CN116886380A - Botnet detection method and system - Google Patents

Info

Publication number: CN116886380A
Authority: CN (China)
Prior art keywords: host, software, data, network, evaluation coefficient
Legal status: Granted
Application number: CN202310908167.7A
Other languages: Chinese (zh)
Other versions: CN116886380B (en)
Inventor: 蔡晖
Current assignee: Beijing Zhongke Network Core Technology Co ltd
Original assignee: Beijing Zhongke Network Core Technology Co ltd

Events:
Application filed by Beijing Zhongke Network Core Technology Co ltd
Priority to CN202310908167.7A
Publication of CN116886380A
Application granted
Publication of CN116886380B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144 Detection or countermeasures against botnets

Abstract

The invention discloses a botnet detection method and a botnet detection system, and relates to the technical field of botnet monitoring.

Description

Botnet detection method and system
Technical Field
The invention relates to the technical field of botnet detection, in particular to a botnet detection method and a botnet detection system.
Background
Nowadays, rapid technological development and the variety of network technologies provide great convenience for people's life and work and make information easier to obtain. Because of that same diversity, however, people who enjoy the convenience of the network also face many dangers; for example, a botnet intrusion affects the operation of a host. Monitoring and analysis of botnets is therefore needed.
Current technology mainly monitors botnets, but because botnet behavior changes unpredictably, present monitoring is shallow and cannot handle botnets completely and flexibly. A great many network risks therefore remain: the operation of a host can be affected, the network can be partially paralyzed, services can be interrupted, data can be lost, network handling efficiency is reduced, and an individual's private and financial information can be leaked and cause losses, with that private information obtained by ill-intentioned parties for illegal gain.
Disclosure of Invention
Aiming at the technical defects, the invention aims to provide a botnet detection method and a botnet detection system.
In order to solve the technical problems, the invention adopts the following technical scheme: the present invention provides in a first aspect a method for detecting botnet, comprising: step one, analyzing the behavior of a host computer: the current host data transmission speed and the network rate are obtained through monitoring and analyzing the current host behavior, so that the host influence evaluation coefficient is analyzed, the progress speed of a host process is judged, and the second step is executed if the host process is slow;
step two, monitoring the operation of the host process: if the host process is slow, acquiring the downloading rate and the host space of the host data, further analyzing the host resource occupation evaluation coefficient, judging the transmissible condition of a host port, and if the port of the host cannot transmit, performing the step three;
step three, port analysis and judgment: if the port of the host cannot transmit, acquiring port information corresponding to the host, including domain name resolution of each network and port number of each network, judging normal use condition of the port of the host, and if the port of the host falls down, performing step four;
step four, host software information acquisition: the method comprises the steps of obtaining basic information of corresponding software in each host, wherein the basic information of each software comprises network data flow, data packet bytes, data request times, data transmission interval time, bytes of request data and bytes of response data;
step five, analyzing information of the host software: analyzing the operation evaluation coefficients of the corresponding software in each host according to the basic information of the corresponding software in each host;
step six, detecting by the host software: monitoring software in each host, acquiring the times of sending junk mails, the number of large data storage and network bytes by each software in each host, analyzing and obtaining an abnormal evaluation coefficient of the software in each host, and judging the depth of network paralysis;
step seven, abnormal warning prompt: and early warning and prompting are carried out on the abnormality of each software in each host.
Preferably, the host influence evaluation coefficient is analyzed and the progress speed of the host process is judged as follows:
the host influence evaluation coefficient is obtained from a calculation formula [formula not reproduced] in which the weight factors are those set for the host data transmission speed and the network rate, the measured quantities are the host data transmission speed and the network rate, and the reference quantities are the set host data transmission speed and the set network rate;
the host influence evaluation coefficient is then compared with the set host influence evaluation coefficient threshold value: if the coefficient is larger than the threshold value, the host process is judged to be slow; if it is smaller than the threshold value, the host process is judged to be normal.
Preferably, the host resource occupation evaluation coefficient is analyzed and the transmissible condition of the host port is judged as follows:
the host resource occupation evaluation coefficient is obtained from a calculation formula [formula not reproduced] in which the weight factors are those set for the download rate of host data and the host space, the reference quantities are the set download rate of host data and the set host space, and the measured quantities are the download rate of host data and the host space;
the host resource occupation evaluation coefficient is then compared with the set host resource occupation evaluation coefficient threshold value: if the coefficient is larger than the threshold value, host resource occupation is judged to be too large; if it is smaller than the threshold value, host resource occupation is judged to be normal.
Preferably, the normal use condition of the host port is judged as follows:
the network domain name resolution corresponding to the host is compared with the initial network domain name resolution corresponding to the host, and at the same time each network port number corresponding to the host is compared with the initial network port number corresponding to the host. If the network domain name resolution corresponding to the host is the same as the initial network domain name resolution, or if the network port number corresponding to the host is the same as the initial network port number, the network port is judged to be normally usable; if the network domain name resolution corresponding to the host is not the same as the initial network domain name resolution, or if the network port number corresponding to the host is not the same as the initial network port number, the network port is judged to have fallen.
Preferably, the operation evaluation coefficients of the corresponding software in each host are analyzed as follows:
the flow evaluation coefficient of each software on each host is calculated from the network data flow and the data packet bytes of each software on each host and recorded, with i denoting the number of each host and j denoting the number of each software;
the data evaluation coefficient of each software on each host is calculated from the number of data requests and the data transmission interval time of each software on each host and recorded;
the data response coefficient of each software on each host is calculated from the bytes of request data and the bytes of response data of each software on each host and recorded;
the operation evaluation coefficient of each software on each host is then calculated from a calculation formula [formula not reproduced] in which the weight factors are those set for the flow evaluation coefficient, the data evaluation coefficient and the data response coefficient, the remaining symbols denote the flow evaluation coefficient, the data evaluation coefficient and the data response coefficient, and e represents the natural constant.
Preferably, the flow evaluation coefficient of each software on each host is calculated as follows:
the flow evaluation coefficient of each software on each host is obtained from a calculation formula [formula not reproduced] in which the weight factors are those preset for the network data flow and the data packet bytes, the measured quantities are the network data flow and the data packet bytes of the jth software on the ith host, and the reference quantities are the preset network data flow and the preset data packet bytes.
Preferably, the data evaluation coefficient of each software on each host is calculated as follows:
the data evaluation coefficient of each software on each host is obtained from a calculation formula [formula not reproduced] in which the weight factors are those preset for the number of data requests and the data transmission interval time, the measured quantities are the number of data requests and the data transmission interval time of the jth software on the ith host, and the reference quantities are the preset number of data requests and the preset data transmission interval time.
Preferably, the data response coefficient of each software on each host is calculated as follows:
the data response coefficient of each software on each host is obtained from a calculation formula [formula not reproduced] in which the weight factors are those preset for the bytes of request data and the bytes of response data, the measured quantities are the bytes of request data and the bytes of response data of the jth software on the ith host, and the reference quantities are the preset bytes of request data and the preset bytes of response data.
Preferably, the abnormality evaluation coefficient of each software on each host is analyzed and the depth of network paralysis is judged as follows:
the abnormality evaluation coefficient of each software on each host is obtained from a calculation formula [formula not reproduced] in which the weight factors are those preset for the number of times junk mail is sent, the number of large data stores and the network bytes, the measured quantities are the number of times the jth software on the ith host sends junk mail, its number of large data stores and its network bytes, and the reference quantities are the preset number of times junk mail is sent, the preset number of large data stores and the preset network bytes;
the abnormality evaluation coefficient of each software on each host is then compared with the preset abnormality evaluation coefficient threshold value of that software on that host: if the coefficient of a certain software on a certain host is larger than its preset threshold value, the network is judged to be paralyzed; if it is smaller than its preset threshold value, the network is judged to be normal.
The present invention provides in a second aspect a botnet detection system comprising: host behavior analysis module: used for monitoring and analyzing the behavior of the current host, obtaining the data transmission speed and the network rate of the current host, analyzing the host influence evaluation coefficient, judging the progress speed of the host process, and proceeding to the second step if the host process is slow;
the host process operation monitoring module: if the host process is slow, acquiring the downloading rate and the host space of the host data, further analyzing the host resource occupation evaluation coefficient, judging the transmissible condition of a host port, and if the port of the host cannot transmit, performing the step three;
port analysis judging module: if the port of the host cannot transmit, acquiring port information corresponding to the host, including domain name resolution of each network and port number of each network, judging normal use condition of the port of the host, and if the port of the host falls down, performing step four;
host software information acquisition module: used for obtaining the basic information of each piece of software corresponding to each host, where the basic information of each piece of software comprises network data flow, data packet bytes, data request times, data transmission interval time, bytes of request data and bytes of response data;
host software information analysis module: the system is used for analyzing the operation evaluation coefficients of the corresponding software in each host according to the basic information of the corresponding software in each host;
host software detection module: the system is used for monitoring the software in each host, analyzing and obtaining the abnormal evaluation coefficient of the software in each host by acquiring the times of sending junk mails, the number of large data storage and network bytes by each software in each host, and judging the depth of network paralysis;
abnormality warning prompt: and early warning and prompting are carried out on the abnormality of each software in each host.
Compared with the prior art, the invention has the following beneficial effects. The botnet detection method and system provided by the invention learn the behavior and operating condition of a host in order to better analyze the normal use condition of the host port, and then analyze and detect each piece of software on the host, so that a network paralysis condition can be judged more reliably, normal operation of the host is better ensured, and intrusion of the host by a botnet can be prevented. This overcomes the defects of the prior art, reduces data loss, improves network transaction efficiency, protects personal privacy information to a certain extent, and better safeguards the security interests of the user.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of the steps of the method of the present invention.
FIG. 2 is a schematic diagram showing the connection of the system modules according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, the present invention provides a botnet detection method, which includes: step one, analyzing the behavior of a host computer: the current host data transmission speed and the network rate are obtained through monitoring and analyzing the current host behavior, so that the host influence evaluation coefficient is analyzed, the progress speed of a host process is judged, and the second step is executed if the host process is slow;
as an optional implementation manner, the host influence evaluation coefficient is analyzed and the progress speed of the host process is judged as follows:
the host influence evaluation coefficient is obtained from a calculation formula [formula not reproduced] in which the weight factors are those set for the host data transmission speed and the network rate, the measured quantities are the host data transmission speed and the network rate, and the reference quantities are the set host data transmission speed and the set network rate;
the host influence evaluation coefficient is then compared with the set host influence evaluation coefficient threshold value: if the coefficient is larger than the threshold value, the host process is judged to be slow; if it is smaller than the threshold value, the host process is judged to be normal.
Step two, monitoring the operation of the host process: if the host process is slow, acquiring the downloading rate and the host space of the host data, further analyzing the host resource occupation evaluation coefficient, judging the transmissible condition of a host port, and if the port of the host cannot transmit, performing the step three;
as an optional implementation manner, the host resource occupation evaluation coefficient is analyzed and the transmissible condition of the host port is judged as follows:
the host resource occupation evaluation coefficient is obtained from a calculation formula [formula not reproduced] in which the weight factors are those set for the download rate of host data and the host space, the reference quantities are the set download rate of host data and the set host space, and the measured quantities are the download rate of host data and the host space;
the host resource occupation evaluation coefficient is then compared with the set host resource occupation evaluation coefficient threshold value: if the coefficient is larger than the threshold value, host resource occupation is judged to be too large; if it is smaller than the threshold value, host resource occupation is judged to be normal.
Step three, port analysis and judgment: if the port of the host cannot transmit, acquiring port information corresponding to the host, including domain name resolution of each network and port number of each network, judging normal use condition of the port of the host, and if the port of the host falls down, performing step four;
as an optional implementation manner, the normal use condition of the host port is judged as follows:
it should be noted that the initial network domain name resolution and the initial network port number corresponding to the host are read from the background of the host.
The network domain name resolution corresponding to the host is compared with the initial network domain name resolution corresponding to the host, and at the same time each network port number corresponding to the host is compared with the initial network port number corresponding to the host. If the network domain name resolution corresponding to the host is the same as the initial network domain name resolution, or if the network port number corresponding to the host is the same as the initial network port number, the network port is judged to be normally usable; if the network domain name resolution corresponding to the host is not the same as the initial network domain name resolution, or if the network port number corresponding to the host is not the same as the initial network port number, the network port is judged to have fallen.
Step four, host software information acquisition: the method comprises the steps of obtaining basic information of corresponding software in each host, wherein the basic information of each software comprises network data flow, data packet bytes, data request times, data transmission interval time, bytes of request data and bytes of response data;
the basic information of each software is obtained from the background of the host computer.
Step five, analyzing information of the host software: analyzing the operation evaluation coefficients of the corresponding software in each host according to the basic information of the corresponding software in each host;
as an optional implementation manner, the operation evaluation coefficients of the corresponding software in each host are analyzed as follows:
the flow evaluation coefficient of each software on each host is calculated from the network data flow and the data packet bytes of each software on each host and recorded, with i denoting the number of each host and j denoting the number of each software;
the data evaluation coefficient of each software on each host is calculated from the number of data requests and the data transmission interval time of each software on each host and recorded;
the data response coefficient of each software on each host is calculated from the bytes of request data and the bytes of response data of each software on each host and recorded;
the operation evaluation coefficient of each software on each host is then calculated from a calculation formula [formula not reproduced] in which the weight factors are those set for the flow evaluation coefficient, the data evaluation coefficient and the data response coefficient, the remaining symbols denote the flow evaluation coefficient, the data evaluation coefficient and the data response coefficient, and e represents the natural constant.
As an optional implementation manner, the flow evaluation coefficient of each software on each host is calculated as follows:
the flow evaluation coefficient of each software on each host is obtained from a calculation formula [formula not reproduced] in which the weight factors are those preset for the network data flow and the data packet bytes, the measured quantities are the network data flow and the data packet bytes of the jth software on the ith host, and the reference quantities are the preset network data flow and the preset data packet bytes.
As an optional implementation manner, the data evaluation coefficient of each software on each host is calculated as follows:
the data evaluation coefficient of each software on each host is obtained from a calculation formula [formula not reproduced] in which the weight factors are those preset for the number of data requests and the data transmission interval time, the measured quantities are the number of data requests and the data transmission interval time of the jth software on the ith host, and the reference quantities are the preset number of data requests and the preset data transmission interval time.
As an optional implementation manner, the data response coefficient of each software on each host is calculated as follows:
the data response coefficient of each software on each host is obtained from a calculation formula [formula not reproduced] in which the weight factors are those preset for the bytes of request data and the bytes of response data, the measured quantities are the bytes of request data and the bytes of response data of the jth software on the ith host, and the reference quantities are the preset bytes of request data and the preset bytes of response data.
Step six, detecting by the host software: monitoring software in each host, acquiring the times of sending junk mails, the number of large data storage and network bytes by each software in each host, analyzing and obtaining an abnormal evaluation coefficient of the software in each host, and judging the depth of network paralysis;
the data packets in the host are compared in turn, and the data with the highest rank is called large data.
As an optional implementation manner, the abnormality evaluation coefficient of each software on each host is analyzed and the depth of network paralysis is judged as follows:
the abnormality evaluation coefficient of each software on each host is obtained from a calculation formula [formula not reproduced] in which the weight factors are those preset for the number of times junk mail is sent, the number of large data stores and the network bytes, the measured quantities are the number of times the jth software on the ith host sends junk mail, its number of large data stores and its network bytes, and the reference quantities are the preset number of times junk mail is sent, the preset number of large data stores and the preset network bytes;
the abnormality evaluation coefficient of each software on each host is then compared with the preset abnormality evaluation coefficient threshold value of that software on that host: if the coefficient of a certain software on a certain host is larger than its preset threshold value, the network is judged to be paralyzed; if it is smaller than its preset threshold value, the network is judged to be normal.
Step seven, abnormal warning prompt: and early warning and prompting are carried out on the abnormality of each software in each host.
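The seven-step pipeline above as a runnable Python sketch, added here as an example and not the patent's own code. Because the patent's formulas appear only as images, the coefficient shape (a weighted sum of relative deviations from preset values, with exp() in the operation coefficient because the text says e appears there), the single per-stage thresholds and all telemetry values are assumptions constructed for the example.

```python
"""Staged botnet-detection pipeline following the seven steps described above.

Added example, not the patent's own code. The patent gives its formulas only as
images, so the coefficient shape used here is an ASSUMPTION: a weighted sum of
the relative deviations of measured values from their preset reference values;
the per-software operation coefficient uses exp() only because the text says the
natural constant e appears in that formula. All telemetry is constructed.
"""
from math import exp


def weighted_deviation(measured, reference, weights):
    """ASSUMED coefficient shape: sum_k w_k * |x_k - ref_k| / ref_k."""
    return sum(w * abs(x - r) / r for x, r, w in zip(measured, reference, weights))


def host_influence(host, base):
    """Step one: host influence coefficient from transmission speed and network rate."""
    return weighted_deviation((host["tx_speed"], host["net_rate"]),
                              (base["tx_speed"], base["net_rate"]), base["w_influence"])


def resource_occupation(host, base):
    """Step two: resource occupation coefficient from download rate and host space."""
    return weighted_deviation((host["download_rate"], host["host_space"]),
                              (base["download_rate"], base["host_space"]), base["w_resource"])


def fallen_ports(host, base):
    """Step three: a port is 'fallen' when its current domain resolution or port
    number differs from the initial value recorded from the host background."""
    fallen = [d for d, ip in host["dns"].items() if base["dns"].get(d) != ip]
    fallen += [s for s, p in host["ports"].items() if base["ports"].get(s) != p]
    return fallen


def operation_coefficient(sw, base):
    """Steps four and five: flow, data and response coefficients of one piece of
    software, combined into its operation coefficient (the exp() form is assumed)."""
    flow = weighted_deviation((sw["flow"], sw["pkt_bytes"]),
                              (base["flow"], base["pkt_bytes"]), base["w_flow"])
    data = weighted_deviation((sw["requests"], sw["interval"]),
                              (base["requests"], base["interval"]), base["w_data"])
    resp = weighted_deviation((sw["req_bytes"], sw["resp_bytes"]),
                              (base["req_bytes"], base["resp_bytes"]), base["w_resp"])
    w1, w2, w3 = base["w_operation"]
    return 1.0 - exp(-(w1 * flow + w2 * data + w3 * resp))


def abnormality_coefficient(sw, base):
    """Step six: abnormality coefficient from junk mails sent, 'large data' stores
    and network bytes, measured against their preset values."""
    return weighted_deviation((sw["spam_sent"], sw["large_stores"], sw["net_bytes"]),
                              (base["spam_sent"], base["large_stores"], base["net_bytes"]),
                              base["w_abnormal"])


def detect(host, base):
    """Run the staged pipeline; return step-seven warnings as (software, op, ab)."""
    if host_influence(host, base) <= base["t_influence"]:
        return []                      # host process normal: stop after step one
    if resource_occupation(host, base) <= base["t_resource"]:
        return []                      # host resources normal: port can transmit
    if not fallen_ports(host, base):
        return []                      # ports usable: no per-software inspection
    warnings = []
    for name, sw in host["software"].items():
        op = operation_coefficient(sw, base)
        ab = abnormality_coefficient(sw, base)
        if ab > base["t_abnormal"]:    # network judged paralyzed for this software
            warnings.append((name, round(op, 3), round(ab, 3)))
    return warnings


BASELINE = {  # constructed "set"/"initial"/"preset" values, weights and thresholds
    "tx_speed": 100.0, "net_rate": 50.0, "w_influence": (0.6, 0.4), "t_influence": 0.3,
    "download_rate": 20.0, "host_space": 500.0, "w_resource": (0.5, 0.5), "t_resource": 0.3,
    "dns": {"update.example": "203.0.113.10"}, "ports": {"web": 443, "mail": 25},
    "flow": 10.0, "pkt_bytes": 1200.0, "w_flow": (0.5, 0.5),
    "requests": 100.0, "interval": 2.0, "w_data": (0.5, 0.5),
    "req_bytes": 400.0, "resp_bytes": 4000.0, "w_resp": (0.5, 0.5),
    "w_operation": (0.4, 0.3, 0.3),
    "spam_sent": 2.0, "large_stores": 1.0, "net_bytes": 1.0e6,
    "w_abnormal": (0.5, 0.2, 0.3), "t_abnormal": 2.0,
}

INFECTED_HOST = {  # constructed telemetry of a host showing the described symptoms
    "tx_speed": 40.0, "net_rate": 20.0,          # slow host process
    "download_rate": 5.0, "host_space": 100.0,   # heavy resource occupation
    "dns": {"update.example": "198.51.100.7"},   # resolution changed: port fallen
    "ports": {"web": 443, "mail": 25},
    "software": {
        "mailer": {"flow": 80.0, "pkt_bytes": 1300.0, "requests": 900.0, "interval": 0.2,
                   "req_bytes": 500.0, "resp_bytes": 4100.0,
                   "spam_sent": 40.0, "large_stores": 1.0, "net_bytes": 1.2e6},
        "editor": {"flow": 9.0, "pkt_bytes": 1100.0, "requests": 90.0, "interval": 2.2,
                   "req_bytes": 380.0, "resp_bytes": 3900.0,
                   "spam_sent": 2.0, "large_stores": 1.0, "net_bytes": 0.9e6},
    },
}

if __name__ == "__main__":
    for name, op, ab in detect(INFECTED_HOST, BASELINE):
        print(f"warning: {name} operation={op} abnormality={ab}")
```

Only the "mailer" entry crosses the abnormality threshold; the "editor" entry, whose metrics sit near the preset values, produces no warning even though the host-level stages escalated.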
Referring to fig. 2, the botnet detection system includes a host behavior analysis module, a host process operation monitoring module, a port analysis and judgment module, a host software information acquisition module, a host software information analysis module, a host software detection module, and an anomaly warning prompt.
The host behavior analysis module is respectively connected with the host process operation monitoring module and the port analysis judging module, the port analysis judging module is respectively connected with the host software information acquisition module and the host software information analysis module, and the host software information analysis module is respectively connected with the host software detection module and the abnormal warning prompt.
Host behavior analysis module: used for monitoring and analyzing the behavior of the current host, obtaining the data transmission speed and the network rate of the current host, analyzing the host influence evaluation coefficient, judging the progress speed of the host process, and proceeding to the second step if the host process is slow;
the host process operation monitoring module: if the host process is slow, acquiring the downloading rate and the host space of the host data, further analyzing the host resource occupation evaluation coefficient, judging the transmissible condition of a host port, and if the port of the host cannot transmit, performing the step three;
port analysis judging module: if the port of the host cannot transmit, acquiring port information corresponding to the host, including domain name resolution of each network and port number of each network, judging normal use condition of the port of the host, and if the port of the host falls down, performing step four;
host software information acquisition module: the method comprises the steps of obtaining basic information of each piece of software corresponding to each host, wherein the basic information of each piece of software comprises network data flow, data packet bytes, data request times, data transmission interval time, bytes of request data and bytes of response data;
host software information analysis module: the system is used for analyzing the operation evaluation coefficients of the corresponding software in each host according to the basic information of the corresponding software in each host;
host software detection module: the system is used for monitoring the software in each host, analyzing and obtaining the abnormal evaluation coefficient of the software in each host by acquiring the times of sending junk mails, the number of large data storage and network bytes by each software in each host, and judging the depth of network paralysis;
abnormality warning prompt: and early warning and prompting are carried out on the abnormality of each software in each host.
The invention provides a botnet detection method and a botnet detection system, which are used for better analyzing the normal use condition of a host port by knowing the behavior and the operation condition of a host, further analyzing and detecting each software in the host, so that the network paralysis condition can be better judged, the normal operation of the host can be better ensured, the invasion of the host by the botnet can be prevented, the defects existing in the prior art are overcome, certain data loss is reduced, the network transaction efficiency is improved, privacy information of a person is ensured to a certain extent, and the security benefit of the user is better protected.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (10)

1. The botnet detection method is characterized by comprising the following steps:
step one, analyzing the behavior of the host: the data transmission speed and network rate of the current host are obtained by monitoring and analyzing the current host behavior, the host influence evaluation coefficient is analyzed from them, and the progress speed of the host process is judged; if the host process is slow, step two is executed;
step two, monitoring the operation of the host process: if the host process is slow, the download rate and host space of the host data are acquired, the host resource occupation evaluation coefficient is analyzed from them, and whether the host port can transmit is judged; if the host port cannot transmit, step three is performed;
step three, port analysis and judgment: if the host port cannot transmit, the port information corresponding to the host is acquired, including the domain name resolution and port number of each network, and whether the host port is in normal use is judged; if the host port has fallen, step four is performed;
step four, host software information acquisition: the basic information of each software in each host is obtained, where the basic information of each software includes network data flow, data packet bytes, number of data requests, data transmission interval time, bytes of request data, and bytes of response data;
step five, analyzing information of the host software: the operation evaluation coefficient of each software in each host is analyzed from the basic information of that software;
step six, detecting by the host software: the software in each host is monitored, the number of times each software in each host sends junk mail, its number of large data stores and its network bytes are acquired, the abnormal evaluation coefficient of the software in each host is analyzed from these, and the depth of network paralysis is judged;
step seven, abnormal warning prompt: an early warning and prompt is issued for the abnormality of each software in each host.
2. The botnet detection method as claimed in claim 1, wherein the analyzing the host impact evaluation coefficient and determining the progress of the host process includes the following steps:
the host influence evaluation coefficient is obtained by analysis with the calculation formula, in which the symbols denote respectively the weight factors set for the host data transmission speed and the network rate, the host data transmission speed and network rate, and the set host data transmission speed and network rate;
the host influence evaluation coefficient is compared with the set host influence evaluation coefficient threshold: if it is larger than the set threshold, the host process is judged to be slow, and if it is smaller than the set threshold, the host process is judged to be normal.
3. The botnet detection method as claimed in claim 1, wherein the analyzing the host resource occupation evaluation coefficient and judging the transmissible condition of the host port includes the following steps:
the host resource occupation evaluation coefficient is obtained by analysis with the calculation formula, in which the symbols denote respectively the weight factors set for the download rate of host data and the host space, the set download rate of host data and host space, and the download rate of host data and the host space;
the host resource occupation evaluation coefficient is compared with the set host resource occupation evaluation coefficient threshold: if it is larger than the set threshold, the host resource occupation is judged to be too large, and if it is smaller than the set threshold, the host resource occupation is judged to be normal.
4. The botnet detection method as claimed in claim 1, wherein the specific judgment process is as follows:
the network domain name resolution corresponding to the host is compared with the initial network domain name resolution corresponding to the host, and at the same time each network port number corresponding to the host is compared with the initial network port number corresponding to the host; if the network domain name resolution corresponding to the host is the same as the initial one, or if the network port number corresponding to the host is the same as the initial one, the network port is judged to be usable normally; if the network domain name resolution corresponding to the host is not the same as the initial one, or if the network port number corresponding to the host is not the same as the initial one, the network port is judged to have fallen.
5. The botnet detection method as claimed in claim 1, wherein the analysis of the operation evaluation coefficients of the corresponding software in each host machine includes the following specific analysis processes:
the flow evaluation coefficient of each software in each host is calculated from the network data flow and data packet bytes of that software and recorded, with i indicating the number of each host and j indicating the number of each software;
the data evaluation coefficient of each software in each host is calculated from the number of data requests and the data transmission interval time of that software and recorded;
the data response coefficient of each software in each host is calculated from the bytes of request data and the bytes of response data of that software and recorded;
the operation evaluation coefficient of each software in each host is calculated by the calculation formula, in which the symbols denote respectively the set weight factors of the flow evaluation coefficient, data evaluation coefficient and data response coefficient, the set flow evaluation coefficient, data evaluation coefficient and data response coefficient, and e denotes the natural constant.
6. The botnet detection method as claimed in claim 5, wherein the calculating obtains each software flow evaluation coefficient corresponding to each host, and the specific calculating process is as follows:
the flow evaluation coefficient of each software in each host is calculated by the calculation formula, in which the symbols denote respectively the weight factors of the preset network data flow and data packet bytes, the network data flow and data packet bytes of the jth software in the ith host, and the preset network data flow and data packet bytes.
7. The botnet detection method as claimed in claim 5, wherein the calculating obtains each software data evaluation coefficient corresponding to each host, and the specific calculating process is as follows:
the data evaluation coefficient of each software in each host is calculated by the calculation formula, in which the symbols denote respectively the weight factors of the preset number of data requests and data transmission interval time, the number of data requests and data transmission interval time of the jth software in the ith host, and the preset number of data requests and data transmission interval time.
8. The botnet detection method as set forth in claim 5, wherein the calculating obtains each software data response coefficient corresponding to each host, and the specific calculating process is as follows:
the data response coefficient of each software in each host is calculated by the calculation formula, in which the symbols denote respectively the weight factors of the preset bytes of request data and bytes of response data, the size of the request data and response data of the jth software in the ith host, and the bytes of request data and bytes of response data.
9. The botnet detection method as claimed in claim 5, wherein the analysis further obtains abnormal evaluation coefficients of each software in each host, and judges the depth of network paralysis, and the specific analysis process is as follows:
the abnormal evaluation coefficient of each software in each host is obtained by analysis with the calculation formula, in which the symbols denote respectively the weight factors of the preset number of times junk mail is sent, number of large data stores and network bytes, the number of times the jth software in the ith host sends junk mail, its number of large data stores and its network bytes, and the preset number of times junk mail is sent, number of large data stores and network bytes;
the abnormal evaluation coefficient of each software in each host is compared with the preset abnormal evaluation coefficient threshold of that software in that host: if the coefficient of some software in some host is larger than its preset threshold, the network is judged to be paralyzed, and if it is smaller, the network is judged to be normal.
10. A botnet detection system, comprising:
host behavior analysis module: monitors and analyzes the behavior of the current host, obtains its data transmission speed and network rate, analyzes the host influence evaluation coefficient from them, and judges the progress speed of the host process; if the host process is slow, step two is executed;
host process operation monitoring module: if the host process is slow, acquires the download rate and host space of the host data, analyzes the host resource occupation evaluation coefficient from them, and judges whether the host port can transmit; if the host port cannot transmit, step three is performed;
port analysis judging module: if the host port cannot transmit, acquires the port information corresponding to the host, including the domain name resolution and port number of each network, and judges whether the host port is in normal use; if the host port has fallen, step four is performed;
host software information acquisition module: obtains the basic information of each software corresponding to each host, where the basic information of each software includes network data flow, data packet bytes, number of data requests, data transmission interval time, bytes of request data, and bytes of response data;
host software information analysis module: analyzes the operation evaluation coefficient of each software in each host from the basic information of that software;
host software detection module: monitors the software in each host, acquires the number of times each software in each host sends junk mail, its number of large data stores and its network bytes, analyzes the abnormal evaluation coefficient of the software in each host from these, and judges the depth of network paralysis;
abnormality warning prompt: issues an early warning and prompt for the abnormality of each software in each host.
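As an added illustration that is not code from the patent, the gated flow of steps one to seven, with the judgment rules of claims 4 and 9, in Python. The patent's formulas appear only as figures that this page does not reproduce, so `deviation_coefficient` is an assumed weighted-relative-deviation stand-in, and every configuration value, hostname, address and metric below is constructed.

```python
def deviation_coefficient(measured, preset, weights):
    """ASSUMED stand-in for the patent's image-only formulas: the sum over the named
    metrics of weight * |measured - preset| / preset (preset values must be non-zero)."""
    return sum(weights[k] * abs(measured[k] - preset[k]) / preset[k] for k in preset)

def host_process_slow(metrics, cfg):
    """Step one / claim 2: host influence coefficient above the set threshold."""
    c = deviation_coefficient(metrics, cfg["host_preset"], cfg["host_weights"])
    return c > cfg["host_threshold"]

def host_port_blocked(metrics, cfg):
    """Step two / claim 3: resource occupation coefficient above the set threshold,
    which the patent treats as the host port being unable to transmit."""
    c = deviation_coefficient(metrics, cfg["res_preset"], cfg["res_weights"])
    return c > cfg["res_threshold"]

def port_fallen(current, initial):
    """Step three / claim 4: each network's domain resolution and port number are
    compared with the initial values; any mismatch (or missing network) means fallen."""
    for net, init in initial.items():
        cur = current.get(net)
        if cur is None or cur["resolved"] != init["resolved"] or cur["port"] != init["port"]:
            return True
    return False

def software_abnormal(sw_metrics, cfg):
    """Step six / claim 9: abnormal coefficient from junk-mail sends, large data
    stores and network bytes, compared with the preset threshold."""
    c = deviation_coefficient(sw_metrics, cfg["sw_preset"], cfg["sw_weights"])
    return c > cfg["sw_threshold"]

def screen_host(host, cfg):
    """Gated flow of steps one to six: each later step runs only if the earlier one
    flagged. Returns the last stage reached and the software step seven would warn on."""
    if not host_process_slow(host["host"], cfg):
        return {"stage": 1, "paralyzed": False, "abnormal_software": []}
    if not host_port_blocked(host["resource"], cfg):
        return {"stage": 2, "paralyzed": False, "abnormal_software": []}
    if not port_fallen(host["networks"], host["initial_networks"]):
        return {"stage": 3, "paralyzed": False, "abnormal_software": []}
    bad = [name for name, m in host["software"].items() if software_abnormal(m, cfg)]
    return {"stage": 6, "paralyzed": bool(bad), "abnormal_software": bad}

# Constructed sample configuration and one suspicious host; every value is invented.
CONFIG = {
    "host_preset": {"tx_speed": 100.0, "net_rate": 100.0},
    "host_weights": {"tx_speed": 0.5, "net_rate": 0.5}, "host_threshold": 0.4,
    "res_preset": {"download_rate": 50.0, "host_space": 200.0},
    "res_weights": {"download_rate": 0.5, "host_space": 0.5}, "res_threshold": 0.4,
    "sw_preset": {"junk_mail": 1.0, "large_stores": 2.0, "net_bytes": 1e6},
    "sw_weights": {"junk_mail": 0.5, "large_stores": 0.2, "net_bytes": 0.3},
    "sw_threshold": 1.0,
}
SAMPLE_HOST = {
    "host": {"tx_speed": 30.0, "net_rate": 40.0},
    "resource": {"download_rate": 10.0, "host_space": 40.0},
    "initial_networks": {"update.example": {"resolved": "192.0.2.10", "port": 443}},
    "networks": {"update.example": {"resolved": "198.51.100.7", "port": 443}},
    "software": {
        "mailer": {"junk_mail": 40.0, "large_stores": 2.0, "net_bytes": 5e6},
        "editor": {"junk_mail": 0.0, "large_stores": 1.0, "net_bytes": 2e5},
    },
}
```

Running `screen_host(SAMPLE_HOST, CONFIG)` walks all gates for the sample host and flags only `mailer`; a host whose measurements sit near the presets stops at stage 1 and is never inspected further.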
Application CN202310908167.7A, priority date 2023-07-24, filing date 2023-07-24: Botnet detection method and system. Status: Active; granted as CN116886380B (en).


Publications (2)

Publication Number Publication Date
CN116886380A true CN116886380A (en) 2023-10-13
CN116886380B CN116886380B (en) 2024-02-13





Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant