorithm module analyzes the generated communication structure graph and judges whether the IP address of each node in the graph is a botnet host;
the database module stores the calculation results of the network traffic receiving module, the communication structure graph construction module and the detection algorithm module.
Further, the filtering rules contain recognized, well-known network addresses.
Further, the filtering rules include benign P2P network addresses already detected by the present system.
Further, the communication structure graph construction module is configured to construct a weighted directed graph with the monitored IP addresses as nodes and the communication between them as edges, and to partition it into subgraphs with a community discovery algorithm in order to find P2P structural subgraphs.
Further, the weights of the weighted directed graph are obtained by calculating the communication similarity between a node and the other nodes connected to it.
Further, the communication similarity is calculated from the timestamp TS and the packet payload length PS.
Further, the detection algorithm module is configured to: merge the communications between nodes of the communication structure graph into sessions between the nodes; for each session, calculate the difference between the session end timestamp and the session start timestamp to obtain the session duration TD, the total payload length APS of packets sent from source IP A to destination IP B, the total payload length BPS of packets sent from source IP B to destination IP A, and the number of communications NOC between the two parties; take APS, BPS, NOC and TD as features and detect malicious P2P traffic with an ensemble classifier combining two machine learning methods, a decision tree and a Bayesian network; add benign P2P networks to the filtering rules of the traffic receiving module; and store the P2P botnet detection result in the database module.
Further, the detection algorithm module is configured to: when a node of the botnet is found communicating with another node that does not belong to the botnet, track the session between the two nodes, calculate its APS, BPS, NOC and TD values and compare them for similarity with the session characteristics of the botnet, and if they are similar, add the node to the existing P2P botnet structure and record it.
The invention also provides a P2P botnet detection method based on traffic analysis, which comprises the following steps:
step 1: for a known communication structure graph, obtain the key field group of the relevant traffic in the graph, where the key field group of one communication comprises the source IP address SIP, the destination IP address DIP, the timestamp TS and the packet payload length PS;
step 2: using the SIP, DIP, TS and PS obtained in step 1 as features, partition the communication structure graph into subgraphs with a community discovery algorithm, discover the P2P structures in it, and obtain the P2P-structure traffic;
step 3: traverse the key field groups belonging to the P2P-structure traffic and group together the communications whose two endpoints are the same pair of IP addresses, i.e. if the SIP and DIP of packet A equal the DIP and SIP of packet B respectively, A and B go into the same group;
step 4: traverse each group from step 3, sort the data in the group by time, and divide the group's data into sessions on the basis of time;
step 5: calculate the difference between the session start timestamp and the session end timestamp to obtain the session duration TD, the total payload length APS of the packets whose SIP is A and DIP is B, the total payload length BPS of the packets whose SIP is B and DIP is A, and the number of communications NOC between the two parties;
step 6: take APS, BPS, NOC and TD as a quadruple and use an ensemble classifier combining two machine learning methods, a decision tree and a Bayesian network, to detect malicious P2P traffic and thereby the P2P botnet;
step 7: store the detection result of step 6 in a database;
step 8: read the IP of a detected host in the P2P botnet, and when that IP is found communicating with other IPs that do not belong to the botnet, obtain the key field group (source IP address SIP, destination IP address DIP, timestamp TS and packet payload length PS) of each such communication;
step 9: track the subsequent communication and calculate the quadruple APS, BPS, NOC and TD;
step 10: compare the quadruple obtained in step 9 for similarity with the quadruple of the existing botnet; if it is malicious traffic, add the new node to the P2P botnet and record it in the database.
In a preferred embodiment of the present invention, the filtering rules consist of the recognized benign traffic of the top 10000 sites in the Alexa ranking and the normal network traffic of the benign P2P networks detected by the present system, which greatly reduces the amount of data to be processed in the subsequent steps.
The invention discloses a P2P botnet detection system and method based on network traffic, which gathers the network traffic monitored by different nodes distributed across the network, takes that traffic as input, and produces the botnet detection result as output. The invention does not use the ports of the two communicating parties as detection features, which avoids the failure of the detection method under port randomization; it performs P2P botnet detection based on traffic analysis, improves detection efficiency by filtering out benign network traffic, and uses the length of the traffic packets rather than their specific payload as the feature, which reduces the amount of data to process while still identifying P2P botnet communication efficiently. At the same time, the invention can track further on the basis of the botnet results the system already holds, so that the detection result can be extended. The final detection result makes P2P botnet communication behavior recognizable and can provide support for intrusion detection systems.
The conception, the specific structure and the technical effects of the present invention will be further described with reference to the accompanying drawings to fully understand the objects, the features and the effects of the present invention.
Drawings
FIG. 1 is a system diagram of a preferred embodiment of the present invention;
FIG. 2 is a flow chart of a network traffic receiving module in accordance with a preferred embodiment of the present invention;
FIG. 3 shows the P2P botnet detection process in the detection algorithm module of a preferred embodiment of the present invention;
FIG. 4 shows the P2P botnet tracking process in the detection algorithm module of a preferred embodiment of the present invention;
FIG. 5 is a flow chart of a preferred embodiment of the present invention.
Detailed Description
The technical contents of the preferred embodiments of the present invention will be more clearly and easily understood by referring to the drawings attached to the specification. The present invention may be embodied in many different forms of embodiments and the scope of the invention is not limited to the embodiments set forth herein.
In the drawings, structurally identical elements are represented by like reference numerals, and structurally or functionally similar elements are represented by like reference numerals throughout the several views. The size and thickness of each component shown in the drawings are arbitrarily illustrated, and the present invention is not limited to the size and thickness of each component. The thickness of the components may be exaggerated where appropriate in the figures to improve clarity.
As shown in FIG. 1, the system is composed of four modules: a network traffic receiving module, a communication structure graph construction module, a detection algorithm module and a database module.
The system runs a monitoring program at each peer node to collect network traffic. The collected traffic enters the network traffic receiving module, benign traffic is filtered out according to the filtering rules, and the remaining uncertain network traffic is stored in the database module;
the communication structure graph construction module reads the uncertain traffic records and builds a weighted directed communication structure graph with the monitored IP addresses as nodes and the communication between them as edges;
the detection algorithm module analyzes the generated communication structure graph, judges whether the IP address of each node in the graph is a botnet host, and then tracks the botnet further;
the database module stores the calculation results of the network traffic receiving module, the communication structure graph construction module and the detection algorithm module, namely the filtered network traffic, the benign P2P network structures that have been observed, the P2P botnet structures and the characteristics of those structures.
As shown in FIG. 2, the network traffic receiving module works as follows:
the module traverses the monitoring points at the peer nodes and obtains the network traffic they collected with NetFlow;
it judges whether the traffic belongs to the recognized benign traffic of the top 10000 sites in the Alexa ranking, and if so discards it;
if not, it judges whether the traffic belongs to a benign P2P network already detected by the system, and if so discards it;
if not, it stores the traffic in the database;
it then judges the next flow, until the traversal is complete.
The screening performed by the network traffic receiving module greatly reduces the amount of network traffic that needs further judgment.
As shown in FIG. 3, the P2P botnet detection process in the detection algorithm module is as follows:
from the communication structure graph built by the communication structure graph construction module, the detection algorithm module calculates the communication similarity between each node and the other nodes connected to it, using the timestamp TS and the packet payload length PS. The calculated similarity is used as the edge weight, a community discovery algorithm partitions the graph into subgraphs, and the P2P structural subgraphs are found;
the communications between nodes are merged into sessions between the nodes;
the values of APS, BPS, NOC and TD are calculated from the TS and PS values of the communications, the number of communications in the session and the number of packets exchanged; these values are used as features, and malicious P2P traffic is detected with an ensemble classifier combining two machine learning methods, a decision tree and a Bayesian network;
benign P2P networks are added to the filtering rules of the traffic receiving module, and the P2P botnet detection results are stored in the database.
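The weighted communication graph and community-discovery step described above, as an added Python example; it is not code from the patent or its assignee. The page says the edge weight is a "communication similarity" computed from TS and PS and that a "community discovery algorithm" cuts out the P2P structural subgraphs, but it names neither the similarity measure nor the algorithm. This example therefore assumes cosine similarity between per-node histograms of PS values and of gaps between consecutive TS values, weighted label propagation for community discovery, and a minimum size and internal edge density for calling a community a P2P structure. All packets are constructed sample data.

```python
"""Weighted directed communication graph, TS/PS similarity, community discovery.

Added example for the CN108965248B page; not the patent's own code.
Assumptions (not stated on the page): cosine similarity of PS/TS-gap
histograms as edge weight; weighted label propagation as the community
discovery algorithm; MIN_SIZE / MIN_DENSITY as the P2P-structure test.
A packet is the key field group of the method: (SIP, DIP, TS, PS).
"""
import bisect
import math
from collections import defaultdict
from itertools import combinations, permutations

PS_BINS = [128, 512, 1024]        # payload-length bucket edges in bytes (assumed)
GAP_BINS = [5.0, 60.0]            # inter-packet gap bucket edges in seconds (assumed)
MIN_SIZE, MIN_DENSITY = 3, 0.5    # assumed thresholds for a P2P structural subgraph


def node_profiles(packets):
    """Per IP: histogram of PS values + histogram of gaps between its TS values."""
    ps_hist = defaultdict(lambda: [0] * (len(PS_BINS) + 1))
    stamps = defaultdict(list)
    for sip, dip, ts, ps in packets:
        for node in (sip, dip):                       # a node sees sent and received packets
            ps_hist[node][bisect.bisect_right(PS_BINS, ps)] += 1
            stamps[node].append(ts)
    profiles = {}
    for node, times in stamps.items():
        times.sort()
        gap_hist = [0] * (len(GAP_BINS) + 1)
        for a, b in zip(times, times[1:]):
            gap_hist[bisect.bisect_right(GAP_BINS, b - a)] += 1
        profiles[node] = ps_hist[node] + gap_hist
    return profiles


def cosine(u, v):
    """Cosine similarity of two histograms; 0.0 when either is empty."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0


def build_graph(packets):
    """Weighted directed graph: IPs are nodes, SIP->DIP edges carry the similarity."""
    profiles = node_profiles(packets)
    graph = defaultdict(dict)
    for sip, dip, _, _ in packets:
        if dip not in graph[sip]:
            graph[sip][dip] = cosine(profiles[sip], profiles[dip])
    return graph


def label_propagation(graph, max_iter=50):
    """Weighted label propagation on the undirected view; deterministic order."""
    und = defaultdict(dict)
    for a, nbrs in graph.items():
        for b, w in nbrs.items():
            und[a][b] = und[b][a] = max(w, und[a].get(b, 0.0))
    labels = {n: n for n in und}
    for _ in range(max_iter):
        changed = False
        for n in sorted(und):
            score = defaultdict(float)
            for m, w in und[n].items():
                score[labels[m]] += w                 # neighbour labels weighted by similarity
            if not score:
                continue
            best = min(score, key=lambda l: (-score[l], l))   # highest weight, then smallest label
            if best != labels[n]:
                labels[n], changed = best, True
        if not changed:
            break
    comms = defaultdict(set)
    for n, l in labels.items():
        comms[l].add(n)
    return [frozenset(c) for c in comms.values()], und


def p2p_subgraphs(packets):
    """Communities that pass the size and internal-density test."""
    comms, und = label_propagation(build_graph(packets))
    found = []
    for c in comms:
        if len(c) < MIN_SIZE:
            continue
        edges = sum(1 for a, b in combinations(c, 2) if b in und[a])
        if edges / (len(c) * (len(c) - 1) / 2) >= MIN_DENSITY:
            found.append(c)
    return found


def sample_packets():
    """Constructed traffic: two fully meshed groups plus one stray cross-group packet."""
    pkts = []
    bots = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]        # small keep-alives every 30 s
    for a, b in permutations(bots, 2):
        pkts += [(a, b, 30.0 * k, 64) for k in range(3)]
    share = ["10.0.1.1", "10.0.1.2", "10.0.1.3"]       # bulk transfers 1 s apart
    for a, b in permutations(share, 2):
        pkts += [(a, b, 1000.0 + k, 1400) for k in range(3)]
    pkts.append(("10.0.0.3", "10.0.1.1", 500.0, 512))  # one contact between the groups
    return pkts


if __name__ == "__main__":
    for sub in p2p_subgraphs(sample_packets()):
        print(sorted(sub))
```

On the constructed data the two meshed groups come out as two separate communities because the within-group edge weights (near 1.0) outweigh the single cross-group edge; the port never enters the computation, which is the property the page claims for the method.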
As shown in FIG. 4, the P2P botnet tracking process in the detection algorithm module is as follows:
the tracking process builds on the P2P botnets the system has already detected. As time goes on a botnet may infect more and more hosts and grow larger and larger, and the tracking process lets the system keep up with this growth.
First, the communication traffic between nodes in the botnet and other nodes that do not belong to it is obtained;
the communication between the two nodes is tracked and a session is established;
the values of APS, BPS, NOC and TD are calculated and compared for similarity with the session characteristics of the botnet;
if they are similar, the node is added to the existing P2P botnet structure and recorded.
As shown in FIG. 5, the steps of the P2P botnet detection method based on network traffic are as follows:
step S1: for a known communication structure graph, obtain the key field group of the relevant traffic in the graph, where the key field group of one communication comprises the source IP address SIP, the destination IP address DIP, the timestamp TS and the packet payload length PS;
step S2: using the SIP, DIP, TS and PS obtained in step S1 as features, partition the communication structure graph into subgraphs with a community discovery algorithm, discover the P2P structures in it, and obtain the P2P-structure traffic;
step S3: traverse the key field groups belonging to the P2P-structure traffic and group together the communications whose two endpoints are the same pair of IP addresses, i.e. if the SIP and DIP of packet A equal the DIP and SIP of packet B respectively, A and B go into the same group;
step S4: traverse each group from step S3, sort the data in the group by time, and divide the group's data into sessions on the basis of time;
step S5: calculate the difference between the session start timestamp and the session end timestamp to obtain the session duration TD, the total payload length APS of the packets whose SIP is A and DIP is B, the total payload length BPS of the packets whose SIP is B and DIP is A, and the number of communications NOC between the two parties;
step S6: take (APS, BPS, NOC, TD) as a quadruple and use an ensemble classifier combining two machine learning methods, a decision tree and a Bayesian network, to detect malicious P2P traffic and thereby the P2P botnet;
step S7: store the detection result of step S6 in a database;
step S8: read the IP of a detected host in the P2P botnet, and when that IP is found communicating with other IPs that do not belong to the botnet, obtain the key field group (source IP address SIP, destination IP address DIP, timestamp TS and packet payload length PS) of each such communication;
step S9: track the subsequent communication and calculate the quadruple (APS, BPS, NOC, TD);
step S10: compare the quadruple obtained in step S9 for similarity with the quadruple of the existing botnet; if it is malicious traffic, add the new node to the P2P botnet and record it in the database.
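Steps S3 to S5 and S8 to S10 above (the same steps appear as steps 3 to 5 and 8 to 10 in the Disclosure), as an added Python example that is not code from the patent or its assignee. The page does not say how a group is cut into sessions or how the similarity comparison in step S10 is made, so this example assumes that a session ends after SESSION_GAP seconds of silence and that a quadruple is "similar" when every component is within a relative TOLERANCE of the component-wise median of the known botnet's quadruples. A is taken to be the SIP of the first packet in the session. All traffic is constructed sample data; the ensemble classifier of step S6 is not reproduced here.

```python
"""Session features (APS, BPS, NOC, TD) and botnet tracking by quadruple similarity.

Added example for the CN108965248B page; not the patent's own code.
Packets are key field groups (SIP, DIP, TS, PS). SESSION_GAP, TOLERANCE and the
median-based profile are assumptions; the page specifies none of them.
"""
from collections import defaultdict
from statistics import median

SESSION_GAP = 120.0   # seconds of silence that ends a session (assumption)
TOLERANCE = 0.5       # relative tolerance for "similar" quadruples (assumption)


def group_by_pair(packets):
    """Step 3: packets A->B and B->A land in the same group."""
    groups = defaultdict(list)
    for sip, dip, ts, ps in packets:
        groups[frozenset((sip, dip))].append((sip, dip, ts, ps))
    return groups


def split_sessions(pkts, gap=SESSION_GAP):
    """Step 4: sort the group by TS and start a new session after `gap` seconds of silence."""
    pkts = sorted(pkts, key=lambda p: p[2])
    sessions, current = [], [pkts[0]]
    for prev, cur in zip(pkts, pkts[1:]):
        if cur[2] - prev[2] > gap:
            sessions.append(current)
            current = []
        current.append(cur)
    sessions.append(current)
    return sessions


def quadruple(session):
    """Step 5: ((A, B), (APS, BPS, NOC, TD)); A is the SIP of the first packet."""
    a, b = session[0][0], session[0][1]
    aps = sum(ps for sip, dip, _, ps in session if (sip, dip) == (a, b))
    bps = sum(ps for sip, dip, _, ps in session if (sip, dip) == (b, a))
    noc = len(session)                     # number of communications in the session
    td = session[-1][2] - session[0][2]    # end timestamp minus start timestamp
    return (a, b), (aps, bps, noc, td)


def session_features(packets):
    """Steps 3 to 5 end to end: one quadruple per session."""
    feats = []
    for pkts in group_by_pair(packets).values():
        for s in split_sessions(pkts):
            feats.append(quadruple(s))
    return feats


def botnet_profile(quads):
    """Component-wise median of the known botnet's session quadruples."""
    return tuple(median(q[i] for q in quads) for i in range(4))


def is_similar(quad, profile, tol=TOLERANCE):
    """Step 10 comparison: every component within `tol` (relative) of the profile."""
    return all(abs(x - ref) <= tol * max(abs(ref), 1.0)
               for x, ref in zip(quad, profile))


def track(packets, botnet, profile):
    """Steps 8 to 10: sessions between one bot and one outsider; return outsiders to add."""
    new_nodes = set()
    for (a, b), quad in session_features(packets):
        if (a in botnet) != (b in botnet):           # exactly one side is a known bot
            outsider = b if a in botnet else a
            if is_similar(quad, profile):
                new_nodes.add(outsider)
    return new_nodes


def exchange(a, b, start, sizes=(64, 64, 128)):
    """Constructed keep-alive pattern: A->B, B->A, A->B, 30 s apart."""
    return [(a, b, start, sizes[0]),
            (b, a, start + 30.0, sizes[1]),
            (a, b, start + 60.0, sizes[2])]


def sample_bot_traffic():
    """Constructed traffic between known bots: two sessions per pair, 1000 s apart."""
    pkts = []
    for a, b in [("10.0.0.1", "10.0.0.2"), ("10.0.0.2", "10.0.0.3")]:
        pkts += exchange(a, b, 0.0) + exchange(a, b, 1000.0)
    return pkts


def sample_tracking_traffic():
    """Constructed traffic from bot 10.0.0.3 to two IPs outside the botnet."""
    pkts = exchange("10.0.0.3", "10.0.5.5", 2000.0)            # same pattern as the bots
    pkts += [("10.0.0.3", "10.0.9.9", 3000.0, 500)]            # download-like exchange
    pkts += [("10.0.9.9", "10.0.0.3", 3000.0 + k, 1400) for k in (1, 2, 3)]
    return pkts


if __name__ == "__main__":
    bots = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}
    known = [q for _, q in session_features(sample_bot_traffic())]
    profile = botnet_profile(known)
    print("botnet session profile:", profile)
    print("new bot candidates:", track(sample_tracking_traffic(), bots, profile))
```

With the constructed data every known bot session yields the quadruple (192, 64, 3, 60.0); the outsider 10.0.5.5 reproduces that pattern and is added, while 10.0.9.9, whose session is a short bulk download, is rejected. Using the session quadruple rather than the port or payload bytes is what lets the comparison survive port randomization and encryption, as the page argues.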
The foregoing detailed description of the preferred embodiments of the invention has been presented. It should be understood that numerous modifications and variations could be devised by those skilled in the art in light of the present teachings without departing from the inventive concepts. Therefore, the technical solutions available to those skilled in the art through logic analysis, reasoning and limited experiments based on the prior art according to the concept of the present invention should be within the scope of protection defined by the claims.

Claims (5)

1. A P2P botnet detection system based on traffic analysis, characterized in that it comprises a network traffic receiving module, a communication structure graph construction module, a detection algorithm module and a database module, wherein:
the network traffic receiving module obtains network traffic from programs distributed at different monitoring points, filters out benign network traffic according to filtering rules and records the uncertain traffic in the database module;
the communication structure graph construction module reads the uncertain traffic records and constructs a communication structure graph;
the detection algorithm module analyzes the communication structure graph and judges whether the IP address of each node in the graph is a botnet host;
the database module stores the calculation results of the network traffic receiving module, the communication structure graph construction module and the detection algorithm module;
the filtering rules comprise recognized benign network addresses;
the filtering rules comprise benign P2P network addresses detected by the system;
the communication structure graph construction module is configured to construct a weighted directed graph with the monitored IP addresses as nodes and the communication between them as edges, and to partition it into subgraphs with a community discovery algorithm to find P2P structural subgraphs;
the detection algorithm module is configured to: merge the communications between the nodes of the communication structure graph into sessions between the nodes; calculate the difference between the session end timestamp and the session start timestamp to obtain the session duration TD, the total payload length APS of packets sent from source IP A to destination IP B, the total payload length BPS of packets sent from source IP B to destination IP A, and the number of communications NOC between the two parties; take APS, BPS, NOC and TD as features and detect malicious P2P traffic with an ensemble classifier combining two machine learning methods, a decision tree and a Bayesian network; add benign P2P networks to the filtering rules of the traffic receiving module; and store the P2P botnet detection result in the database module.
2. The P2P botnet detection system based on traffic analysis of claim 1, wherein the weights of the weighted directed graph are obtained by calculating the communication similarity between a node and the other nodes connected to it.
3. The P2P botnet detection system based on traffic analysis of claim 2, wherein the communication similarity is calculated from the timestamp TS and the packet payload length PS.
4. The P2P botnet detection system based on traffic analysis of claim 1, wherein the detection algorithm module is configured to: when a node of the botnet is found communicating with another node that does not belong to the botnet, track the session between the two nodes, calculate its APS, BPS, NOC and TD values and compare them for similarity with the session characteristics of the botnet, and if they are similar, add the node to the existing P2P botnet structure and record it.
5. A P2P botnet detection method based on traffic analysis, characterized in that it comprises the following steps:
step 1: for a known communication structure graph, obtain the key field group of the relevant traffic in the graph, where the key field group of one communication comprises the source IP address SIP, the destination IP address DIP, the timestamp TS and the packet payload length PS;
step 2: using the SIP, DIP, TS and PS obtained in step 1 as features, partition the communication structure graph into subgraphs with a community discovery algorithm, discover the P2P structures in it, and obtain the P2P-structure traffic;
step 3: traverse the key field groups belonging to the P2P-structure traffic and group together the communications whose two endpoints are the same pair of IP addresses;
step 4: traverse each group from step 3, sort the data in the group by time, and divide the group's data into sessions on the basis of time;
step 5: for each session of step 4, calculate the difference between the session start timestamp and the session end timestamp to obtain the session duration TD, the total payload length APS of the packets whose SIP is A and DIP is B, the total payload length BPS of the packets whose SIP is B and DIP is A, and the number of communications NOC between the two parties;
step 6: take the APS, the BPS, the NOC and the TD as a quadruple and use an ensemble classifier combining two machine learning methods, a decision tree and a Bayesian network, to detect malicious P2P traffic and thereby the P2P botnet;
step 7: store the detection result of step 6 in a database;
step 8: read the IP of a detected host in the P2P botnet, and when that IP is found communicating with other IPs that do not belong to the botnet, obtain the key field group (source IP address SIP, destination IP address DIP, timestamp TS and packet payload length PS) of each such communication;
step 9: track the subsequent communication and calculate the quadruple containing the APS, the BPS, the NOC and the TD;
step 10: compare the quadruple obtained in step 9 for similarity with the quadruple of the existing botnet; if it is malicious traffic, add the new node to the P2P botnet and record it in the database.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810565197.1A CN108965248B (en) 2018-06-04 2018-06-04 P2P botnet detection system and method based on traffic analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810565197.1A CN108965248B (en) 2018-06-04 2018-06-04 P2P botnet detection system and method based on traffic analysis

Publications (2)

Publication Number Publication Date
CN108965248A CN108965248A (en) 2018-12-07
CN108965248B true CN108965248B (en) 2021-08-20

Family

ID=64493483


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230301

Address after: No. 588, Longchang Road, Yangpu District, Shanghai, 200090, Room 2602-60, 26th floor, No. 1

Patentee after: SHANGHAI SHIYUE COMPUTER TECHNOLOGY Co.,Ltd.

Address before: 200240 No. 800, Dongchuan Road, Shanghai, Minhang District

Patentee before: SHANGHAI JIAO TONG University