CN110493253B - Botnet analysis method of a home router based on a Raspberry Pi design - Google Patents


Info

Publication number: CN110493253B
Application number: CN201910823540.2A
Authority: CN (China)
Prior art keywords: botnet, address, flow, domain name, threat value
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN110493253A
Inventors: 孙祥, 张攀, 常清雪
Current assignee: Sichuan Changhong Electric Co Ltd
Original assignee: Sichuan Changhong Electric Co Ltd
Application filed by Sichuan Changhong Electric Co Ltd; priority to CN201910823540.2A; publication of CN110493253A; application granted; publication of CN110493253B.

Classifications

All classes fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 45/00 Routing or path finding of packets in data switching networks; H04L 45/60 Router architectures
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming; H04L 61/45 Network directories, name-to-address mapping; H04L 61/4505 using standardised directories or directory access protocols; H04L 61/4511 using the domain name system [DNS]
    • H04L 63/00 Network architectures or protocols for network security; H04L 63/10 controlling access to devices or network resources; H04L 63/101 Access control lists [ACL]
    • H04L 63/14 detecting or protecting against malicious traffic; H04L 63/1408 by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a botnet analysis method for a home router based on a Raspberry Pi design, comprising the following steps: A. monitoring a network interface with the pyshark library in Python to extract network traffic information, and storing the extracted information; B. calculating traffic features from the data obtained in step A; C. accumulating the traffic feature values through weights to obtain a threat value; D. performing matching detection on the threat value to judge whether the network traffic is botnet traffic. The method extracts and computes the router's network traffic and then compares and analyses the computed result, thereby solving the problem that existing small home routers detect and handle botnets with insufficient accuracy.

Description

Botnet analysis method of a home router based on a Raspberry Pi design
Technical Field
The invention relates to the technical field of the Internet of Things, in particular to a botnet analysis method for a home router based on a Raspberry Pi design.
Background
With the continuing development of social informatization and the Internet, all kinds of Internet of Things (IoT) devices have entered people's daily lives. While IoT devices make life more convenient, they have also become both a target and a tool for attackers.
A botnet compromises a target system through a vulnerability and then, under remote instruction, downloads a trojan that hides in the IoT device, turning the device into a controlled puppet. The harms of botnets include, but are not limited to: launching DDoS attacks with large numbers of zombie clients, infecting other systems to recruit new zombie clients, sending spam, phishing, and information theft. A botnet is a high-risk information security threat whose defining properties are that it spreads and that it is highly controllable.
The workflow of a botnet begins with discovering and exploiting vulnerabilities: by social engineering, by a system bug, by a leftover trojan backdoor, or by password guessing/cracking. Communication with the C&C (command and control) server informs it that a new client has come online; today's botnets use various encrypted communication channels to evade IDS, firewalls and other forms of network interception. The purpose of C&C communication is to update the client module and the list of client names, IP addresses or channel names of C&C servers that may exist, just as clients are notified when a server comes online in trojan attacks. The C&C server relays communication between the zombie clients and the bot herder: the bot herder sends an instruction to the C&C server, and the C&C server forwards it to the zombie clients.
At present, enterprises or organizations can detect whether an intranet system is infected with a botnet at two levels, network and system: the network level comprises traffic detection, firewall/NIDS and log analysis, and the system level comprises honeypot deployment and log analysis. For home networks, however, no small home router dedicated to detecting botnets is currently available, so household IoT devices are difficult to protect. It is therefore very necessary to build a small home router that can detect, block and isolate botnet traffic in order to counter botnet crime, and that collects botnet traffic logs for behavioural research.
Botnets differ from other malware in that they have a unified, highly controllable system, their clients are not confined to any one country or region, and there is hardly any difference between botnet traffic and normal traffic. It is therefore impossible to decide from a single flow whether it is botnet traffic; a large amount of data must be compared and analysed with an accurate calculation method, and accurately judging whether a botnet exists is very difficult.
Disclosure of Invention
The invention aims to overcome the defects of the background art and to provide a botnet analysis method for a home router based on a Raspberry Pi design, which extracts and computes the router's network traffic and then compares and analyses the computed result, thereby solving the problem that existing small home routers detect and handle botnets with insufficient accuracy.
To achieve this technical effect, the invention adopts the following technical scheme:
A botnet analysis method for a home router based on a Raspberry Pi design comprises the following steps:
A. monitoring a network interface with the pyshark library in Python to extract network traffic information, and storing the extracted information;
B. calculating traffic features from the data obtained in step A;
C. accumulating the traffic feature values calculated in step B through weights to obtain a threat value, where the specific weight of each feature value can be set by the user according to the actual situation;
D. performing matching detection on the threat value to judge whether the network traffic is botnet traffic.
Further, in step A, the extracted information is stored as data in JSON format in the form of [key: value] pairs.
Further, in step B, the traffic features are obtained by calculating on the JSON-format data, and the specific calculations include:
S1, calculating the daily average similarity of an IP;
S2, calculating a port threat value;
S3, querying the IP distribution to obtain an IP distribution threat value;
S4, calculating the domain name random feature ratio;
S5, calculating the current network traffic change rate.
Further, the daily average IP similarity in S1 is calculated as follows:
Figure BDA0002188336090000031
where I represents the average similarity of the IP over n days, n is the number of days, and d_{i,j} is the Euclidean distance between (IP address, access count) on day i and day j. The Euclidean distance is a commonly used distance definition: the true distance between two points in an m-dimensional space. Because a normal IP address has similar query and access counts from day to day, whereas a botnet IP has unstable query and access counts that differ greatly between days, querying how much an IP's query count differs between days helps to judge whether the IP address belongs to a botnet.
Further, the port threat value in S2 is calculated as follows: P = (1 - (r-1)/A)^(2r), where r is the rank of the port in a known public survey of botnet attack request ports, and A is the number of all port numbers, with a general default value of 65535. The larger the calculated port threat value, the higher the probability that the traffic on that port is botnet traffic. Because one of the harms of botnets is to attack and brute-force a service port exposed by a server, identifying high-risk access ports in network traffic is also one of the effective means of screening out botnet traffic.
Further, querying the IP distribution in S3 to obtain the IP distribution threat value J specifically comprises:
S3.1, extracting the IP address from the network traffic forwarded by the router, or performing a DNS (domain name system) lookup on the domain name to obtain the real IP address;
S3.2, judging by the IP address: if it is an intranet IP address or a local address, no analysis is performed and the IP distribution threat value is J1;
S3.3, if the IP address is an external-network IP address, judging whether it is in the whitelist or the blacklist; if it is in the whitelist, no analysis is performed and the IP distribution threat value is J0; if it is in the blacklist, the IP distribution threat value is J3; the whitelist and the blacklist can be customised by the user;
S3.4, if the IP address is an external-network IP address and its attribution is abroad, the IP distribution threat value is J2; where 0 ≤ J0 < J1 < J2 < J3 ≤ 1. Because botnets spread very strongly, are mainly concentrated in North America and Europe, and their domain names can be queried from the regions they have infected, querying the IP distribution range can further identify botnets.
Further, J0 equals 0 and J3 equals 1.
Further, the domain name random feature ratio in S4 is calculated as follows:
Figure BDA0002188336090000041
where n is the number of runs of consecutive letters or consecutive digits in the domain name, a_i is the length of the i-th run of consecutive letters or consecutive digits, l_j is the length of a run of consecutive digits, l_k is the length of a run of consecutive letters (consecutive digits and consecutive letters are joined directly with no separating character), A is the total length of the domain name string, and the max(x) function denotes the maximum value of x. Because nobody browses or accesses a botnet domain name as a normal user would, its domain name need not be memorable; typically the domain name string is randomly generated, often as a mixture of digits and letters, and generally without multi-level domain names. For the domain name random feature ratio, the larger the ratio, the greater the likelihood that the domain belongs to a botnet.
Further, the current network traffic change rate in S5 is calculated as follows:
Figure BDA0002188336090000051
where f(x) is network traffic as a function of time. The network traffic change rate mainly describes a sharp rising trend in network traffic and the over-large state of the traffic after it rises: when the botnet client exchanges commands with the C&C (command and control) server or executes a function, there is a sudden increase in network traffic, and such a sudden increase is abnormal. When the router's CPU and memory cannot bear the load because of the excessive traffic, further analysis can be performed by traffic sampling, and the above calculation can serve as an auxiliary basis for judgment.
Further, step D compares the threat value obtained in step C with a default threshold, specifically: when the threat value is greater than or equal to the default threshold, the network traffic is judged to be botnet traffic; otherwise, the network traffic is judged not to be botnet traffic. The default threshold can be set according to the specific conditions.
Compared with the prior art, the invention has the following beneficial effects:
The botnet analysis method of a home router based on a Raspberry Pi design rebuilds a Raspberry Pi computer into a home router and monitors and analyses the network traffic passing through the router with a Python script; it then extracts traffic features for detection matching, adds to the threat value of network traffic that hits a detection rule, and when the threat value exceeds the default threshold (whose size can be defined by the user) judges the traffic to be botnet traffic, intercepts it, and stores the data in a database for long-term analysis and comparison.
This overcomes the shortcomings of existing small home routers in detecting and handling botnets, and achieves, by means of traffic analysis, the goal of extracting botnet traffic logs from network traffic and further analysing and handling the botnet. At the same time, a router built from a Raspberry Pi has the advantages of small size, powerful functionality, low power consumption, high performance and strong extensibility; the list-based detection method provides more user-friendly and flexible botnet detection rules; and the front-end display module can show the router's network traffic, making it easier for the user to observe and keep track of botnet traffic.
Drawings
FIG. 1 is a schematic diagram of the Raspberry Pi router design concept according to the present invention.
FIG. 2 is a schematic diagram of the detection and processing flow of the botnet analysis method of a home router based on a Raspberry Pi design according to the present invention.
FIG. 3 is a schematic diagram of the list-system detection rules and the data acquisition flow in the botnet analysis method of a home router based on a Raspberry Pi design according to the present invention.
Detailed Description
The invention is further elucidated and described with reference to the embodiments described hereinafter.
Examples:
Embodiment 1:
First, this embodiment specifically discloses a method of configuring a Raspberry Pi as a routing device; as shown in FIG. 1, building a home router from a Raspberry Pi with a wireless network card specifically comprises the following steps:
Step one: prepare a Raspberry Pi 3 Model B+, a wireless network card (AR9271 chip, FAST FW150UD), a power supply (5 V, 2 A) and two network cables.
Step two: prepare a 128 MB SD card and write the OpenWrt disk image file to it. OpenWrt provides a writable file system with add-on packages.
Step three: create the boot disk (with the command dd if=<path>/name.img of=/dev/sdX, where <path>/name.img is the absolute path and file name of the OpenWrt image and sdX is the device name).
Step four: modify the default IPv4 address of the on-board network card.
Step five: install the USB network card driver and hostapd (open a browser, enter the configured address to reach the OpenWrt configuration management interface, select System -> Software, and click to update the software list). hostapd is a tool that can establish an open or encrypted (WEP, WPA2, etc.) wireless network.
Step six: restart the Raspberry Pi.
Step seven: create two databases on the Raspberry Pi: a list-system database (fields: unique id, list type, domain name, IP) and a botnet log database (fields: unique id, domain name, IP, traffic features).
Step eight: download and install the Python environment on the Raspberry Pi and run the Python script; this completes the botnet-analysis router based on the Raspberry Pi design.
FIG. 2 shows the botnet analysis method using the home router built on the Raspberry Pi. It should be noted that other methods of configuring a Raspberry Pi as a routing device exist in the prior art, and in practice one can be selected according to the specific situation.
The botnet analysis method of the home router based on a Raspberry Pi design in this embodiment specifically comprises:
Step 1: monitor a network interface with the pyshark library in Python to extract network traffic information, and store the extracted information as JSON-format data in the form of [key: value] pairs.
Network traffic data is acquired by a script written with the pyshark library in Python. pyshark can sniff on a network interface and obtain the complete information of each packet; the analysis log used in the analysis step is then screened out by regular-expression matching.
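As an added worked example (not the patent's own script), the following Python code shows one way to realise step 1: each pyshark packet is flattened into a [key: value] record, screened with regular expressions, and appended to a JSON-lines store. The record field names, the regular expressions, the JSON-lines layout and the SamplePacket stand-in used to exercise the logic without a capture are assumptions; pyshark's LiveCapture, sniff_continuously, packet.ip, packet.transport_layer, packet[layer].dstport, packet.dns.qry_name and packet.sniff_time are the library's real attributes.

```python
import json
import re
from datetime import datetime
from types import SimpleNamespace

try:
    import pyshark  # real library, needed only for a live capture
except ImportError:  # the record logic below still works without it
    pyshark = None

# Screening patterns (constructed for this example): a syntactically valid hostname
# and an IPv4 dotted quad. Records failing them never reach the analysis step.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def packet_to_record(pkt):
    """Flatten a pyshark packet (or any object with the same attribute layout)
    into a dict of key: value pairs; returns None for non-IP frames."""
    ip = getattr(pkt, "ip", None)
    if ip is None:
        return None
    transport = getattr(pkt, "transport_layer", None)  # "TCP", "UDP" or None
    dst_port = int(pkt[transport].dstport) if transport else None
    dns = getattr(pkt, "dns", None)
    qname = getattr(dns, "qry_name", None) if dns is not None else None
    ts = getattr(pkt, "sniff_time", None)
    return {
        "time": ts.isoformat() if isinstance(ts, datetime) else None,
        "src": str(ip.src),
        "dst": str(ip.dst),
        "proto": transport,
        "dst_port": dst_port,
        "domain": str(qname) if qname else None,
    }


def record_passes_screen(rec):
    """Regular-expression screening of one record."""
    if not (IPV4_RE.match(rec["src"]) and IPV4_RE.match(rec["dst"])):
        return False
    if rec["domain"] is not None and not HOSTNAME_RE.match(rec["domain"]):
        return False
    return True


def encode_records(records):
    """Screen records and return them as JSON lines (one [key: value] object each)."""
    return [json.dumps(r, sort_keys=True) for r in records
            if r is not None and record_passes_screen(r)]


def store_records(records, path):
    """Append screened records to a JSON-lines file; returns the number written."""
    lines = encode_records(records)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write("".join(line + "\n" for line in lines))
    return len(lines)


def capture_to_store(interface, path, packet_count=100):
    """Live capture with pyshark (needs capture privileges on the interface)."""
    if pyshark is None:
        raise RuntimeError("pyshark is not installed")
    cap = pyshark.LiveCapture(interface=interface)
    packets = cap.sniff_continuously(packet_count=packet_count)
    return store_records((packet_to_record(p) for p in packets), path)


class SamplePacket:
    """Constructed stand-in with pyshark's attribute layout, so the record logic
    can be exercised offline. It is not a pyshark object."""

    def __init__(self, src, dst, transport=None, dst_port=None, qname=None):
        self.ip = SimpleNamespace(src=src, dst=dst)
        self.transport_layer = transport
        self.sniff_time = datetime(2019, 9, 2, 12, 0, 0)  # constructed timestamp
        if transport:
            setattr(self, transport.lower(), SimpleNamespace(dstport=str(dst_port)))
        if qname:
            self.dns = SimpleNamespace(qry_name=qname)

    def __getitem__(self, layer):
        return getattr(self, layer.lower())
```

The stored record deliberately carries only the fields the later steps consume (endpoints, destination port, queried domain name, timestamp); the feature functions of step 2 read these keys rather than the raw packet.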
Step 2: calculate traffic features from the JSON-format data obtained; in the Python script, each traffic feature is implemented by a different function.
The specific calculations include:
S1, calculating the daily average IP similarity I.
The calculation method is as follows:
Figure BDA0002188336090000081
where I represents the average similarity of the IP over n days, n is the number of days, and d_{i,j} is the Euclidean distance between (IP address, access count) on day i and day j. The Euclidean distance is a commonly used distance definition: the true distance between two points in an m-dimensional space. Because a normal IP address has similar query and access counts from day to day, whereas a botnet IP has unstable query and access counts that differ greatly between days, querying how much an IP's query count differs between days helps to judge whether the IP address belongs to a botnet.
Assume the IP of the local Raspberry Pi router is 11.11.11.11 and the botnet IP is 22.22.22.22. Converting the IP addresses to binary gives 00001011000010110000101100001011 and 00010110000101100001011000010110; taking the binary value as the first variable x and the botnet's daily query count as the second variable y, the two-dimensional Euclidean distance formula is:
Figure BDA0002188336090000082
Assume that an IP or domain name has 10 queries on the first and second days, 30000 queries on the third day, and 40 queries on the fourth day. Calculating the daily average IP similarity from the third day according to the formula gives
Figure BDA0002188336090000083
and the daily average IP similarity on the fourth day is
Figure BDA0002188336090000084
S2, calculating the port threat value P.
The calculation method is as follows: P = (1 - (r-1)/A)^(2r), where r is the rank of the port in a known public survey of botnet attack request ports, and A is the number of all port numbers, with a general default value of 65535. The larger the calculated port threat value, the higher the probability that the traffic on that port is botnet traffic. Because one of the harms of botnets is to attack and brute-force a service port exposed by a server, identifying high-risk access ports in network traffic is also one of the effective means of screening out botnet traffic.
In this embodiment, if the port requested by the network traffic is port 23, and this port is ranked 10th in the botnet port threat survey, the port threat value is: P = (1 - (10-1)/65535)^20 = 0.9973.
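The port threat value P = (1 - (r-1)/A)^(2r) as an added Python example (not the patent's code). The ranking table is constructed for illustration and is not a published survey, apart from rank 10 for port 23, which matches the worked example above; treating unranked ports as P = 0 is an assumption. The helper ranking_where_value_drops_below goes beyond the page's single calculation and shows how fast the value decays along the ranking: under this formula a port ranked around 150 already scores below 0.5, so the feature only discriminates among the top few hundred ports.

```python
ALL_PORTS = 65535  # A: the number of all port numbers (the page's default)

# Constructed illustration of r, the rank of a port in a botnet attack-request
# survey. Rank 10 for port 23 matches the worked example; the others are made up.
SAMPLE_PORT_RANKING = {23: 10, 22: 11, 80: 12, 443: 13}


def port_threat_value(rank, all_ports=ALL_PORTS):
    """P = (1 - (r-1)/A)^(2r); rank 1 is the most attacked port."""
    if not 1 <= rank <= all_ports:
        raise ValueError("rank must lie in [1, A]")
    return (1.0 - (rank - 1) / all_ports) ** (2 * rank)


def port_threat_for(port, ranking=SAMPLE_PORT_RANKING, all_ports=ALL_PORTS):
    """Look the destination port up in the ranking. Unranked ports receive
    P = 0 (an assumption; the page does not say how they are treated)."""
    rank = ranking.get(port)
    return 0.0 if rank is None else port_threat_value(rank, all_ports)


def ranking_where_value_drops_below(threshold, all_ports=ALL_PORTS):
    """Smallest rank r with P(r) < threshold. P is strictly decreasing in r
    (the base shrinks while the exponent grows), so the loop terminates and the
    result tells how deep into the ranking the feature still carries weight."""
    r = 1
    while port_threat_value(r, all_ports) >= threshold:
        r += 1
    return r
```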
S3, querying the IP distribution to obtain the IP distribution threat value J.
This specifically comprises the following steps:
S3.1, extracting the IP address from the network traffic forwarded by the router, or performing a DNS (domain name system) lookup on the domain name to obtain the real IP address;
S3.2, judging by the IP address: if it is an intranet IP address or a local address, no analysis is performed and the IP distribution threat value is J1;
S3.3, if the IP address is an external-network IP address, judging whether it is in the whitelist or the blacklist; if it is in the whitelist, no analysis is performed and the IP distribution threat value is J0; if it is in the blacklist, the IP distribution threat value is J3; the whitelist and the blacklist can be customised by the user;
S3.4, if the IP address is an external-network IP address and its attribution is abroad, the IP distribution threat value is J2; where 0 ≤ J0 < J1 < J2 < J3 ≤ 1.
Specifically, as shown in FIG. 3, the way data is acquired and the way the blacklist and whitelist are determined in this embodiment are as follows: the system creates a list-system database, which is used to set the blacklist and whitelist rules manually. For the blacklist, in addition to manually added blacklisted domain names or IPs, blacklisted domain names and IP addresses are also periodically extracted from the intercepted botnet analysis logs. Before the system performs traffic feature matching, it first queries the list-system database. If a blacklisted domain name or IP address matches, the packet is directly regarded as botnet traffic; if a whitelisted domain name or IP address matches, matching detection is not performed and the traffic is released directly as normal traffic.
Because botnets spread very strongly, are mainly concentrated in North America and Europe, and their domain names can be queried from the regions they have infected, querying the IP distribution range can further identify botnets.
Specifically, the IP distribution threat values J0, J1, J2 and J3 can be customised. The IP address judgment is performed by submitting the IP address to the database for comparison and judging by the return value. In this embodiment, J0 = 0 and J3 = 1.
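S3.1 to S3.4 together with the list-system database of step seven, as an added Python example (not the patent's code). The table layout follows the fields the embodiment names (unique id, list type, domain name, IP); J0 = 0 and J3 = 1 follow the page; J1 = 0.3 and J2 = 0.6, the is_foreign callback standing in for the IP attribution query, resolving a value that appears on both lists as black, and assigning J1 to an unlisted, domestic external address (a case the page leaves open) are assumptions. Intranet or local addresses are taken to be the RFC 1918 ranges plus loopback and link-local; the sample addresses are from the RFC 5737 documentation ranges.

```python
import ipaddress
import sqlite3

# Threat levels, 0 <= J0 < J1 < J2 < J3 <= 1. J0 = 0 and J3 = 1 follow the page;
# J1 and J2 are assumed values.
J0, J1, J2, J3 = 0.0, 0.3, 0.6, 1.0

# "Intranet or local" addresses: RFC 1918 private ranges plus loopback and
# link-local (an assumption about what the page means by intranet/local).
INTRANET_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def open_list_db(entries):
    """Create the list-system database in memory with the fields the embodiment
    names (unique id, list type, domain name, IP) and load (list_type, domain, ip)
    rows, list_type being 'white' or 'black'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE list_system ("
               "id INTEGER PRIMARY KEY, list_type TEXT NOT NULL, domain TEXT, ip TEXT)")
    db.executemany(
        "INSERT INTO list_system (list_type, domain, ip) VALUES (?, ?, ?)", entries)
    db.commit()
    return db


def lookup_list(db, ip=None, domain=None):
    """Return 'black', 'white' or None for the address and/or domain. A value that
    sits on both lists resolves to black (assumption)."""
    rows = db.execute(
        "SELECT list_type FROM list_system WHERE ip = ? OR domain = ?",
        (ip, domain)).fetchall()
    types = {row[0] for row in rows}
    if "black" in types:
        return "black"
    if "white" in types:
        return "white"
    return None


def is_intranet_or_local(ip):
    """S3.2 test on an ipaddress object."""
    return any(ip in net for net in INTRANET_NETS)


def ip_distribution_threat(ip_str, db, is_foreign, domain=None):
    """S3.2 to S3.4. ip_str is the address from S3.1 (taken from the forwarded
    traffic or resolved from the domain); is_foreign(ip_str) -> bool stands in
    for the IP attribution query."""
    ip = ipaddress.ip_address(ip_str)
    if is_intranet_or_local(ip):                        # S3.2: not analysed
        return J1
    hit = lookup_list(db, ip=ip_str, domain=domain)     # S3.3: external, check lists
    if hit == "white":
        return J0
    if hit == "black":
        return J3
    if is_foreign(ip_str):                              # S3.4: external, attributed abroad
        return J2
    return J1  # external, unlisted, domestic: not assigned on the page; assumed J1
```

Because the list database is consulted before any feature matching, a blacklist hit short-circuits the whole pipeline with J3 = 1 and a whitelist hit with J0 = 0, which is exactly the behaviour FIG. 3 describes; the geolocation step only runs for unlisted external addresses.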
S4, calculating the domain name random feature ratio R.
The calculation method is as follows:
Figure BDA0002188336090000101
where n is the number of runs of consecutive letters or consecutive digits in the domain name, a_i is the length of the i-th run of consecutive letters or consecutive digits, l_j is the length of a run of consecutive digits, l_k is the length of a run of consecutive letters (consecutive digits and consecutive letters are joined directly with no separating character), A is the total length of the domain name string, and the max(x) function denotes the maximum value of x. Because nobody browses or accesses a botnet domain name as a normal user would, its domain name need not be memorable; typically the domain name string is randomly generated, often as a mixture of digits and letters, and generally without multi-level domain names. For the domain name random feature ratio, the larger the ratio, the greater the likelihood that the domain belongs to a botnet.
In this embodiment, assuming the botnet domain name is kdiencs23hsjds4bf.cn, the domain name random feature ratio is
Figure BDA0002188336090000102
S5, calculating the current network traffic change rate G.
The calculation method is as follows:
Figure BDA0002188336090000111
where f(x) is network traffic as a function of time. The network traffic change rate mainly describes a sharp rising trend in network traffic and the over-large state of the traffic after it rises: when the botnet client exchanges commands with the C&C (command and control) server or executes a function, there is a sudden increase in network traffic, and such a sudden increase is abnormal. When the router's CPU and memory cannot bear the load because of the excessive traffic, further analysis can be performed by traffic sampling, and the above calculation can serve as an auxiliary basis for judgment.
For example, in this embodiment, assume the network traffic as a function of time is f(x) = 1 - (x-1)^2 (0 < x < 2); then G = max(2x^3 - 6x^2 + 4x) (0 < x < 2), so G ≈ 0.7869.
Step 3: accumulate the traffic feature values calculated in step 2 through weights to obtain the threat value; the specific weight of each feature value can be set by the user according to the actual conditions.
The above steps are the concrete implementation of the traffic features, the detailed formula calculations and the calculated results in the technical scheme. The threat values obtained by these calculations are accumulated according to their weights, and matching detection is then performed on the accumulated threat value. The embodiment is as follows:
Assume that the weights of the daily average IP similarity, the port threat value, the IP distribution query, the domain name random feature ratio and the current network traffic change rate are in the proportion 1:1:1:1:1; then:
total threat value = (1/5)I + (1/5)P + (1/5)R + (1/5)G + (1/5)J.
Step 4: perform matching detection on the total threat value to judge whether the network traffic is botnet traffic.
Specifically: when the total threat value is greater than or equal to the default threshold, the network traffic is judged to be botnet traffic; otherwise it is judged not to be botnet traffic. The default threshold can be set according to the specific conditions.
In this embodiment, the captured packet is taken as the input to this determination. If the total threat value exceeds the set default threshold, the packet is determined to be botnet feature traffic; its destination IP address and port are then changed, and the new IP address and port receive the blocked botnet traffic and at the same time write it into the database, thereby blocking the botnet traffic. If the total threat value is judged not to exceed the threshold, the traffic is forwarded normally as normal traffic.
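Steps 3 and 4 together as an added Python example (not the patent's code): the weighted accumulation of the five feature values, the threshold comparison, and the blocking action of rewriting the destination address and port to a sink that receives the blocked traffic while the packet is written to the botnet log. Weights are normalised so that the 1:1:1:1:1 case reproduces the (1/5)I + (1/5)P + (1/5)R + (1/5)G + (1/5)J formula above; the threshold 0.6, the sink address, the log entry layout and the sample values I = 0.8 and R = 0.7 are assumptions, while P = 0.9973, G = 0.7869 and J = 1 are the page's worked values.

```python
FEATURES = ("I", "P", "R", "G", "J")          # S1 to S5 in the order of step 3
DEFAULT_WEIGHTS = {k: 1.0 for k in FEATURES}  # the page's 1:1:1:1:1 embodiment
DEFAULT_THRESHOLD = 0.6                       # assumed; user-settable per the page
SINK = ("10.0.0.254", 9999)                   # assumed address:port receiving blocked traffic


def total_threat_value(features, weights=DEFAULT_WEIGHTS):
    """Weighted accumulation of the five feature values. Weights are normalised to
    sum to 1, so equal weights give (1/5)I + (1/5)P + (1/5)R + (1/5)G + (1/5)J."""
    missing = [k for k in FEATURES if k not in features]
    if missing:
        raise KeyError("missing feature values: %s" % ", ".join(missing))
    if any(weights.get(k, 0) < 0 for k in FEATURES):
        raise ValueError("weights must be non-negative")
    wsum = sum(weights.get(k, 0) for k in FEATURES)
    if wsum == 0:
        raise ValueError("at least one weight must be positive")
    return sum(weights.get(k, 0) * features[k] for k in FEATURES) / wsum


def is_botnet_traffic(features, threshold=DEFAULT_THRESHOLD, weights=DEFAULT_WEIGHTS):
    """Step 4: a total threat value >= threshold means botnet traffic."""
    return total_threat_value(features, weights) >= threshold


def dispose(record, features, log, threshold=DEFAULT_THRESHOLD, weights=DEFAULT_WEIGHTS):
    """Apply the step 4 decision to one stored record (the dict produced in step 1).
    Botnet traffic: the destination is rewritten to the sink and an entry is appended
    to the botnet log (domain name, IP, traffic features). Otherwise the record is
    returned unchanged apart from a 'blocked': False marker."""
    total = total_threat_value(features, weights)
    if total >= threshold:
        log.append({"domain": record.get("domain"), "ip": record["dst"],
                    "features": dict(features), "total": round(total, 4)})
        return dict(record, dst=SINK[0], dst_port=SINK[1], blocked=True)
    return dict(record, blocked=False)
```

The log entry keeps the original destination rather than the sink, since the botnet log database exists to record where the blocked traffic was going; the sink address only appears in the rewritten record that is forwarded.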
It will be understood that the above embodiments are merely exemplary embodiments used to illustrate the principles of the present invention, which is not limited to them. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to fall within the scope of the invention.

Claims (7)

1. A botnet analysis method of a home router based on a Raspberry Pi design, characterised by comprising the following steps:
A. monitoring a network interface with the pyshark library in Python to extract network traffic information, and storing the extracted information; specifically, the extracted information is stored as JSON-format data in the form of [key: value] pairs;
B. calculating traffic features from the data obtained in step A; specifically, the traffic features are obtained by calculating on the JSON-format data obtained, and the specific calculations include:
S1, calculating the daily average similarity of an IP;
S2, calculating a port threat value, calculated as follows: P = (1 - (r-1)/A)^(2r), where r is the rank of the port in a known public survey of botnet attack request ports, and A is the number of all port numbers;
S3, querying the IP distribution to obtain an IP distribution threat value;
S4, calculating the domain name random feature ratio;
S5, calculating the current network traffic change rate;
C. accumulating the traffic feature values calculated in step B through weights to obtain a threat value;
D. performing matching detection on the threat value to judge whether the network traffic is botnet traffic.
2. The botnet analysis method of a home router based on a Raspberry Pi design according to claim 1, wherein the daily average IP similarity in S1 is calculated as follows:
Figure FDA0002962238970000021
wherein I represents the average similarity of the IP addresses over n days, n is the number of days, and $d_{i,j}$ is the Euclidean distance between the IP addresses and numbers of visits on day i and day j.
3. The botnet analysis method for a home router based on raspberry pi design according to claim 1, wherein said querying the IP distribution in S3 to obtain an IP distribution threat value J specifically comprises:
S3.1, extracting an IP address from the network traffic forwarded by the router, or performing DNS resolution on a domain name to obtain the real IP address;
S3.2, judging according to the IP address: if the IP address is an intranet IP address or a local address, no analysis is performed and the IP distribution threat value is $J_1$;
S3.3, if the IP address is an external-network IP address, judging whether it is in a whitelist or a blacklist; if it is in the whitelist, no analysis is performed and the IP distribution threat value is $J_0$; if it is in the blacklist, the IP distribution threat value is $J_3$;
S3.4, if the IP address is an external-network IP address and its attribution is abroad, the IP distribution threat value is $J_2$;
wherein $0 \le J_0 < J_1 < J_2 < J_3 \le 1$.
4. The botnet analysis method for a raspberry pi based home router of claim 3, wherein $J_0$ is equal to 0 and $J_3$ is equal to 1.
5. The botnet analysis method for a home router based on raspberry pi of claim 1, wherein the random feature ratio of the domain name in S4 is calculated as follows:
Figure FDA0002962238970000031
wherein n is the number of strings of consecutive letters or consecutive digits in the domain name, $a_i$ is the length of the i-th such string of consecutive letters or consecutive digits in the domain name, $l_j$ is the length of a run of consecutive digits in the domain name, $l_k$ is the length of a run of consecutive letters in the domain name, where the consecutive digits and consecutive letters are joined together with no separating character, and A is the total length of the domain name string.
6. The botnet analysis method for a home router based on raspberry pi design according to claim 1, wherein the current network traffic change rate in S5 is calculated as follows:
Figure FDA0002962238970000032
where f (x) is the network traffic as a function of time.
7. The botnet analysis method for a home router based on raspberry pi design according to claim 1, wherein step D is to compare the threat value obtained in step C with a default threshold, specifically: when the threat value is greater than or equal to a default threshold value, judging that the network flow is botnet flow; otherwise, judging that the network flow is not the botnet flow.
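The following is an added walk-through of steps S2, S3, C and D of the claims, written for this page and not code from the patent: it applies the port threat formula as stated in claim 1, the whitelist/blacklist/attribution cases of claims 3 and 4, and the threshold rule of claim 7. The port ranking, address lists, weights, the values of $J_1$ and $J_2$, the threshold, and the scores given to unranked ports and to unlisted domestic addresses are all constructed assumptions, since the page does not fix them; the S1, S4 and S5 features whose formulas are not reproduced here are left out.

```python
import ipaddress

# Added illustration of the claimed scoring steps; every constant below is a
# constructed assumption, not a value from the patent.
A_VIRTUAL_PORTS = 65536                 # A in claim 1, S2: number of all ports
J0, J1, J2, J3 = 0.0, 0.2, 0.6, 1.0     # claim 4 fixes J0=0, J3=1; J1, J2 assumed
WEIGHTS = {"port": 0.4, "ip": 0.6}      # assumed weights for step C
THRESHOLD = 0.7                         # assumed default threshold for step D

# Constructed rank table r of known botnet request ports (rank 1 = most common)
KNOWN_BOTNET_PORT_RANK = {23: 1, 2323: 2, 7547: 3, 5555: 4}
# Constructed address lists; the ranges carry no real-world meaning here
WHITELIST = [ipaddress.ip_network("11.22.33.0/24")]
BLACKLIST = [ipaddress.ip_network("44.55.66.0/24")]
DOMESTIC = [ipaddress.ip_network("77.88.99.0/24")]  # stand-in for "home country" attribution


def port_threat(port: int) -> float:
    """S2: P = (1 - (r-1)/A)^(2r); ports not in the ranking score 0 (assumption)."""
    r = KNOWN_BOTNET_PORT_RANK.get(port)
    if r is None:
        return 0.0
    return (1 - (r - 1) / A_VIRTUAL_PORTS) ** (2 * r)


def ip_distribution_threat(ip_str: str) -> float:
    """S3.1-S3.4: map an address to J0..J3 following claims 3 and 4."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_private or ip.is_loopback:          # S3.2: intranet or local address
        return J1
    if any(ip in net for net in WHITELIST):      # S3.3: whitelist
        return J0
    if any(ip in net for net in BLACKLIST):      # S3.3: blacklist
        return J3
    if not any(ip in net for net in DOMESTIC):   # S3.4: attribution abroad
        return J2
    return J0  # external, domestic, unlisted: not covered by claim 3, assumed J0


def threat_value(port: int, ip_str: str) -> float:
    """Step C: weighted accumulation of the per-feature threat values."""
    features = {"port": port_threat(port), "ip": ip_distribution_threat(ip_str)}
    return sum(WEIGHTS[name] * value for name, value in features.items())


def is_botnet_flow(port: int, ip_str: str) -> bool:
    """Step D / claim 7: a threat value >= threshold is judged botnet flow."""
    return threat_value(port, ip_str) >= THRESHOLD


if __name__ == "__main__":
    for port, ip in [(23, "44.55.66.7"), (23, "8.8.8.8"), (80, "77.88.99.1")]:
        print(port, ip, round(threat_value(port, ip), 3), is_botnet_flow(port, ip))
```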
CN201910823540.2A 2019-09-02 2019-09-02 Botnet analysis method of home router based on raspberry group design Active CN110493253B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910823540.2A CN110493253B (en) 2019-09-02 2019-09-02 Botnet analysis method of home router based on raspberry group design

Publications (2)

Publication Number Publication Date
CN110493253A CN110493253A (en) 2019-11-22
CN110493253B true CN110493253B (en) 2021-06-22

Family

ID=68556022

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910823540.2A Active CN110493253B (en) 2019-09-02 2019-09-02 Botnet analysis method of home router based on raspberry group design

Country Status (1)

Country Link
CN (1) CN110493253B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111092881B (en) * 2019-12-12 2022-08-02 杭州安恒信息技术股份有限公司 Access interception method, device, equipment and readable storage medium
CN112019523A (en) * 2020-08-07 2020-12-01 贵州黔源电力股份有限公司 Network auditing method and device for industrial control system
CN113709744B (en) * 2021-10-28 2022-03-11 连连(杭州)信息技术有限公司 Wi-Fi control method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721406A (en) * 2014-12-05 2016-06-29 中国移动通信集团广东有限公司 Method and device for obtaining IP black list
CN105897714A (en) * 2016-04-11 2016-08-24 天津大学 Botnet detection method based on DNS (Domain Name System) flow characteristics
CN108494746A (en) * 2018-03-07 2018-09-04 长安通信科技有限责任公司 Network port traffic anomaly detection method and system
CN108512805A (en) * 2017-02-24 2018-09-07 腾讯科技(深圳)有限公司 Network security defence method and network security defence installation

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103001825B (en) * 2012-11-15 2016-03-02 中国科学院计算机网络信息中心 DNS traffic anomaly detection method and system
CN103152442B (en) * 2013-01-31 2016-06-01 中国科学院计算机网络信息中心 Detection and treatment method and system for botnet domain names
US20180083990A1 (en) * 2015-04-20 2018-03-22 John Richard Abe Network Security Device and Application
CN106789459A (en) * 2016-12-07 2017-05-31 中国人民解放军理工大学 Smart device control apparatus and control method based on raspberry pi
CN107508816A (en) * 2017-08-31 2017-12-22 杭州迪普科技股份有限公司 Attack traffic defence method and device
CN109117341A (en) * 2018-08-14 2019-01-01 郑州云海信息技术有限公司 Virtual machine monitoring method, device, equipment and medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
僵尸网络发展研究 (Research on the development of botnets); 李可 (Li Ke); 《计算机研究与发展》 (Journal of Computer Research and Development); 2016-10-08 (No. 10); 2189-2206 *

Also Published As

Publication number Publication date
CN110493253A (en) 2019-11-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant