CN110493253A - A kind of Botnet analysis method of the home router based on raspberry pie design - Google Patents
- Publication number: CN110493253A
- Application number: CN201910823540.2A
- Authority: CN (China)
- Prior art keywords: botnet, address, raspberry pie, threat value, domain name
- Legal status: Granted
Classifications
- H04L45/60: Router architectures
- H04L61/4511: Network directories; name-to-address mapping using the domain name system [DNS]
- H04L63/101: Access control lists [ACL]
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/1425: Traffic logging, e.g. anomaly detection
Abstract
The invention discloses a botnet analysis method for a home router built on a Raspberry Pi. The method comprises the following steps: A. monitor the network port using the pyshark library in Python to extract network traffic information, and save the extracted information; B. calculate traffic features from the data obtained in step A; C. accumulate the values of the traffic features calculated in step B by weight to obtain a threat value; D. perform matching detection on the threat value and thereby determine whether the network traffic is botnet traffic. The method extracts and computes features from the router's network traffic and then compares and analyses the computed results, which solves the problem that existing small home routers are insufficiently accurate at detecting and handling botnets.
Description
Technical field
The present invention relates to the field of the Internet of Things, and in particular to a botnet analysis method for a home router built on a Raspberry Pi.
Background technique
With the continuous development of social informatization and the Internet, all kinds of IoT devices have entered people's daily lives. While making life more convenient, these IoT devices have also become targets of criminal attacks and tools to be exploited. A "botnet" is an extremely harmful form of malicious Internet attack: the botnet attacks a target system through a vulnerability, then covertly manipulates the IoT device into downloading a trojan so that it becomes a controlled "puppet". The harm caused by botnets includes, but is not limited to, launching DDoS attacks with large numbers of bot clients, infecting other systems so that they become new bot clients, sending spam and phishing mail, and stealing information. Botnets are therefore a high-risk information security threat that is both self-propagating and highly controllable.
The workflow of a botnet begins with discovering and exploiting a weakness: through social engineering, through a system vulnerability, through a residual trojan backdoor, or through password guessing or cracking. The bot then communicates with the C&C (command and control) server to announce that a new client is online. Today's botnets use a variety of encrypted communication channels to evade monitoring by IDS, firewalls or other means. The purpose of communicating with the C&C server is to update any client modules that may exist, the client list on the C&C side, IP addresses or channel names, and, in a trojan attack, to notify the client when the server side comes online. The C&C server is the communication relay between the bot clients and the bot herder: the bot herder sends instructions to the C&C server, and the C&C server sends instructions to the bot clients.
At present, an enterprise or institution can detect whether a botnet has infected its intranet at two levels, the network and the system: the network level includes traffic detection, firewall/NIDS and log analysis, and the system level includes deploying honeypots and log analysis. For home networks, however, there is currently no small home router on the market that is specifically designed to detect botnets, so household IoT devices are difficult to protect. It is therefore very necessary to build a small home router that can detect botnets, block and isolate them to combat botnet crime, and at the same time collect logs of botnet traffic and study its behaviour.
The only difference between a botnet and other viruses is that a botnet has a unified, highly controllable system; the distribution of bot clients is not limited to any one country, and botnet traffic is almost indistinguishable from normal traffic. A single flow therefore cannot be relied upon to decide whether traffic is botnet traffic; a large amount of data must be analysed and computed accurately. Accurately judging the presence of a botnet is very difficult.
Summary of the invention
The purpose of the present invention is to overcome the deficiencies of the background art described above by providing a botnet analysis method for a home router built on a Raspberry Pi. The method extracts and computes features from the router's network traffic and then compares and analyses the computed results, which solves the problem that existing small home routers are insufficiently accurate at detecting and handling botnets.
In order to achieve the above technical effect, the present invention adopts the following technical scheme:
A botnet analysis method for a home router built on a Raspberry Pi, comprising the following steps:
A. monitor the network port using the pyshark library in Python to extract network traffic information, and save the extracted information;
B. calculate traffic features from the data obtained in step A;
C. accumulate the values of the traffic features calculated in step B by weight to obtain a threat value, where the specific weight of each feature value can be set by the user according to the actual situation;
D. perform matching detection on the threat value and thereby determine whether the network traffic is botnet traffic.
Further, in step A the extracted information is specifically saved as JSON data in the form of [key:value] pairs.
Further, in step B the traffic features are specifically obtained by computing over the acquired JSON data, and the computation specifically includes:
S1. calculating the daily average similarity of the IP;
S2. calculating the port threat value;
S3. querying the IP distribution to obtain the IP distribution threat value;
S4. calculating the domain name random character ratio;
S5. calculating the current network traffic change rate.
Further, the daily average similarity of the IP in S1 is calculated as follows:
where I denotes the average similarity of the IP over n days, n denotes the number of days, and d_{i,j} is the Euclidean distance between the IP address and access count on day i and on day j. Specifically, the Euclidean distance is the commonly used distance definition: the actual distance between two points in m-dimensional space. Because a normal IP address has a similar number of queries and accesses every day, whereas a botnet IP has an unstable number of queries and accesses with huge day-to-day gaps in query counts, examining the day-to-day gap in an IP's query counts helps to judge whether that IP address may belong to a botnet.
Further, the port threat value in S2 is calculated as P = (1 − (r − 1)/A)^(2r), where r is the rank of the port in the known, published ranking of botnet attack query ports and A is the total number of virtual ports, by default 65535. The larger the resulting port threat value, the higher the probability that the traffic is botnet traffic: one of the harms of a botnet is attacking and brute-forcing the service ports exposed by servers, so identifying high-risk access ports in network traffic is also an effective means of screening out botnet traffic.
Further, querying the IP distribution in S3 to obtain the IP distribution threat value J specifically includes:
S3.1 extracting the IP address from the network traffic forwarded by the router, or performing DNS resolution on the domain name to obtain the real IP address;
S3.2 judging by the IP address: if it is an intranet IP address or a local address, no analysis is performed and the IP distribution threat value is J1;
S3.3 if the IP address is an external IP address, judging whether it is on the whitelist or the blacklist: if it is on the whitelist, no analysis is performed and the IP distribution threat value is J0; if it is on the blacklist, the IP distribution threat value is J3; the whitelist and blacklist can be customised by the user;
S3.4 if the IP address is an external IP address whose geolocation is abroad, the IP distribution threat value is J2;
where 0 ≤ J0 < J1 < J2 < J3 ≤ 1. Because botnets spread very widely and are concentrated mainly in North America and Europe, and the domain names of a botnet are queried in the regions where its bots are located, querying the IP distribution can further identify a botnet.
Further, J0 equals 0 and J3 equals 1.
Further, the domain name random character ratio in S4 is calculated as follows:
where n is the number of runs of consecutive letters or digits in the domain name, a_i is the length of the i-th run of consecutive letters or digits in the domain name, l_j is the length of a run of consecutive digits in the domain name, l_k is the length of a run of consecutive letters in the domain name (a run of digits and a run of letters are joined directly, with no separating character), A is the total length of the domain name string, and max(x) denotes the maximum value of x. Because nobody browses to a botnet domain name normally, its memorability is of no concern; randomly generated domain name strings usually mix digits and letters and usually have no multi-level labels. The larger the calculated domain name random character ratio, the more likely the domain belongs to a botnet.
Further, the current network traffic change rate in S5 is calculated as follows:
where f(x) is the network traffic as a function of time. The network traffic change rate essentially describes the trend of a steep rise in network traffic and the state of excessive traffic after the rise. Because a botnet client usually generates a sharp increase in network traffic when exchanging instructions with the C&C (command and control) server or executing a function, sharply rising traffic is always anomalous; when excessive traffic leaves the router's CPU and memory unable to cope, the traffic can be sampled for further analysis, and the above calculation can serve as an auxiliary basis for judgement.
Further, step D compares the threat value obtained in step C with a default threshold: when the threat value is greater than or equal to the default threshold, the network traffic is judged to be botnet traffic; otherwise it is judged not to be botnet traffic. The default threshold can be set according to the specific situation.
Compared with the prior art, the present invention has the following beneficial effects:
The botnet analysis method of the invention converts a Raspberry Pi computer into a home router and uses a Python script to monitor and analyse the network traffic passing through the router; it then extracts traffic features and performs detection matching, increasing the threat value of traffic that hits a detection rule. When the threat value exceeds a default threshold (the threshold size can be customised), the traffic is judged to be botnet traffic, intercepted, and its data stored in a database for long-term analysis and comparison.
This remedies the deficiency of existing small home routers in detecting and handling botnets and, through traffic analysis, extracts botnet traffic logs from the network traffic so that botnets can be analysed and handled. A router built on a Raspberry Pi is compact, powerful, power-saving, high-performance and highly extensible; the list-based detection method provides user-friendly and flexible botnet detection rules; and a front-end display module shows the router's network traffic so that the user can conveniently and intuitively observe botnet traffic.
Detailed description of the invention
Fig. 1 is a schematic diagram of the design concept of the Raspberry Pi router of the invention.
Fig. 2 is a schematic flow diagram of botnet detection and handling in the botnet analysis method of the Raspberry Pi home router of the invention.
Fig. 3 is a schematic flow diagram of the list-system detection rules and data acquisition in the botnet analysis method of the Raspberry Pi home router of the invention.
Specific embodiment
The invention is further elaborated below with reference to its embodiments.
Embodiment:
Embodiment one:
First, this embodiment discloses a method of turning a Raspberry Pi into a routing device. As shown in Fig. 1, a home router is built on a Raspberry Pi with a wireless network card, and the specific implementation steps are as follows:
Step 1: prepare a Raspberry Pi 3 Model B+, a wireless network card (Fast FW150UD, AR9271 chipset), a power cable (5 V, 2 A) and two network cables.
Step 2: prepare a 128M SD card and write the OpenWrt disk image to it. OpenWrt provides a writable file system to which software packages can be added.
Step 3: create the boot disk with the command `dd if=~/name.img of=/dev/sdX`, where `~/name.img` is the absolute path and file name of the OpenWrt image and `sdX` is the device name.
Step 4: change the default IPv4 address of the built-in network card.
Step 5: install the USB network card driver and hostapd (open a browser at the address configured above to enter the OpenWrt configuration interface, select System > Software, and click to update the package list). hostapd is a tool for creating an open or encrypted (WEP, WPA, WPA2, etc.) wireless network.
Step 6: restart the Raspberry Pi.
Step 7: create two databases on the Raspberry Pi: a list-system database (fields: unique id, list type, domain name, IP) and a botnet log database (fields: unique id, domain name, IP, traffic features).
Step 8: download and install the Python environment on the Raspberry Pi. Running the Python script completes the Raspberry Pi router with botnet analysis.
Fig. 2 shows the botnet analysis method that uses the above Raspberry Pi home router. Note that other prior-art methods of turning a Raspberry Pi into a routing device also exist and can be chosen according to the specific situation.
The botnet analysis method of the Raspberry Pi home router of this embodiment specifically includes:
Step 1. Monitor the network port using the pyshark library in Python to extract network traffic information, and save the extracted information as JSON data in the form of [key:value] pairs.
Network traffic data is acquired by a script written with the pyshark library in Python. The pyshark library can sniff on a network interface and obtain the complete information of each packet; regular-expression matching then filters out the analysis log used in the analysis step.
Step 2. Obtain the traffic features by computing over the acquired JSON data; in the Python script, each traffic feature is implemented by a different function. The computation specifically includes:
S1. Calculate the daily average similarity I of the IP.
The calculation is as follows:
where I denotes the average similarity of the IP over n days, n denotes the number of days, and d_{i,j} is the Euclidean distance between the IP address and access count on day i and on day j. Specifically, the Euclidean distance is the commonly used distance definition: the actual distance between two points in m-dimensional space. Because a normal IP address has a similar number of queries and accesses every day, whereas a botnet IP has an unstable number of queries and accesses with huge day-to-day gaps in query counts, examining the day-to-day gap in an IP's query counts helps to judge whether that IP address may belong to a botnet.
For example, assume the IP of the local Raspberry Pi router is 11.11.11.11 and the IP of the botnet is 22.22.22.22. Converted to binary, the IP addresses are 00001011000010110000101100001011 and 00010110000101100001011000010110; the address is taken as the one-dimensional variable x and the botnet's daily query count as the second-dimensional variable y, so the Euclidean distance formula in two-dimensional space is as follows:
Assume that an IP or domain name is queried 10 times on each of the first and second days, 30000 times on the third day and 40 times on the fourth day; then the daily average similarity of the IP is calculated from the formula starting from the third day, and again on the fourth day.
S2. Calculate the port threat value P.
The calculation is P = (1 − (r − 1)/A)^(2r), where r is the rank of the port in the known, published ranking of botnet attack query ports and A is the total number of virtual ports, by default 65535. The larger the resulting port threat value, the higher the probability that the traffic is botnet traffic: one of the harms of a botnet is attacking and brute-forcing the service ports exposed by servers, so identifying high-risk access ports in network traffic is also an effective means of screening out botnet traffic.
In this embodiment, if the port requested by the network traffic is port 23, and this port is ranked tenth in the botnet port threat survey, then the port threat value is P = (1 − (10 − 1)/65535)^20 ≈ 0.9973.
S3. Query the IP distribution to obtain the IP distribution threat value J.
This specifically includes:
S3.1 extracting the IP address from the network traffic forwarded by the router, or performing DNS resolution on the domain name to obtain the real IP address;
S3.2 judging by the IP address: if it is an intranet IP address or a local address, no analysis is performed and the IP distribution threat value is J1;
S3.3 if the IP address is an external IP address, judging whether it is on the whitelist or the blacklist: if it is on the whitelist, no analysis is performed and the IP distribution threat value is J0; if it is on the blacklist, the IP distribution threat value is J3; the whitelist and blacklist can be customised by the user;
S3.4 if the IP address is an external IP address whose geolocation is abroad, the IP distribution threat value is J2;
where 0 ≤ J0 < J1 < J2 < J3 ≤ 1.
Specifically, Fig. 3 shows how data is acquired in this embodiment and how the whitelist and blacklist are judged: the system creates a list-system database for manually setting blacklist and whitelist rules. Besides manually adding blacklist domain names or IPs, blacklist domain names and IP addresses can also be extracted periodically from the intercepted botnet analysis logs. Before traffic feature matching, the system can first query the list-system database: if a blacklist domain name or IP address is matched, the packet is directly regarded as botnet traffic; if a whitelist domain name or IP address is matched, it is passed directly as normal traffic without matching detection.
Because botnets spread very widely and are concentrated mainly in North America and Europe, and the domain names of a botnet are queried in the regions where its bots are located, querying the IP distribution can further identify a botnet.
Specifically, the IP distribution threat values J0, J1, J2 and J3 are user-definable. The IP address is judged by submitting it to the database for comparison and deciding on the returned value. In this embodiment, J0 = 0 and J3 = 1.
S4. Calculate the domain name random character ratio R.
The calculation is as follows:
where n is the number of runs of consecutive letters or digits in the domain name, a_i is the length of the i-th run of consecutive letters or digits in the domain name, l_j is the length of a run of consecutive digits in the domain name, l_k is the length of a run of consecutive letters in the domain name (a run of digits and a run of letters are joined directly, with no separating character), A is the total length of the domain name string, and max(x) denotes the maximum value of x. Because nobody browses to a botnet domain name normally, its memorability is of no concern; randomly generated domain name strings usually mix digits and letters and usually have no multi-level labels. The larger the calculated domain name random character ratio, the more likely the domain belongs to a botnet.
In this embodiment, assume the botnet domain name is kdyencs23hsjds4bf.cn; then the domain name random character ratio R is calculated from the above formula.
S5. Calculate the current network traffic change rate.
The calculation is as follows:
where f(x) is the network traffic as a function of time. The network traffic change rate essentially describes the trend of a steep rise in network traffic and the state of excessive traffic after the rise. Because a botnet client usually generates a sharp increase in network traffic when exchanging instructions with the C&C (command and control) server or executing a function, sharply rising traffic is always anomalous; when excessive traffic leaves the router's CPU and memory unable to cope, the traffic can be sampled for further analysis, and the above calculation can serve as an auxiliary basis for judgement.
In this embodiment, assume that the network traffic as a function of time is f(x) = 1 − (x − 1)^2 (0 < x < 2); then G = max(2x^3 − 6x^2 + 4x) (0 < x < 2), so G ≈ 0.7869.
Step 3. Accumulate the values of the traffic features calculated in step 2 by weight to obtain the threat value; the specific weight of each feature value can be set by the user according to the actual situation.
The above are the specific implementation steps, formula calculation steps and calculation results of the traffic features described in the technical scheme. The threat values calculated above are accumulated by weight, and the accumulated threat value is then subjected to matching detection. In this embodiment, specifically:
Assume that the weights of the daily average IP similarity, the port threat value, the IP distribution, the domain name random character ratio and the current network traffic change rate are in the ratio 1:1:1:1:1; then:
Total threat value = (1/5)I + (1/5)P + (1/5)R + (1/5)G + (1/5)J.
Step 4. Perform matching detection on the total threat value and thereby determine whether the network traffic is botnet traffic.
Specifically: when the total threat value is greater than or equal to the default threshold, the network traffic is judged to be botnet traffic; otherwise it is judged not to be botnet traffic. The default threshold can be set according to the specific situation.
In this embodiment, the captured packet is taken as input and judged: if the total threat value exceeds the set default threshold, the traffic is judged to have botnet characteristics, and the packet's destination IP address and port are changed; the changed IP address and port receive the blocked botnet traffic and at the same time pass it into the database, so that the botnet traffic is cut off. If the total threat value is determined not to exceed the threshold, the traffic is forwarded normally as normal traffic.
It is to be understood that the above embodiments are merely illustrative of the principle of the invention and exemplary implementations thereof; the invention is not limited thereto. Those skilled in the art can make various changes and modifications without departing from the spirit and essence of the invention, and such changes and modifications are also regarded as falling within the scope of protection of the invention.
Claims (10)
1. A botnet analysis method for a home router built on a Raspberry Pi, characterised in that it comprises the following steps:
A. monitoring the network port using the pyshark library in Python to extract network traffic information, and saving the extracted information;
B. calculating traffic features from the data obtained in step A;
C. accumulating the values of the traffic features calculated in step B by weight to obtain a threat value;
D. performing matching detection on the threat value and thereby determining whether the network traffic is botnet traffic.
2. The botnet analysis method for a home router built on a Raspberry Pi according to claim 1, characterised in that in step A the extracted information is specifically saved as JSON data in the form of [key:value] pairs.
3. The botnet analysis method for a home router built on a Raspberry Pi according to claim 2, characterised in that in step B the traffic features are specifically obtained by computing over the acquired JSON data, and the computation specifically includes:
S1. calculating the daily average similarity of the IP;
S2. calculating the port threat value;
S3. querying the IP distribution to obtain the IP distribution threat value;
S4. calculating the domain name random character ratio;
S5. calculating the current network traffic change rate.
4. The botnet analysis method for a home router built on a Raspberry Pi according to claim 3, characterised in that the daily average similarity of the IP in S1 is calculated as follows:
where I denotes the average similarity of the IP over n days, n denotes the number of days, and d_{i,j} is the Euclidean distance between the IP address and access count on day i and on day j.
5. The botnet analysis method for a home router built on a Raspberry Pi according to claim 3, characterised in that the port threat value in S2 is calculated as P = (1 − (r − 1)/A)^(2r), where r is the rank of the port in the known, published ranking of botnet attack query ports and A is the total number of virtual ports.
6. The botnet analysis method for a home router built on a Raspberry Pi according to claim 3, characterised in that querying the IP distribution in S3 to obtain the IP distribution threat value J specifically includes:
S3.1 extracting the IP address from the network traffic forwarded by the router, or performing DNS resolution on the domain name to obtain the real IP address;
S3.2 judging by the IP address: if it is an intranet IP address or a local address, no analysis is performed and the IP distribution threat value is J1;
S3.3 if the IP address is an external IP address, judging whether it is on the whitelist or the blacklist: if it is on the whitelist, no analysis is performed and the IP distribution threat value is J0; if it is on the blacklist, the IP distribution threat value is J3;
S3.4 if the IP address is an external IP address whose geolocation is abroad, the IP distribution threat value is J2;
where 0 ≤ J0 < J1 < J2 < J3 ≤ 1.
7. The botnet analysis method for a home router built on a Raspberry Pi according to claim 6, characterised in that J0 equals 0 and J3 equals 1.
8. The botnet analysis method for a home router based on a Raspberry Pi design according to claim 3, characterized in that the random character ratio of the domain name in S4 is calculated as follows:
where $n$ is the number of runs of consecutive letters or consecutive digits in the domain name, $a_i$ is the length of the $i$-th run of consecutive letters or consecutive digits, $l_j$ is the length of a run of consecutive digits, $l_k$ is the length of a run of consecutive letters (a run of digits and a run of letters are joined together with no separating character between them), and $A$ is the total length of the domain-name string.
9. The botnet analysis method for a home router based on a Raspberry Pi design according to claim 3, characterized in that the current rate of change of the network traffic in S5 is calculated as follows:
where $F(x)$ is the network traffic as a function of time.
10. The botnet analysis method for a home router based on a Raspberry Pi design according to claim 3, characterized in that step D compares the threat value obtained in step C with a preset threshold, specifically: when the threat value is greater than or equal to the preset threshold, the network traffic is judged to be botnet traffic; otherwise, the network traffic is judged not to be botnet traffic.
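The following is an added worked example of the two scoring components the claims define completely, the port threat value $P$ of claim 5 and the IP distribution threat value $J$ of claims 6 and 7, together with the threshold test of step D (claim 10). It is illustrative code written for this page, not the patent's own implementation. Everything the claims leave unspecified is an assumption here and is marked as such in the code: the botnet port ranking (a constructed list), $A = 65536$, the values $J_1 = 0.3$ and $J_2 = 0.6$, the white list, black list, DNS and GeoIP data (constructed, using RFC 5737 documentation addresses), the value assigned to a domestic external address on neither list, the rule that combines the components (a plain mean) and the threshold (0.5).

```python
"""Added example: port threat value P (claim 5), IP distribution threat value J
(claims 6-7) and the step D threshold test (claim 10).  Not the patent's code;
every constant below that the claims do not fix is an assumption."""
import ipaddress
from typing import Dict

# Assumption: constructed ranking of ports probed by known botnets, rank 1 =
# most frequent.  The patent's own "known disclosed" ranking is not reproduced.
ATTACK_PORT_RANKING = [23, 2323, 7547, 5555, 80, 8080, 445, 81, 37215, 52869]
NUM_PORTS = 65536            # assumption for A, "the total number of ports"

# J0 = 0 and J3 = 1 are fixed by claim 7; J1 and J2 are assumed values that
# respect the ordering 0 <= J0 < J1 < J2 < J3 <= 1 required by claim 6.
J0, J1, J2, J3 = 0.0, 0.3, 0.6, 1.0
HOME_COUNTRY = "CN"

# Constructed lists and lookup tables (RFC 5737 documentation addresses) that
# stand in for the router's white list, black list, DNS resolver and GeoIP data.
WHITELIST = {"203.0.113.200"}
BLACKLIST = {"198.51.100.7"}
CONSTRUCTED_DNS = {"update.example.org": "203.0.113.9",
                   "c2.example.net": "198.51.100.7"}
GEOIP_COUNTRY = {"203.0.113.5": "US", "203.0.113.9": "CN", "198.51.100.7": "DE"}

# Internal-network and local addresses, listed explicitly rather than via
# ipaddress.is_private, which would also match the documentation ranges above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16")]                   # loopback, link-local


def port_threat_value(port: int, ranking=ATTACK_PORT_RANKING,
                      A: int = NUM_PORTS) -> float:
    """Claim 5: P = (1 - (r - 1) / A) ** (2 * r), r = rank of the port.
    A port absent from the ranking gets P = 0 (assumption)."""
    if port not in ranking:
        return 0.0
    r = ranking.index(port) + 1
    return (1.0 - (r - 1) / A) ** (2 * r)


def resolve_target(target: str, dns: Dict[str, str] = CONSTRUCTED_DNS) -> str:
    """S3.1: take the IP address as-is, or resolve a domain name to its real
    IP.  Offline stand-in for DNS; an unknown name raises KeyError."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        return dns[target]


def ip_distribution_threat_value(ip_str: str) -> float:
    """S3.2 to S3.4 of claim 6 with the J values of claim 7."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in INTERNAL_NETS):      # S3.2: internal / local
        return J1
    if ip_str in WHITELIST:                          # S3.3: white list
        return J0
    if ip_str in BLACKLIST:                          # S3.3: black list
        return J3
    if GEOIP_COUNTRY.get(ip_str, HOME_COUNTRY) != HOME_COUNTRY:  # S3.4: abroad
        return J2
    # Domestic external address on neither list: not covered by the claims,
    # assumed to score the same as an internal address.
    return J1


def score_flow(target: str, dst_port: int) -> dict:
    """Combine P and J into one threat value for a flow.
    Assumption: a plain mean; the claims do not state the combination rule."""
    ip = resolve_target(target)
    P = port_threat_value(dst_port)
    J = ip_distribution_threat_value(ip)
    return {"ip": ip, "P": P, "J": J, "threat": (P + J) / 2}


def is_botnet_traffic(threat: float, threshold: float = 0.5) -> bool:
    """Step D (claim 10): botnet traffic iff threat >= threshold (assumed 0.5)."""
    return threat >= threshold


if __name__ == "__main__":
    # Constructed sample flows: (destination, destination port).
    for target, port in [("c2.example.net", 23), ("update.example.org", 443),
                         ("192.168.1.20", 2323), ("203.0.113.5", 7547)]:
        s = score_flow(target, port)
        print(f"{target:>20}:{port:<5} ip={s['ip']:<15} P={s['P']:.4f} "
              f"J={s['J']:.2f} threat={s['threat']:.3f} "
              f"botnet={is_botnet_traffic(s['threat'])}")
```

Two points are worth noting when reading the output. With $A = 65536$ the port factor is almost flat near the top of the ranking (rank 2 still scores about 0.9999), so in practice $P$ separates "ranked" from "unranked" ports far more than it orders the ranked ones. And because S3.3 is evaluated before S3.4, a blacklisted or whitelisted address keeps its list score regardless of its registered location, which is the ordering the claim text gives.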
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910823540.2A CN110493253B (en) | 2019-09-02 | 2019-09-02 | Botnet analysis method of home router based on Raspberry Pi design |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110493253A true CN110493253A (en) | 2019-11-22 |
CN110493253B CN110493253B (en) | 2021-06-22 |
Family
ID=68556022
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910823540.2A Active CN110493253B (en) | 2019-09-02 | 2019-09-02 | Botnet analysis method of home router based on Raspberry Pi design |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110493253B (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111092881A (en) * | 2019-12-12 | 2020-05-01 | 杭州安恒信息技术股份有限公司 | Access interception method, device, equipment and readable storage medium |
CN112019523A (en) * | 2020-08-07 | 2020-12-01 | 贵州黔源电力股份有限公司 | Network auditing method and device for industrial control system |
CN113709744A (en) * | 2021-10-28 | 2021-11-26 | 连连(杭州)信息技术有限公司 | Wi-Fi control method and device, electronic equipment and storage medium |
CN113709744B (en) * | 2021-10-28 | 2022-03-11 | 连连(杭州)信息技术有限公司 | Wi-Fi control method and device, electronic equipment and storage medium |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103001825A (en) * | 2012-11-15 | 2013-03-27 | 中国科学院计算机网络信息中心 | Method and system for detecting DNS (domain name system) traffic abnormality |
CN103152442A (en) * | 2013-01-31 | 2013-06-12 | 中国科学院计算机网络信息中心 | Detection and processing method and system for botnet domain names |
CN105721406A (en) * | 2014-12-05 | 2016-06-29 | 中国移动通信集团广东有限公司 | Method and device for obtaining IP black list |
CN105897714A (en) * | 2016-04-11 | 2016-08-24 | 天津大学 | Botnet detection method based on DNS (Domain Name System) flow characteristics |
CN106789459A (en) * | 2016-12-07 | 2017-05-31 | 中国人民解放军理工大学 | A smart device control apparatus and control method based on Raspberry Pi |
CN107508816A (en) * | 2017-08-31 | 2017-12-22 | 杭州迪普科技股份有限公司 | A kind of attack traffic means of defence and device |
US20180083990A1 (en) * | 2015-04-20 | 2018-03-22 | John Richard Abe | Network Security Device and Application |
CN108494746A (en) * | 2018-03-07 | 2018-09-04 | 长安通信科技有限责任公司 | A kind of network port Traffic anomaly detection method and system |
CN108512805A (en) * | 2017-02-24 | 2018-09-07 | 腾讯科技(深圳)有限公司 | A kind of network security defence method and network security defence installation |
CN109117341A (en) * | 2018-08-14 | 2019-01-01 | 郑州云海信息技术有限公司 | A kind of monitoring method of virtual machine, device, equipment and medium |
- 2019-09-02: application CN201910823540.2A (CN), patent CN110493253B, status: Active
Non-Patent Citations (2)
Title |
---|
李可: "僵尸网络发展研究", 《计算机研究与发展》 * |
黄祥才,张志伟,彭意兵,何顶新: "一种基于Thread的Ipv6智能家居解决方案", 《单片机与嵌入式系统应用》 * |
Also Published As
Publication number | Publication date |
---|---|
CN110493253B (en) | 2021-06-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Borkar et al. | A survey on Intrusion Detection System (IDS) and Internal Intrusion Detection and protection system (IIDPS) | |
Protić | Review of KDD Cup ‘99, NSL-KDD and Kyoto 2006+ datasets | |
US8931099B2 (en) | System, method and program for identifying and preventing malicious intrusions | |
EP1244967B1 (en) | Method for automatic intrusion detection and deflection in a network | |
JP6097849B2 (en) | Information processing apparatus, fraudulent activity determination method and fraudulent activity determination program, information processing apparatus, activity determination method and activity determination program | |
US11399288B2 (en) | Method for HTTP-based access point fingerprint and classification using machine learning | |
CN102594825B (en) | The detection method of a kind of intranet Trojans and device | |
US9112895B1 (en) | Anomaly detection system for enterprise network security | |
US8042182B2 (en) | Method and system for network intrusion detection, related network and computer program product | |
CN107733851A (en) | DNS tunnels Trojan detecting method based on communication behavior analysis | |
CN109587179A (en) | A kind of SSH agreement behavior pattern recognition and alarm method based on bypass network full flow | |
CN110493253A (en) | Botnet analysis method of a home router based on Raspberry Pi design | |
JP4774307B2 (en) | Unauthorized access monitoring device and packet relay device | |
KR20100075043A (en) | Management system for security control of irc and http botnet and method thereof | |
CN105681250A (en) | Botnet distributed real-time detection method and system | |
CN104378255B (en) | The detection method and device of web malicious users | |
CN105959290A (en) | Detection method and device of attack message | |
CN104135474A (en) | Network anomaly behavior detection method based on out-degree and in-degree of host | |
Jiang et al. | Novel intrusion prediction mechanism based on honeypot log similarity | |
CN102882748A (en) | Network access detection system and network access detection method | |
Shin et al. | Unsupervised multi-stage attack detection framework without details on single-stage attacks | |
Gunasekaran | Comparison of network intrusion detection systems in cloud computing environment | |
Lu et al. | APT traffic detection based on time transform | |
CN106911665A (en) | A method and system for recognizing weak-password intrusion behaviour of malicious code | |
Raftopoulos et al. | Understanding network forensics analysis in an operational environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||