CN110493253A - Botnet analysis method for a home router based on a Raspberry Pi design - Google Patents


Info

Publication number: CN110493253A
Authority: CN (China)
Prior art keywords: botnet, address, Raspberry Pi, threat value, domain name
Legal status: Granted
Application number: CN201910823540.2A
Other languages: Chinese (zh)
Other versions: CN110493253B (en)
Inventors: 孙祥, 张攀, 常清雪
Current assignee: Sichuan Changhong Electric Co Ltd
Original assignee: Sichuan Changhong Electric Co Ltd
Events: application filed by Sichuan Changhong Electric Co Ltd; priority to CN201910823540.2A; publication of CN110493253A; application granted; publication of CN110493253B; legal status: Active

Classifications

    • H04L45/60 Router architectures
    • H04L61/4511 Network directories; name-to-address mapping using the domain name system [DNS]
    • H04L63/101 Access control lists [ACL]
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a botnet analysis method for a home router based on a Raspberry Pi design, comprising the following steps: A. monitor the network port using the pyshark library in Python to extract network traffic information, and save the extracted information as data; B. compute traffic features from the data obtained in step A; C. accumulate the values of the traffic features computed in step B by weight to obtain a threat value; D. perform matching detection on the threat value, thereby determining whether the network traffic is botnet traffic. The method extracts and computes on the router's network traffic and then compares and analyses the computed results, solving the problem that existing small home routers are insufficiently accurate in detecting and handling botnets.

Description

Botnet analysis method for a home router based on a Raspberry Pi design
Technical field
The present invention relates to the field of the Internet of Things, in particular to a botnet analysis method for a home router based on a Raspberry Pi design.
Background technique
With the continuous development of social informatization and the internet, all kinds of Internet of Things (IoT) devices have entered people's daily lives. While these IoT devices bring convenience to people's lives, they have also become targets of criminal attack and tools to be exploited.
A "botnet" is an extremely harmful form of malicious internet attack. A botnet attacks target systems through vulnerabilities, then covertly issues instructions that download Trojans, so that the IoT device becomes a controlled "puppet". The harm done by botnets includes, but is not limited to: launching DDoS attacks with large numbers of bot clients, infecting other systems to turn them into new bot clients, sending spam and phishing, and stealing information. Botnets are therefore a high-risk information security threat that is both self-propagating and highly controllable.
The workflow of a botnet begins with discovering and exploiting a weakness: through social engineering, through a system vulnerability, through a leftover Trojan backdoor, or by guessing or cracking passwords. The bot then communicates with the C&C (command and control) server to report that a new client is online. Today's botnets use various encrypted communication channels to evade monitoring by IDS, firewalls and other network defences. The purpose of communicating with C&C is to update any client modules that may exist, as well as the client list, IP addresses or channel names held on the C&C side, in the same way that a Trojan's server side notifies the client when it comes online. C&C is the communication relay between the bot clients and the bot herder: the bot herder sends instructions to C&C, and C&C sends instructions to the bot clients.
Currently, for an enterprise or institution, whether a botnet has infected the internal network can be detected at two levels, network and system: the network level includes traffic detection, firewall/NIDS and log analysis, and the system level includes building honeypots and log analysis. For home networks, however, there is at present no small home router on the market specifically designed to detect botnets, so home IoT devices are difficult to protect. It is therefore very necessary to build a small home router that, through detection means, blocks and isolates botnets in order to combat botnet crime, collects botnet traffic logs, and studies botnet behaviour.
The only difference between botnets and other viruses is that a botnet has a unified, highly controllable system; the distribution of bot clients is not limited to one country, and botnet traffic is almost indistinguishable from normal traffic. One therefore cannot rely on a single flow to decide whether traffic belongs to a botnet; a large amount of data and accurate calculation are needed, and accurately judging the presence of a botnet is very difficult.
Summary of the invention
The purpose of the present invention is to overcome the deficiencies of the background technique above by providing a botnet analysis method for a home router based on a Raspberry Pi design. The method extracts and computes on the router's network traffic and then compares and analyses the computed results, solving the problem that existing small home routers are insufficiently accurate in detecting and handling botnets.
In order to achieve the above technical effect, the present invention adopts the following technical scheme:
A botnet analysis method for a home router based on a Raspberry Pi design, comprising the following steps:
A. Monitor the network port using the pyshark library in Python to extract network traffic information, and save the extracted information as data;
B. Compute traffic features from the data obtained in step A;
C. Accumulate the values of the traffic features computed in step B by weight to obtain a threat value, where the specific weight of each feature value can be set by the user according to the actual situation;
D. Perform matching detection on the threat value, thereby determining whether the network traffic is botnet traffic.
Further, in step A the extracted information is specifically saved as JSON data in the form of [key:value] pairs.
Further, in step B the traffic features are specifically obtained by computing on the acquired JSON data; the computation includes:
S1. computing the daily average similarity of the IP;
S2. computing the port threat value;
S3. querying the IP distribution to obtain the IP distribution threat value;
S4. computing the domain name random character ratio;
S5. computing the current network traffic change rate.
Further, in S1 the daily average similarity of the IP is computed from the Euclidean distances between days, where $I$ denotes the average similarity of the IP over $n$ days, $n$ is the number of days, and $d_{i,j}$ is the Euclidean distance between the IP address and access count on day $i$ and on day $j$. Specifically, the Euclidean distance is the commonly used distance definition: the actual distance between two points in $m$-dimensional space. A normal IP address has a similar number of queries and accesses every day, whereas a botnet IP has unstable query and access counts, with huge gaps in the daily number of queries; so by examining the gap in an IP's daily query counts one can assist in judging whether the IP address belongs to a botnet.
Further, the port threat value in S2 is computed as $P = \left(1 - \frac{r-1}{A}\right)^{2r}$, where $r$ is the rank of the port in the publicly known list of ports queried and attacked by botnets and $A$ is the total number of ports, 65535 by default. The larger the computed port threat value, the higher the probability that the traffic is botnet traffic. Since one of the harms of botnets is attacking and brute-forcing the service ports exposed by servers, judging the high-risk access ports in network traffic is also one of the effective means of screening for botnet traffic.
Further, querying the IP distribution in S3 to obtain the IP distribution threat value $J$ specifically includes:
S3.1 extracting the IP address from the network traffic forwarded by the router, or resolving the domain name through DNS to obtain the real IP address;
S3.2 judging by the IP address: if it is an internal network address or a local address, no analysis is made and the IP distribution threat value is $J_1$;
S3.3 if the IP address is an external network address, judging whether the IP address is in the whitelist or the blacklist; if it is in the whitelist, no analysis is made and the IP distribution threat value is $J_0$; if it is in the blacklist, the IP distribution threat value is $J_3$; the whitelist and blacklist can be customised by the user;
S3.4 if the IP address is an external network address and the IP is located abroad, the IP distribution threat value is $J_2$; where $0 \le J_0 < J_1 < J_2 < J_3 \le 1$. Because botnets propagate strongly and are mainly distributed in North America and Europe, a botnet's domain names are queried from the regions infected by its bots, so querying the IP distribution can further identify botnets.
Further, $J_0$ equals 0 and $J_3$ equals 1.
Further, the domain name random character ratio in S4 is computed from the following quantities: $n$ is the number of runs of consecutive letters or consecutive digits in the domain name; $a_i$ is the length of the $i$-th run of consecutive letters or consecutive digits in the domain name; $l_j$ is the length of a run of consecutive digits in the domain name; $l_k$ is the length of a run of consecutive letters in the domain name, where a run of digits and a run of letters joined directly with no separating character between them count as separate runs; $A$ is the total length of the domain name string; and $\max(x)$ denotes taking the maximum value of $x$. Because nobody browses to a botnet domain name normally, no attention is paid to making the domain name easy to remember; randomly generated domain name strings usually mix digits and letters, and typically have no multi-level domain. For the domain name random character ratio, the larger the computed ratio, the higher the probability that the domain belongs to a botnet.
Further, the current network traffic change rate in S5 is computed from $f(x)$, the network traffic as a function of time. The network traffic change rate essentially describes the trend of network traffic rising sharply and the state of excessive network traffic after the rise. Because a botnet client's instruction exchanges with C&C (command and control) or its task execution are usually accompanied by sharply increasing network traffic, sharply rising network traffic is always unreasonable; when excessive network traffic overloads the router's CPU and memory, further analysis can be done by traffic sampling, and the above computation can serve as an auxiliary basis for judgement.
Further, step D compares the threat value obtained in step C with a default threshold, specifically: when the threat value is greater than or equal to the default threshold, the network traffic is judged to be botnet traffic; otherwise, the network traffic is judged not to be botnet traffic, where the default threshold can be set by the user as the case may be.
Compared with the prior art, the present invention has the following beneficial effects:
The botnet analysis method of the present invention for a home router based on a Raspberry Pi design turns a Raspberry Pi computer into a home router and uses Python scripts to monitor and analyse the network traffic passing through the router; it then extracts traffic features for detection matching and adds threat value to network traffic that hits detection rules; when the threat value exceeds a default threshold (the threshold size is customisable), the traffic is judged to be botnet traffic, an interception operation is performed on it, and its data are stored in a database for long-term analysis and comparison.
This resolves the deficiency of existing small home routers in detecting and handling botnets: through traffic analysis, botnet traffic logs are extracted from the network traffic so that botnets can be analysed and handled. At the same time, a router made from a Raspberry Pi has the advantages of being compact, powerful, power-saving, high-performance and highly extensible; the list detection method provides user-friendly and flexible botnet detection rules; and the front-end display module can show the router's network traffic conditions, so that the user can more conveniently and intuitively observe and grasp the botnet traffic situation.
Detailed description of the drawings
Fig. 1 is a schematic diagram of the Raspberry Pi router design concept of the invention.
Fig. 2 is a schematic flow diagram of botnet detection and handling in the botnet analysis method of the invention for a home router based on a Raspberry Pi design.
Fig. 3 is a flow diagram of how the list system in the botnet analysis method of the invention for a home router based on a Raspberry Pi design acquires detection rules and data.
Specific embodiment
The invention is further elaborated below with reference to the embodiment of the present invention.
Embodiment:
Embodiment one:
First, this embodiment discloses a method of turning a Raspberry Pi into a routing device, as shown in Fig. 1: a home router built on a Raspberry Pi with a wireless network card. The implementation steps are as follows:
Step 1: Prepare a Raspberry Pi 3B+ (Raspberry Pi 3 Model B+), a wireless network card (FW150UD, AR9271 chipset), a power cable (5V, 2A) and two network cables.
Step 2: Prepare a 128M SD card and write the OpenWrt disk image file to the SD card. OpenWrt provides a writable file system to which software packages can be added.
Step 3: Make the boot disk (using the command dd if=~/name.img of=/dev/sdX, where ~/name.img is the absolute path and file name of the OpenWrt image and sdX is the device name).
Step 4: Modify the default IPv4 address of the built-in network card.
Step 5: Install the USB network card driver and hostapd (open a browser at the address configured above to enter the OpenWrt configuration management interface, select System > Software and click Update lists). hostapd is a tool for setting up an open or encrypted (WEP, WPA, WPA2, etc.) wireless network.
Step 6: Restart the Raspberry Pi.
Step 7: Create two databases on the Raspberry Pi: a list-system database (fields: unique id, list type, domain name, IP) and a botnet log database (fields: unique id, domain name, IP, traffic features).
Step 8: Download and install the Python environment on the Raspberry Pi. Running the Python script completes the router with botnet analysis based on a Raspberry Pi design.
Fig. 2 shows the botnet analysis method using the above home router based on a Raspberry Pi design. It should be noted that other methods of turning a Raspberry Pi into a routing device exist in the prior art and can be chosen as the case may be.
The botnet analysis method of this embodiment for a home router based on a Raspberry Pi design specifically includes:
Step 1. Monitor the network port using the pyshark library in Python to extract network traffic information, and save the extracted information as JSON data in the form of [key:value] pairs.
The acquisition of network traffic data is based on a script written with the pyshark library in Python. The pyshark library can sniff on a network interface and obtain the complete information of each packet; regular-expression matching then filters the analysis log out of it for the analysis step.
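Step 1 as an added example, not the patent's own script: each pyshark packet is flattened to a key:value record and appended to a JSON-lines log, which is the form the feature functions S1 to S5 read. The function packet_to_record() assumes pyshark's layer attribute names (pkt.ip.src, pkt.transport_layer, pkt.dns.qry_name); live_capture() uses pyshark.LiveCapture and needs tshark installed on the router, so the stand-alone run at the bottom exercises the extraction on a constructed stand-in packet instead.

```python
import json
from types import SimpleNamespace


def packet_to_record(pkt):
    """Flatten one pyshark-style packet into a key:value dict.

    Attribute names follow pyshark's packet layers (assumed here):
    pkt.ip.src / pkt.ip.dst, pkt.transport_layer ('TCP' or 'UDP'),
    pkt.tcp.dstport / pkt.udp.dstport, pkt.dns.qry_name. A missing layer
    simply leaves the corresponding field as None.
    """
    record = {
        "time": str(getattr(pkt, "sniff_time", "")),
        "length": int(getattr(pkt, "length", 0)),
        "src_ip": None,
        "dst_ip": None,
        "proto": getattr(pkt, "transport_layer", None),
        "dst_port": None,
        "dns_query": None,
    }
    ip = getattr(pkt, "ip", None)
    if ip is not None:
        record["src_ip"], record["dst_ip"] = ip.src, ip.dst
    if record["proto"]:
        # pyshark exposes the transport layer as pkt.tcp or pkt.udp
        layer = getattr(pkt, record["proto"].lower(), None)
        if layer is not None:
            record["dst_port"] = int(layer.dstport)
    dns = getattr(pkt, "dns", None)
    if dns is not None and getattr(dns, "qry_name", None):
        record["dns_query"] = dns.qry_name
    return record


def append_jsonl(records, path):
    """Append records to a JSON-lines log; returns the number written."""
    with open(path, "a", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")
    return len(records)


def live_capture(interface="wlan0", count=100):
    """Sniff `count` IP packets on `interface` with pyshark (requires tshark)."""
    import pyshark  # imported lazily so the rest of the module runs offline

    cap = pyshark.LiveCapture(interface=interface, bpf_filter="ip")
    return [packet_to_record(p) for p in cap.sniff_continuously(packet_count=count)]


# Constructed stand-in for a pyshark packet: a DNS query over UDP from a LAN
# host for the sample domain used later in the embodiment.
SAMPLE_PACKET = SimpleNamespace(
    sniff_time="2019-09-02 10:00:00",
    length="74",
    transport_layer="UDP",
    ip=SimpleNamespace(src="192.168.1.23", dst="192.168.1.1"),
    udp=SimpleNamespace(srcport="51234", dstport="53"),
    dns=SimpleNamespace(qry_name="kdyencs23hsjds4bf.cn"),
)

if __name__ == "__main__":
    print(json.dumps(packet_to_record(SAMPLE_PACKET), indent=2))
```

Keeping the record flat (one key per field) is what makes the later steps cheap on a Raspberry Pi: each feature function only has to read the few keys it needs rather than walk the full packet dissection again.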
Step 2. Obtain traffic features by computing on the acquired JSON data; in the Python script, the different traffic features are implemented by different functions.
The computation specifically includes:
S1. Compute the daily average similarity I of the IP.
The computation uses the following quantities: $I$ denotes the average similarity of the IP over $n$ days, $n$ is the number of days, and $d_{i,j}$ is the Euclidean distance between the IP address and access count on day $i$ and on day $j$. Specifically, the Euclidean distance is the commonly used distance definition: the actual distance between two points in $m$-dimensional space. A normal IP address has a similar number of queries and accesses every day, whereas a botnet IP has unstable query and access counts, with huge gaps in the daily number of queries; so by examining the gap in an IP's daily query counts one can assist in judging whether the IP address belongs to a botnet.
For example, suppose the IP of the local Raspberry Pi router is 11.11.11.11 and the IP of the botnet is 22.22.22.22. Converting the IP addresses to binary gives 00001011000010110000101100001011 and 00010110000101100001011000010110, which serve as the one-dimensional variable $x$, while the daily query count of the botnet serves as the two-dimensional variable $y$; the Euclidean distance formula for two-dimensional space is then applied. Suppose that the query count of an IP or domain name on the first and second days is 10, on the third day 30000 and on the fourth day 40; then the daily average similarity $I$ of the IP is computed by the formula from the third day, and again on the fourth day.
S2. Compute the port threat value P.
The computation is $P = \left(1 - \frac{r-1}{A}\right)^{2r}$, where $r$ is the rank of the port in the publicly known list of ports queried and attacked by botnets and $A$ is the total number of ports, 65535 by default. The larger the computed port threat value, the higher the probability that the traffic is botnet traffic. Since one of the harms of botnets is attacking and brute-forcing the service ports exposed by servers, judging the high-risk access ports in network traffic is also one of the effective means of screening for botnet traffic.
In this embodiment, if the port requested by the network traffic is port 23, and this port ranks 10th in the survey of botnet port threats, the port threat value is $P = (1 - (10-1)/65535)^{20} = 0.9973$.
S3. Query the IP distribution to obtain the IP distribution threat value J.
This specifically includes:
S3.1 extracting the IP address from the network traffic forwarded by the router, or resolving the domain name through DNS to obtain the real IP address;
S3.2 judging by the IP address: if it is an internal network address or a local address, no analysis is made and the IP distribution threat value is $J_1$;
S3.3 if the IP address is an external network address, judging whether the IP address is in the whitelist or the blacklist; if it is in the whitelist, no analysis is made and the IP distribution threat value is $J_0$; if it is in the blacklist, the IP distribution threat value is $J_3$; the whitelist and blacklist can be customised by the user;
S3.4 if the IP address is an external network address and the IP is located abroad, the IP distribution threat value is $J_2$; where $0 \le J_0 < J_1 < J_2 < J_3 \le 1$.
Specifically, Fig. 3 shows the concrete way in which this embodiment obtains data and judges the black and white lists. The system creates a list-system database for manually set blacklist and whitelist rules. Besides manually added blacklist domain names or IPs, blacklist domain names and IP addresses can also be periodically extracted from the intercepted botnet analysis log. Before matching traffic features, the system first queries the list-system database: if a blacklist domain name or IP address is matched, the packet is directly regarded as botnet traffic; if a whitelist domain name or IP address is matched, it is passed directly as normal traffic without matching detection.
Because botnets propagate strongly and are mainly distributed in North America and Europe, a botnet's domain names are queried from the regions infected by its bots, so querying the IP distribution can further identify botnets.
Specifically, the IP distribution threat values $J_0$, $J_1$, $J_2$ and $J_3$ above can be user-defined. The IP address is judged by submitting it to the database for comparison and deciding on the returned value; in this embodiment, $J_0 = 0$ and $J_3 = 1$.
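The S3 decision procedure together with the list-system pre-check of Fig. 3, as an added example that is not the patent's code. It uses Python's ipaddress module for the internal/local test. The J1 and J2 values, the list table, the home country and the geolocation table are constructed assumptions (the patent fixes only J0 = 0 and J3 = 1 and leaves the rest to the user), and an external, unlisted, domestic address is treated like an internal one, a case the patent does not assign a value to.

```python
import ipaddress

# Threat values for the four S3 outcomes. The patent fixes J0 = 0 and J3 = 1
# and requires 0 <= J0 < J1 < J2 < J3 <= 1; J1 and J2 here are constructed.
J0, J1, J2, J3 = 0.0, 0.25, 0.6, 1.0
assert 0 <= J0 < J1 < J2 < J3 <= 1

# Constructed list-system table with the patent's fields:
# (unique id, list type, domain name, IP). 22.22.22.22 is the page's sample bot IP.
LIST_DB = [
    (1, "white", "update.example-vendor.test", "33.33.33.33"),
    (2, "black", "kdyencs23hsjds4bf.cn", "22.22.22.22"),
]

HOME_COUNTRY = "CN"
# Constructed geolocation table; a deployment would consult a GeoIP database.
GEO_TABLE = {
    "22.22.22.22": "US",
    "33.33.33.33": "CN",
    "44.44.44.44": "DE",
    "55.55.55.55": "CN",
}


def list_lookup(ip=None, domain=None):
    """Return 'white', 'black' or None for the given IP and/or domain name."""
    for _uid, kind, dom, addr in LIST_DB:
        if (ip is not None and ip == addr) or (domain is not None and domain == dom):
            return kind
    return None


def list_precheck(ip, domain=None):
    """Fig. 3 pre-check run before feature matching: a blacklist hit is botnet
    traffic outright, a whitelist hit passes as normal traffic, otherwise None
    and the packet goes on to feature matching."""
    return {"black": "botnet", "white": "normal"}.get(list_lookup(ip, domain))


def ip_distribution_threat(ip, domain=None):
    """S3.1 to S3.4: map a destination address (and the queried domain, if any) to J."""
    addr = ipaddress.ip_address(ip)
    # S3.2: internal network or local address -> J1, no further analysis
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return J1
    # S3.3: external address -> whitelist gives J0, blacklist gives J3
    kind = list_lookup(ip, domain)
    if kind == "white":
        return J0
    if kind == "black":
        return J3
    # S3.4: external address located abroad -> J2
    if GEO_TABLE.get(ip, HOME_COUNTRY) != HOME_COUNTRY:
        return J2
    # External, unlisted and domestic: not assigned by the patent; assumed J1 here.
    return J1


if __name__ == "__main__":
    for ip in ("192.168.1.23", "33.33.33.33", "22.22.22.22", "44.44.44.44", "55.55.55.55"):
        print(ip, list_precheck(ip), ip_distribution_threat(ip))
```

Note that a private source address short-circuits before the list lookup, exactly as S3.2 says "no analysis is made"; if the list system should also catch a blacklisted domain queried from the LAN, run list_precheck() on the DNS query name first, as the Fig. 3 flow does.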
S4. Compute the domain name random character ratio R.
The computation uses the following quantities: $n$ is the number of runs of consecutive letters or consecutive digits in the domain name; $a_i$ is the length of the $i$-th run of consecutive letters or consecutive digits in the domain name; $l_j$ is the length of a run of consecutive digits in the domain name; $l_k$ is the length of a run of consecutive letters in the domain name, where a run of digits and a run of letters joined directly with no separating character between them count as separate runs; $A$ is the total length of the domain name string; and $\max(x)$ denotes taking the maximum value of $x$. Because nobody browses to a botnet domain name normally, no attention is paid to making the domain name easy to remember; randomly generated domain name strings usually mix digits and letters, and typically have no multi-level domain. For the domain name random character ratio, the larger the computed ratio, the higher the probability that the domain belongs to a botnet.
In this embodiment, suppose the botnet domain name is kdyencs23hsjds4bf.cn; the domain name random character ratio $R$ is then computed for this string.
S5. Compute the current network traffic change rate.
The computation is based on $f(x)$, the network traffic as a function of time. The network traffic change rate essentially describes the trend of network traffic rising sharply and the state of excessive network traffic after the rise. Because a botnet client's instruction exchanges with C&C (command and control) or its task execution are usually accompanied by sharply increasing network traffic, sharply rising network traffic is always unreasonable; when excessive network traffic overloads the router's CPU and memory, further analysis can be done by traffic sampling, and the above computation can serve as an auxiliary basis for judgement.
In this embodiment, suppose the network traffic as a function of time is $f(x) = 1 - (x-1)^2$ for $0 < x < 2$; then $G = \max(2x^3 - 6x^2 + 4x)$ over $0 < x < 2$, so $G \approx 0.7869$.
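The embodiment states no closed formula for G, but the polynomial it maximises, $2x^3 - 6x^2 + 4x$, is exactly $f(x) \cdot f'(x)$ for the given $f(x) = 1 - (x-1)^2$. The added example below (not the patent's code) assumes that reading: it takes G as the maximum of $f(x) \cdot f'(x)$ over the observation window, estimates $f'$ by central differences on sampled traffic counts, and runs it both on the page's $f$ (the value it returns can be compared with the figure given in the embodiment) and on a constructed bytes-per-second burst. Scaling the raw G into the same range as the other features is left to the user-defined weights of step 3.

```python
import math


def change_rate_score(samples, dt=1.0):
    """G = max over the window of f(x) * f'(x), with f' estimated by central
    differences. Assumption, not stated in the patent: this product is the
    quantity whose maximum the embodiment's worked example computes."""
    if len(samples) < 3:
        raise ValueError("need at least three samples")
    best = -math.inf
    for i in range(1, len(samples) - 1):
        deriv = (samples[i + 1] - samples[i - 1]) / (2 * dt)
        best = max(best, samples[i] * deriv)
    return best


def sample_curve(f, x0, x1, n):
    """Evaluate f on n+1 evenly spaced points of [x0, x1]; returns (dt, values)."""
    dt = (x1 - x0) / n
    return dt, [f(x0 + k * dt) for k in range(n + 1)]


def page_example(n=20000):
    """The page's f(x) = 1 - (x-1)^2 on 0 < x < 2. Because f is quadratic the
    central difference is exact, so this is the grid maximum of 2x^3 - 6x^2 + 4x."""
    dt, ys = sample_curve(lambda x: 1 - (x - 1) ** 2, 0.0, 2.0, n)
    return change_rate_score(ys, dt)


# Constructed bytes-per-second counts: flat idle traffic followed by the kind of
# sudden burst that a bot's C&C exchange or task execution produces.
BURST = [100, 100, 100, 100, 100, 400, 1600, 6400, 25600, 25600, 25000]
IDLE = [100] * 6


def burst_example():
    """G for the constructed burst; the maximum lands on the steepest rising edge."""
    return change_rate_score(BURST, dt=1.0)


if __name__ == "__main__":
    print(round(page_example(), 4))
    print(burst_example(), change_rate_score(IDLE))
```

Because G multiplies the level by the slope, a flat window scores 0 whatever its level, and a burst scores highest on the rising edge rather than at the plateau, which is the "sharply rising" behaviour the text singles out.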
Step 3. Accumulate the values of the traffic features computed in step 2 by weight to obtain the threat value, where the specific weight of each feature value can be set by the user according to the actual situation.
The above are the specific implementation steps of the traffic features described in the technical scheme, together with the detailed formula calculation steps and results; the threat values computed above are accumulated according to their weights, and the accumulated threat value is then subjected to matching detection. In this embodiment this is specifically as follows:
Suppose the weight proportions of the threat values of the traffic features (daily average IP similarity, port threat value, IP distribution, domain name random character ratio and current network traffic change rate) are 1:1:1:1:1; then:
Total threat value = (1/5) I + (1/5) P + (1/5) R + (1/5) G + (1/5) J.
Step 4. Perform matching detection on the total threat value, thereby determining whether the network traffic is botnet traffic.
Specifically: when the total threat value is greater than or equal to the default threshold, the network traffic is judged to be botnet traffic; otherwise, the network traffic is judged not to be botnet traffic, where the default threshold can be set by the user as the case may be.
In this embodiment, the captured packet is taken as input and judged: if the total threat value exceeds the set default threshold, it is judged to be botnet-feature traffic, and at this point the destination IP address and port of the packet are changed; the new IP address and port are used to receive the blocked botnet traffic and at the same time pass it to the database, thereby achieving interception of the botnet traffic. If the total threat value is judged not to exceed the threshold, it is forwarded normally as normal traffic.
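Steps 2 (S2), 3 and 4 together, as an added example rather than the patent's script: the port threat value P, the weighted accumulation into the total threat value, and the threshold decision that either forwards the packet or rewrites its destination to the sink address that collects blocked traffic for the log database. Only port 23 at rank 10, the default A = 65535 and the equal 1:1:1:1:1 weights come from the page; the rest of the ranking table, the threshold, the other feature values and the sink address are constructed assumptions.

```python
TOTAL_PORTS = 65535  # A: total number of ports (the patent's default)

# Constructed ranking of ports by botnet attack frequency (rank 1 = most
# attacked). Only port 23 -> rank 10 is taken from the page; the other entries
# are placeholders standing in for a published ranking.
PORT_RANK = {23: 10, 2323: 11, 7547: 12, 22: 13}

EQUAL_WEIGHTS = {"I": 1, "P": 1, "J": 1, "R": 1, "G": 1}  # the page's 1:1:1:1:1
DEFAULT_THRESHOLD = 0.6       # constructed; the patent leaves it to the user
SINK = ("10.0.0.254", 9999)   # constructed address that receives blocked traffic


def port_threat_value(port, rank_table=PORT_RANK, total_ports=TOTAL_PORTS):
    """P = (1 - (r-1)/A)^(2r); a port absent from the ranking gets P = 0."""
    r = rank_table.get(port)
    if r is None:
        return 0.0
    return (1 - (r - 1) / total_ports) ** (2 * r)


def total_threat_value(features, weights=EQUAL_WEIGHTS):
    """Step 3: weighted accumulation of I, P, J, R, G, normalised by the weight sum
    so that equal weights reproduce the page's (1/5) I + (1/5) P + ... form."""
    if set(features) != set(weights):
        raise ValueError("features and weights must cover the same keys")
    return sum(features[k] * weights[k] for k in weights) / sum(weights.values())


def route_decision(features, dst, weights=EQUAL_WEIGHTS, threshold=DEFAULT_THRESHOLD):
    """Step 4: returns (verdict, destination). Botnet traffic is redirected to
    SINK, which stores it in the log database; normal traffic keeps `dst`."""
    if total_threat_value(features, weights) >= threshold:
        return "botnet", SINK
    return "normal", dst


# Constructed feature vectors for two packets. SUSPECT uses the page's port 23
# example for P and a blacklisted destination (J = J3 = 1); BENIGN is quiet
# traffic to an unranked port and a whitelisted destination (J = J0 = 0).
SUSPECT = {"I": 0.5, "P": port_threat_value(23), "J": 1.0, "R": 0.7, "G": 0.8}
BENIGN = {"I": 0.1, "P": port_threat_value(443), "J": 0.0, "R": 0.1, "G": 0.05}

if __name__ == "__main__":
    print(round(port_threat_value(23), 4))                # page example: 0.9973
    print(route_decision(SUSPECT, ("22.22.22.22", 23)))   # ('botnet', SINK)
    print(route_decision(BENIGN, ("33.33.33.33", 443)))   # ('normal', original dst)
```

With the constructed values the suspect packet totals about 0.80 and is redirected while the benign one totals 0.05 and is forwarded; raising a single feature's weight is how a user biases the decision toward, for example, the list-based J over the noisier change-rate G.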
It should be understood that the above embodiments are merely exemplary embodiments used to illustrate the principle of the present invention, but the present invention is not limited thereto. For those skilled in the art, various changes and modifications can be made without departing from the spirit and essence of the present invention, and these changes and modifications are also regarded as falling within the scope of protection of the present invention.

Claims (10)

1. a kind of Botnet analysis method of the home router based on raspberry pie design based on raspberry pie design, feature It is, comprising the following steps:
A. it carries out the network port using the library pyshark in python and monitors to extract network traffic information, and by the letter of extraction Breath carries out data preservation;
B. calculate according to the data obtained in step A and obtain traffic characteristic;
C. the value of the calculated traffic characteristic of step B is added up by weight, obtains threat value;
D. matching detection is carried out to threat value, therefore, it is determined that whether the network flow is Botnet flow.
2. a kind of Botnet analysis method of home router based on raspberry pie design according to claim 1, It is characterized in that, is specifically that the information of extraction is saved as into json format in the form of [key:value] value pair in the step A Data.
3. a kind of Botnet analysis method of home router based on raspberry pie design according to claim 2, It is characterized in that, is specifically that traffic characteristic is obtained by calculating to the data of the json format of acquisition in the step B, it is specific to count Include:
S1. the daily average similarity of IP is calculated;
S2. port threat value is calculated;
S3. inquiry IP distribution show that IP is distributed threat value;
S4. domain name random character ratio is calculated;
S5. current network flow change rate is calculated.
4. a kind of Botnet analysis method of home router based on raspberry pie design according to claim 3, It is characterized in that, the calculation that the daily average similarity of IP is calculated in the S1 is as follows:
Wherein, I indicates the average similarity of n days IP, and n indicates number of days, dI, jFor i-th day and the IP address and access in jth day The Euclidean distance of quantity.
5. a kind of Botnet analysis method of home router based on raspberry pie design according to claim 3, It is characterized in that, the calculation of the S2 middle port threat value is as follows: P=(1- (r-1)/A)2r, wherein r is known disclosed Botnet query-attack port ranking, A are all virtual port quantity.
6. The botnet analysis method of a home router based on Raspberry Pi design according to claim 3, characterized in that querying the IP distribution in S3 to obtain the IP distribution threat value J specifically includes:
S3.1 extracting the IP address from the network flow forwarded by the router, or performing DNS resolution on the domain name to obtain the real IP address;
S3.2 judging according to the IP address: if it is an intranet IP address or a local address, no analysis is performed and the IP distribution threat value is J_1;
S3.3 if the IP address is an external IP address, judging whether the IP address is in the whitelist or the blacklist; if it is in the whitelist, no analysis is performed and the IP distribution threat value is J_0; if it is in the blacklist, the IP distribution threat value is J_3;
S3.4 if the IP address is an external IP address and the IP is geolocated abroad, the IP distribution threat value is J_2;
where 0 ≤ J_0 < J_1 < J_2 < J_3 ≤ 1.
7. The botnet analysis method of a home router based on Raspberry Pi design according to claim 6, characterized in that J_0 equals 0 and J_3 equals 1.
8. The botnet analysis method of a home router based on Raspberry Pi design according to claim 3, characterized in that the domain name random character ratio in S4 is calculated as follows: where n is the number of runs of contiguous letters or contiguous digits in the domain name, a_i is the length of the i-th run of contiguous letters or contiguous digits in the domain name, l_j is the length of a run of contiguous digits in the domain name, l_k is the length of a run of contiguous letters in the domain name, where a run of contiguous digits and a run of contiguous letters need an empty character interval to be linked together, and A is the total length of the domain name string.
9. The botnet analysis method of a home router based on Raspberry Pi design according to claim 3, characterized in that the current network flow change rate in S5 is calculated as follows: where F(x) is the function of the network flow with respect to time.
10. The botnet analysis method of a home router based on Raspberry Pi design according to claim 3, characterized in that step D compares the threat value obtained in step C with a preset threshold, specifically: when the threat value is greater than or equal to the preset threshold, the network flow is judged to be botnet traffic; otherwise, the network flow is judged not to be botnet traffic.
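The scoring pipeline of claims 5, 6, 7 and 10 run over constructed flow records, as an added example that is not the patent's own code. The records stand in for the [key:value] JSON that step A (pyshark capture) would produce, so no live capture is needed. The ranked list of botnet ports, the whitelist and blacklist, the values of J_1 and J_2, the feature weights of step C and the preset threshold of claim 10 are all assumptions made for the example; the features whose formulas are not reproduced in the claim text (daily IP similarity, domain random character ratio, flow change rate) are left out.

```python
# Added example (not the patent's own code): threat scoring of claims 5, 6, 7
# and 10 applied to constructed flow records in the [key:value] JSON form of claim 2.
# Port ranking, whitelist/blacklist, J1/J2, weights and threshold are assumptions.
import ipaddress
import json

# Stand-in for step A output (pyshark capture saved as JSON); constructed records.
SAMPLE_FLOWS_JSON = json.dumps([
    {"dst_ip": "192.168.1.20", "dst_port": 443, "country": "CN"},
    {"dst_ip": "203.0.113.7", "dst_port": 23, "country": "US"},
    {"dst_ip": "198.51.100.9", "dst_port": 8080, "country": "CN"},
])

# Assumed ranking of ports seen in publicly reported botnet activity (rank 1 first).
KNOWN_BOTNET_PORTS = [23, 2323, 7547, 80, 8080, 5555]
ALL_PORTS = 65536             # A in claim 5: total number of ports
WHITELIST = {"198.51.100.9"}  # constructed
BLACKLIST = {"203.0.113.7"}   # constructed
J0, J1, J2, J3 = 0.0, 0.25, 0.6, 1.0  # claim 7 fixes J0 = 0 and J3 = 1; J1, J2 assumed
WEIGHTS = {"port": 0.5, "ip": 0.5}    # assumed weights for step C of claim 1
THRESHOLD = 0.5                        # assumed preset threshold of claim 10

# Intranet / local ranges for the claim's "intranet or local address" test. Explicit
# networks are used because ipaddress.is_private also flags documentation ranges
# such as 203.0.113.0/24, which this example uses as public sample addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def port_threat(port):
    """Claim 5: P = (1 - (r-1)/A)^(2r) for a ranked port; unranked ports score 0 (assumption)."""
    if port not in KNOWN_BOTNET_PORTS:
        return 0.0
    r = KNOWN_BOTNET_PORTS.index(port) + 1
    return (1 - (r - 1) / ALL_PORTS) ** (2 * r)


def ip_distribution_threat(ip, country, home_country="CN"):
    """Claim 6, steps S3.2 to S3.4, with claim 7's J0 = 0 and J3 = 1."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return J1                      # S3.2: intranet or local address
    if ip in WHITELIST:
        return J0                      # S3.3: whitelisted external address
    if ip in BLACKLIST:
        return J3                      # S3.3: blacklisted external address
    if country != home_country:
        return J2                      # S3.4: external address located abroad
    return J1  # unlisted domestic external address: not covered by the claim, assumed J1


def threat_value(flow):
    """Step C of claim 1: weighted sum of the per-feature values."""
    features = {
        "port": port_threat(flow["dst_port"]),
        "ip": ip_distribution_threat(flow["dst_ip"], flow["country"]),
    }
    return sum(WEIGHTS[name] * value for name, value in features.items())


def is_botnet_flow(flow, threshold=THRESHOLD):
    """Claim 10: a threat value at or above the preset threshold means botnet traffic."""
    return threat_value(flow) >= threshold


def analyse(flows_json):
    """Run the pipeline over step-A JSON; returns (dst_ip, threat value, verdict) tuples."""
    return [(f["dst_ip"], round(threat_value(f), 4), is_botnet_flow(f))
            for f in json.loads(flows_json)]


if __name__ == "__main__":
    for row in analyse(SAMPLE_FLOWS_JSON):
        print(row)
```

The third record shows why the weighted sum matters: port 8080 alone yields a port threat value close to 1, but because the destination is whitelisted (J_0 = 0) the combined value stays just below the threshold, so a single strong feature does not by itself produce a botnet verdict under the assumed weights.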
CN201910823540.2A 2019-09-02 2019-09-02 Botnet analysis method of home router based on raspberry group design Active CN110493253B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910823540.2A CN110493253B (en) 2019-09-02 2019-09-02 Botnet analysis method of home router based on raspberry group design

Publications (2)

Publication Number Publication Date
CN110493253A true CN110493253A (en) 2019-11-22
CN110493253B CN110493253B (en) 2021-06-22

Family

ID=68556022

Country Status (1)

Country Link
CN (1) CN110493253B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111092881A (en) * 2019-12-12 2020-05-01 杭州安恒信息技术股份有限公司 Access interception method, device, equipment and readable storage medium
CN112019523A (en) * 2020-08-07 2020-12-01 贵州黔源电力股份有限公司 Network auditing method and device for industrial control system
CN113709744A (en) * 2021-10-28 2021-11-26 连连(杭州)信息技术有限公司 Wi-Fi control method and device, electronic equipment and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103001825A (en) * 2012-11-15 2013-03-27 中国科学院计算机网络信息中心 Method and system for detecting DNS (domain name system) traffic abnormality
CN103152442A (en) * 2013-01-31 2013-06-12 中国科学院计算机网络信息中心 Detection and processing method and system for botnet domain names
CN105721406A (en) * 2014-12-05 2016-06-29 中国移动通信集团广东有限公司 Method and device for obtaining IP black list
CN105897714A (en) * 2016-04-11 2016-08-24 天津大学 Botnet detection method based on DNS (Domain Name System) flow characteristics
CN106789459A (en) * 2016-12-07 2017-05-31 中国人民解放军理工大学 A kind of smart machine control device and control method based on raspberry group
CN107508816A (en) * 2017-08-31 2017-12-22 杭州迪普科技股份有限公司 A kind of attack traffic means of defence and device
US20180083990A1 (en) * 2015-04-20 2018-03-22 John Richard Abe Network Security Device and Application
CN108494746A (en) * 2018-03-07 2018-09-04 长安通信科技有限责任公司 A kind of network port Traffic anomaly detection method and system
CN108512805A (en) * 2017-02-24 2018-09-07 腾讯科技(深圳)有限公司 A kind of network security defence method and network security defence installation
CN109117341A (en) * 2018-08-14 2019-01-01 郑州云海信息技术有限公司 A kind of monitoring method of virtual machine, device, equipment and medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李可: "僵尸网络发展研究", 《计算机研究与发展》 *
黄祥才,张志伟,彭意兵,何顶新: "一种基于Thread的Ipv6智能家居解决方案", 《单片机与嵌入式系统应用》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant