KR101045556B1 - Method for detecting irc botnet based on network - Google Patents

Abstract

The present invention relates to a network-based IRC botnet detection method, comprising: a traffic classification module for collecting traffic having a centralized connection characteristic including domain-based traffic and IP / Port-based traffic, and determining whether the collected traffic is a botnet ( TC), a botnet configuration analysis module (BOA) for performing configuration analysis of traffic collected by the traffic classification module (TC) and classified as a botnet, and a traffic classification module (TC) of traffic collected by the traffic classification module (TC). In a botnet detection system including a botnet behavior analysis module (BBA) for performing behavior analysis, a first step of collecting traffic having the centralized connection characteristics collected by a plurality of traffic information collection sensors and the collected traffic In case of IP / Port based traffic, the traffic is compared with existing detected botnet information and the traffic And a second step of botnet matching.

Botnets; Malware; Group behavior; Traffic collection; IRC botnet

Description

Network based IRC botnet detection method {METHOD FOR DETECTING IRC BOTNET BASED ON NETWORK}

The present invention relates to a botnet detection method, and more particularly, to a method for detecting a network-based IRC botnet.

Numerous threats are emerging in cyberspace. Threats on the Internet are interspersed by stealing or collecting third-party personal information, exploiting it indecently, disseminating advertising mail, distributing advertising money, and disabling competitors' information devices. Amidst such cyber damage, a new threat is dominating the Internet, a botnet. Recently, Arbor Networks has selected botnets and distributed denial of service attacks as the most serious network threats.

BotNet is a network in which many computers infected by malicious software bots are connected by a network. In other words, botnets are networked by computers infected by bots, which are remotely controlled by a botmaster who has the authority to control bots and can perform various malicious activities. This is called.

Botnets have evolved into Forbot, PBot, Toxbot, Machbot, PHP Bot, Storm Bot, etc. in the last 10 years since it first came out as EggDrop in 1993. (5,000 new malwares appear every day, TechNewsWorld, 2007). In particular, C & C servers (command & control, servers for commanding and controlling bot zombies) and malicious bots are widely distributed and concentrated in specific regions. This is because in a well-equipped environment with high-speed Internet, even a single tenth of PCs can use a more powerful DDoS-like attack. In particular, a domestic area with a high-speed Internet infrastructure is preferred as a botnet infection area. In addition, the number of PCs infected with bots and turned into zombie PCs continues to grow, and the size of botnets is growing. Vint Cerf, co-founder of the TCP / IP protocol, estimates that between 11 and 150 million computers, about 11 percent of the world's computers, will be infected with bot malware and will be used to carry out attacks. It is known to be connected to 230,000 zombies by botnet.

The botnet attack is becoming more serious because of its criminalization. As in the case of the item trader's service failure and cash demand intimidation accidents in 2007, the company frequently threatened the service provider to extort money and extort money, collect personal / financial information, and send spam. It is happening.

Bots have various characteristics of various malicious codes such as worms / viruses, backdoors, spyware, and rootkits, and most cyber attacks such as DDoS, Ad-ware, Spyware, spam sending, and illegal information collection are possible through botnet.

Early botnets were mostly IRC botnets, which used the characteristics of IRC, which were flexible and widely used. However, in order to make detection and response more difficult, it is based on the web protocol HTTP or distributed command / control system where all zombies can become C & C by moving away from the centralized command / control system (IRC, HTTP botnet) called C & C. It is evolving into a control botnet (P2P botnet).

Furthermore, it is evolving into a hybrid form that uses two or more protocols for command / control. Recently introduced MayDay worms use two protocols, such as Hypertext Transfer Protocol (HTTP) and Internet Control Message Protocol (ICMP), or multiple centralized point (C & C servers). The centralized point is evolving into a hybrid form that is connected in a P2P fashion.

Along with the evolution of command / control methods, malware also evolves rapidly, making detection / response very difficult. Packing / compression / encryption technology, VM (Virtual Machine) / debugger / sandbox detection bypass technology, RootKit technology to hide malicious codes make it very difficult to detect and analyze bots. In a way that exploits vulnerabilities, it is being diversified by various means such as web, email and messenger.

These botnet response technologies are divided into host-based detection and analysis based on the application and behavior of malicious bot programs on the PC, and network-based detection and analysis based on network traffic from bot zombies and C & C. Depending on the technical characteristics, it can be divided into signature-based and behavior-based.

Recently, as the seriousness of botnets has been highlighted, research has been activated internationally, but the response to the evolving botnets is still insufficient.

The present invention has been made to solve the above problems, and an object of the present invention is to provide a network-based IRC botnet detection method that can effectively detect a network-based IRC botnet.

In order to achieve the above object, the network-based IRC botnet detection method according to the present invention, the communication session by separating the IP and the port between the domain-based traffic and the communication subjects traffic that the user communicates with the outside to analyze the domain A traffic classification module (TC) for collecting traffic having a centralized connection characteristic in which traffic including IP / Port based traffic, which is distinguishable traffic, is concentrated at one destination, and determining whether the collected traffic is a botnet; A botnet configuration analysis module (BOA) and a botnet collected by the traffic classification module (TC) to perform a configuration analysis of traffic analyzed by the C & C server and zombies from traffic classified by the traffic classification module (TC) and classified into botnets. Botnets include the expansion of botnets and the downloading of eggs, which are actions that increase the number of infections and increase their size in traffic classified as In a botnet detection system including a botnet behavior analysis module (BBA) that performs behavior analysis of traffic that analyzes the behavior of a botnet, the method comprising the steps of: detecting the IRC botnet; The first step of collecting traffic having intensive access characteristics and when the collected traffic is IP / Port-based traffic, the traffic is compared with previously detected botnet information and the detected traffic includes C & C server information and a zombie list. And a second step of matching the botnet to any one of the existing botnets included in the botnet information and the new botnets not included in the previously detected botnet information.

Advantageously, the second step further comprises: if the centralized server of the traffic is different from the C & C server information of the botnet information and the accessing client IP list of the traffic is different from the zombie list of the botnet information, the traffic is sent to the new botnet message queue. In step 2-1, when the centralized server of the traffic matches the C & C server information of the botnet information and the access client IP list of the traffic is different from the zombie list of the botnet information, expand the traffic to the botnet. In step 2-2, a separate flag is assigned and stored in an existing botnet message queue, the centralized server of the traffic matches the C & C server information of the botnet information, and the access client IP list of the traffic is the botnet information. Similar to the zombie list, the C & C server reconnects to the traffic and downloads the rows. Steps 2-3 are given to separate flags and stored in the existing botnet message queue, and the centralized server of the traffic is different from the C & C server information of the botnet information, the access client IP list of the traffic is the botnet If the information is similar to the zombie list, the traffic may be classified into main botnet behaviors including C & C server migration, and a second flag may be stored in the existing botnet message queue by assigning a separate flag.

More preferably, the method may further include a third step of checking whether or not VDNS (Virtual DNS) is performed on domain-based traffic among the traffic collected by the traffic collection management module. In addition, before the second step, in step 1-1 for additionally enumerating zombie IP lists introduced on the basis of the same C & C for a predetermined waiting time for the collected traffic, the zombie IPs listed after the set waiting time has elapsed. If the number of the list exceeds the threshold value, if the number of the zombie IP list does not reach the threshold after the first and second steps and the set waiting time after determining the collected traffic as the traffic of the botnet, sharing of the control system The method may further include a first to third step of determining whether or not the botnet traffic is matched with the C & C server blacklist updated by the information. The first and third steps may include "access Dst IP / Port" and "C & C". Step 1-4 of matching server IP / Port ”and steps 1-5 of matching“ response IP for request domain ”and“ DNS sinkhole IP ”.

More preferably, after the second step, a fourth step of receiving the collected traffic information (Domain, Dst_IP / Port) and temporarily storing it in a temporary configuration log, periodically from the temporary configuration log to the traffic information necessary for analysis Read the similarity analysis by domain and Dst_IP / Port, and receive the botnet traffic detected in the 5th and 5th steps of transmitting the traffic detected by the botnet activity, extract and store the C & C, and then send the analyzed traffic The zombie list accessing the IRC channel detected as the botnet is received by receiving the botnet traffic transmitted in the sixth and sixth steps, and stored in the analysis result log. The eighth step of synthesizing the results and sending them to the log manager is included.

In this case, the fifth step is to read the domain information from the temporary configuration log periodically to record the source IPs requested for each domain in the matrix, and to measure the domain similarity by analyzing the matrix after a set time has elapsed. A fifth step of generating a zombie IP list, and a fifth step of periodically reading the Dst_IP / Port information from the temporary configuration log and recording the source IPs which transmitted packets matching the respective IP / Port combinations in a matrix; And a fifth step of analyzing the matrix to measure Dst_IP / Port similarity and generating a zombie IP list after the set time has elapsed.

On the other hand, if the traffic information collected in the first step is Domain-based traffic, the transmission data format includes a Time field, which is the occurrence time of the traffic, in the header, and in the C & C server field of the botnet, C & C, which is the DNS query domain name of the C & C server. Includes the Domain field and the C & C IP field, which is the response IP for DNS queries from the C & C server, and includes the Count field, which is the total number of zombies found in the botnet's zombie list field, and the time interval from the first zombie occurrence to the last zombie occurrence. A zombie IP list, which is a window field and an IP list of all connected zombies, is included. The value of the C & C server field is collected from the communication traffic with the DNS server and the port number is 53.

In addition, if the traffic collected in the first step is IP / Port based traffic, the transmission data format includes a Time field, which is the occurrence time of the traffic in the header, and a C & C IP, which is the IP of the C & C server, in the C & C server field of the botnet. Field, and the C & C Port field, which is the connection port number, in the zombies list field of the botnet, the Count field, which is the total number of zombies found, the Time Window field, which is the time interval from the first zombie occurrence to the last zombie occurrence, It includes a zombie IP list field which is an IP list, and the value of the C & C server field is collected from direct communication traffic, which is a traffic directly communicating with a C & C server without an intermediate transport object, and the collection target port number is all ports.

As described above, the network-based IRC botnet detection method according to the present invention classifies the IP / Port-based traffic into new botnets and existing botnets by the botnet matching module, and classifies the existing botnets according to their types to queue messages. The botnet can be effectively detected and the botnet behavior analysis module can quickly identify the type of botnet.

Hereinafter, with reference to the accompanying drawings will be described in detail the advantages, features and preferred embodiments of the present invention.

1 is a block diagram of a botnet detection system according to the present invention. In order to detect IRC botnets from the traffic information collection sensor, the data format of the traffic with centralized connection characteristics is received, and through this process, the centralized network constituting the star topology is found, and whether the existing botnet is found in the botnet matching module Reclassify various actions after determining. The botnet matching module checks whether the network causing the centralized traffic found matches the existing botnet detected. If it is determined as a new botnet by the botnet matching module, the botnet configuration analysis module (BOA) requests additional behavioral traffic of the discovered zombies to the traffic information collection sensor.

Specifically, the botnet matching module performs botnet matching of the found centralized traffic by identifying the similarity between the centralized server and the access client IP list.

First, the botnet matching module detects a botnet by defining it as a new botnet when the centralized server is not the same as the existing C & C server information and the access client IP list is not similar to the existing zombie list by matching the detected existing botnet information. The botnet configuration analysis module (BOA) requests traffic information collection sensors to collect additional behavior traffic generated by zombies of the detected new botnet, and then monitors and analyzes the behavior of the botnet.

On the other hand, if the centralized server is the same as the existing C & C server information, or the access client IP list is similar to the existing zombie list, the botnet matching module defines the existing botnet, and the matching result of the existing botnet is subsequently added by the botnet behavior analysis module (BBA). In order to be quickly recognized, the botnet matching module allows pre-classification and flagging by three behavioral bases (A, B, C). The flags according to each action base are as follows.

-A flag (botnet extension behavior): the centralized server matches the C & C server information but the access client IP list differs from the existing zombie list

-B flag (C & C server reconnection and egg download behavior): When centralized server matches C & C server information and access client IP list is similar to existing zombie list

C flag (C & C server migration and other major botnet behavior): Centralized server is different from C & C server information, but access client IP list is similar to existing zombie list

As described above, the botnet configuration analysis module (BOA) requests additional behavior traffic from the traffic information collection sensor for the detected botnet by monitoring the centralized traffic (DNS request domain, IP / Port information of the centralized server). In this case, the botnet behavior analysis module (BBA) reclassifies various botnet behaviors based on the received behavior traffic. The IRC Channel is passed back to the Botnet Configuration Analysis Module (BOA) to provide an accurate basis for botnet protocol decisions. The three groups of A / B / Cs that are largely classified based on the centralized traffic are further subdivided into specific activities based on the behavioral traffic.

2 is a block diagram of a traffic classification module TC according to the present invention. As shown in FIG. 1, the traffic classification module TC according to the present invention includes a filter, a collection / classification management policy module, a traffic collection management module, a botnet matching module, and a VDNS check module.

The filter receives only valid traffic from multiple traffic information collection sensors and provides a white list firewall for the IPs of the sensors in charge.

The collection / classification management policy module adjusts the status value by setting the policy transmitted from the management system and reflects it in the management policy so that the botnet detection system can respond quickly by referring to the real-time security event of the botnet control / security management system. Therefore, in order to quickly respond to unknown new botnets, C & C server blacklist matching can be enabled regardless of the zombie list distribution based on shared information of control systems.

The traffic collection management module collects and monitors traffic having a centralized connection characteristic, that is, basic traffic connected to a common single server and forming a star topology. This is the basic collection traffic for IRC botnet detection, and based on this, the botnet matching module determines whether or not a botnet exists. In addition, the traffic collection management module collects additional request traffic for analysis (traffic according to the behavioral traffic request of the botnet configuration analysis module) so that the botnet configuration analysis module can analyze the IRC protocol (channel information, etc.) of the new botnet. do. In this case, additional request traffic is collected only for some bots that have already been sampled among the detected bots, that is, the botnet configuration analysis module. In addition, the traffic collection management module may receive specific traffic urgently requested in order to prepare for the threat of a new botnet discovered by the security management policy and the shared information management policy of the control system.

When the traffic collected by the traffic collection management module is IP / Port-based traffic, the botnet matching module is divided into an existing botnet or a new botnet compared to the existing botnet. First, the botnet matching module detects similar traffic of the new botnet configuration for the traffic collected by the traffic collection management module. Specifically, if the centralized server is different from the existing C & C server information and the access IP list is different from the existing zombie list by matching the detected existing botnet information, it is detected and stored in the new botnet message queue. However, since the probability of normal traffic cannot be excluded, detailed reclassification should be performed in the botnet configuration analysis (BOA) module, and the final determination of authenticity of the traffic occurred in the new botnet configuration stage. Next, the botnet matching module performs existing botnet detection and classification. Specifically, if the centralized server is identical to the existing C & C server information or the access IP list is similar to the existing zombie list, the centralized server is detected and stored in the existing botnet message queue. The botnet matching module specifies three (A / B / C) behavior results that are classified in the message queue as flag bits so that the botnet behavior analysis (BBA) module can quickly recognize them. The three types of action result flags are as described above.

If the traffic collected by the traffic collection management module is domain-based traffic, the VDNS check module checks whether VDNS (Virtual DNS) is present. VDNS is a DNS operated by an attacker and can be used to easily change the IP of a C & C server domain without using Dynamic DNS. Since most of the requested domains are not returned during normal DNS queries, the VDNS check module checks the VDNS by matching the normal DNS table, and stores the newly detected VDNS query information in the message queue to analyze the botnet configuration module. And botnet behavior analysis module for reference.

3 is a diagram illustrating a traffic classification process of the traffic classification module. As shown in FIG. 2, the traffic classification process of the traffic classification module includes a collection management procedure, a botnet matching procedure, and a VDNS check procedure.

1. Collection Management Procedures

After the filter filters valid traffic among the traffic collected from the traffic information collection sensor according to the collection / classification management policy, the traffic collection management module collects traffic having a centralized access characteristic according to the collection / classification management policy ( ST100 to ST120).

The traffic collection management module then classifies the C & C based zombie list and detection system request traffic. The C & C-based zombie list represents the IP list of the zombies who requested the connection based on the same C & C, and the detection system request traffic represents the content information of the C & C communication protocol as behavior traffic for the new botnet requested by the botnet configuration analysis module.

The C & C based zombie list additionally enumerates zombie IP lists introduced based on the same C & C for a certain waiting time for botnet matching (ST130). If the number of enumerated IP lists after the set waiting time exceeds a threshold, botnet matching is performed (ST140). On the other hand, even when the number of IP lists does not reach the threshold, botnet matching is performed as a next step even when it is determined that the traffic of the botnet is matched with the C & C server blacklist updated by the sharing information of the control system (ST150). First of all, “Connect Dst IP / Port” and “C & C Server IP / Port” are matched. The blacklist of C & C server IP / Port is updated by the shared information of the control system, and the blacklist update of C & C server domain is not necessary. not.

It also matches “response IP for request domain” and “DNS sinkhole IP”. The DNS sinkhole IP list is not a shared information of the control system but a fixed list that the botnet detection system should have in advance. Specifically, 1) extract the domain of the C & C server finally determined by the control system, 2) share information with other ISPs, 3) apply all DNS sinkholes for the domain, and 4) When the traffic requesting the domain is collected (sensored), 5) when the response IP of the requesting domain is the sinkhole IP, it is determined as a zombie behavior. In all cases of ST130 to ST150, if it is impossible to determine whether or not botnet traffic, the traffic is invalidated. As described above, the zombie IP list is updated based on the same C & C server while maintaining a prescribed data format of various traffic collected by the traffic information collecting sensor.

2. Botnet Matching Procedure

As described above, the botnet matching module compares the centralized server information with the existing C & C server information for IP / Port based traffic, compares the access client IP list with the existing zombie list, and configures a new botnet for the collected traffic. Existing botnet extensions (A flag), C & C server reconnection and egg download (B flag), C & C server migration and other major botnet actions (C flag) are classified and stored in each message queue (ST160 to ST180).

3. VDNS check procedure

The VDNS check module checks the VDNS status according to the collection / classification management policy for the domain-based traffic and stores new domain query information in the message queue (ST190).

4 is a diagram illustrating an operation sequence between each component module of the traffic classification module, the botnet configuration analysis module, and the botnet behavior analysis module according to the present invention.

Traffic collected by the traffic information collection sensor and the traffic collection management module is classified as a new botnet / existing botnet by the botnet matching module, stored in the message queue, and forwarded to the botnet configuration analysis module. On the other hand, if the collected traffic is a domain request, the VDNS check module performs a VDNS check, and in the case of a new VDNS request domain, it is also stored in the message queue and delivered to the botnet configuration analysis module. The botnet configuration analysis module sends a sampled new zombie IP list to request behavior information for new traffic (new botnet) and new VDNS request domains.

The traffic information collection sensor and the traffic collection management module continue to collect traffic, of which traffic corresponding to the existing botnet is classified by the botnet matching module, stored in the message queue, and forwarded to the botnet configuration analysis module and the botnet behavior analysis module. . In addition, if the collected traffic is a domain request and is determined by the VDNS check module to be a new VDNS request domain, it is stored in a message queue and forwarded to the botnet configuration analysis module and the botnet behavior analysis module. On the other hand, if the traffic collected by the traffic information collection sensor and the traffic collection management module is the traffic requested by the botnet configuration analysis module, that is, the botnet behavior information, the botnet matching module and the VDNS check module are bypassed and stored in the message queue and the IRC. Channel information is passed to the botnet configuration analysis module.

5 is a block diagram of a botnet configuration analysis module according to the present invention. 6 is a view showing an operation sequence of each component module of the botnet configuration analysis module according to the present invention. The operation of each component module of the botnet configuration analysis module according to the present invention will be described below with reference to FIGS. 5 and 6.

The temporary configuration log receives and stores classified traffic information (Domain, Dst_IP / Port) from the traffic collection management module. Meanwhile, the unclassified server access IP list log stores domains and IP / ports classified as normal traffic in the C & C analysis and detection module and transmits the results to the analysis result log.

The C & C analysis and detection module periodically reads the traffic information needed for analysis from the temporary configuration log and analyzes the similarity by domain and Dst_IP / Port. First, domain similarity analysis periodically reads domain information from a temporary configuration log, records source IPs requested for each domain in a matrix, and analyzes the matrix to generate a zombie IP list after analyzing a matrix after a specific time. Next, the Dst_IP / Port similarity analysis periodically reads the Dst_IP / Port information from the temporary configuration log, records the source IPs that transmit packets matching each IP / Port combination, and analyzes the matrix after a specific time. The similarity is measured to generate a zombie IP list. On the other hand, access protocol (command) analysis receives the traffic information sampled from the traffic information collection sensor and analyzes the access protocol (command) of each botnet, and in this process, the traffic detected by the botnet behavior is transmitted to the C & C extraction module.

The C & C extraction module receives the botnet traffic detected by the C & C analysis and detection module, stores the extracted C & C, and sends the analyzed traffic back to the zombie list extraction module.

The zombie list extraction module receives the botnet traffic from the C & C extraction module and extracts the zombie list that accesses the IRC channel detected by the botnet and stores it in the analysis result log.

The configuration event trigger aggregates the analysis results from each module and sends them to the log manager. The analysis results are generated and sent to the event triggers.

7 is a flowchart illustrating transmission and reception data between a traffic information collecting sensor, a botnet detection system, and a control system.

As shown in FIG. 7, the collected traffic data transmitted from the traffic information collecting sensor includes centralized traffic data, Class O-1 (Domain-based traffic) and Class 0-2 (IP / Port-based traffic). Behavior traffic data includes Class B-1 to 6. In addition, the behavior traffic collection request data transmitted from the botnet detection system, specifically, the botnet configuration analysis module, is expressed as Class R for delivering the zombie list to be collected. In addition, the detection data transmitted from the botnet detection system to the control system includes Class O-1, which is the initial configuration of the botnet, Class O-2, which is suspected of the initial configuration of the botnet, and It includes Class B-1 to 8 as a result of behavior classification.

8 is a diagram illustrating a transmission data format of traffic information collected by the traffic collection management module. The basic processing data format of the centralized traffic detected by the traffic collection management module is generated in the form of enumerating IPs of zombies connected to it based on information of one C & C server.

First, in case of Domain-based traffic, Time (Traffic occurrence time) is recorded in the header, and C & C Domain (C & C server's DNS query domain name) and C & C IP (Response IP at this time) in the centralized server (C & C server of botnet) field. ), The Server Connection Host (botnet zombie list) field contains Count (total number of Src objects found), Time Window (time interval from first zombie outbreak to last zombie outbreak), and zombie IP list (total zombie access) IP list) is recorded. At this time, the value of the centralized server field is collected from the communication traffic with the DNS server, not the direct communication traffic with the C & C server, and the collecting target port number is port 53.

Next, in case of IP / Port based traffic, Time (Traffic occurrence time) is also recorded in the header, and C & C IP (C & C Server's IP) and C & C Port (Access port number) in the centralized server (C & C server of botnet) field. ), And the Server Connection Host (botnet zombie list) field contains Count (total number of Src objects found), Time Window (time interval from first zombie outbreak to last zombie occurrence), and zombie IP list (total number of zombie connected). IP list) is recorded. At this time, the value of the centralized server field is collected from direct communication traffic with the C & C server, and the collection target port numbers are all ports.

Accordingly, the traffic collection management module is a data format of the basic collection target traffic, and the request domain based classification list (information extracted from the DNS traffic) includes DNS server request domain name (C & C Domain), DNS server response IP address (C & C IP), Collect enumerated zombie count (Count), time window from first zombie outbreak to last zombie outbreak (Zombie outbreak), and IP list (zombie IP list) of zombies who requested the same domain to DNS server, based on Dst IP / Port The classification list (information extracted from server access traffic) includes the IP address (C & C IP) of the C & C server that generated the centralized traffic, the access port number (C & C Port) of the C & C server that caused the centralized traffic, and the total number of zombies listed. (Count), time window from first zombie occurrence to last zombie occurrence and zombie IP list (zombie IP list) connected with same IP address and port number are collected.

9 is a diagram illustrating a transmission data format of botnet configuration information detected by a botnet detection system. The botnet detection system according to the present invention processes the newly detected botnet in the format as shown in FIG. 9 and delivers the same to the storage or control system. In FIG. 9, detection indicates traffic found by more than a certain number of zombies, and abnormality indicates centralized traffic detected by less than a certain number of clients.

First, the detected botnet configuration information (Class O-1) includes the local ID (local botnet ID number for detection system recognition) and Time in the header, and the Type (botnet configuration) in the C & C server field. Protocol (IRC), Domain (C & C server domain name when DNS query occurs), IP (C & C server IP), Port (C & C server port number), and Locator (connection location indicator (Channel name) in C & C server), In the Zombie List field, include Count (total number of zombie objects accessed) and Zombie IP List (IP list of all connected zombies), and in the analysis result field, Similarity (a similarity analysis value used as a measure for botnet configuration detection). Include.

In addition, the abnormal botnet configuration information (Class O-2) is basically the same as the Class O-1 data format, except that the botnet ID number is unnecessary, so the local ID field is excluded. This is because abnormal botnet configuration information does not need to be synchronized with behavior traffic information.

While the preferred embodiments of the present invention have been described using specific terms, such descriptions are for illustrative purposes only and it should be understood that various changes and modifications can be made without departing from the spirit and scope of the following claims. do.

1 is a block diagram of a botnet detection system according to the present invention.

2 is a block diagram of a traffic classification module according to the present invention.

3 is a flowchart illustrating a traffic classification process of the traffic classification module according to the present invention.

4 is a diagram illustrating an operation sequence between each component module of the traffic classification module, the botnet configuration analysis module, and the botnet behavior analysis module according to the present invention.

5 is a block diagram of a botnet configuration analysis module according to the present invention.

6 is a view showing an operation sequence of each configuration module of the botnet configuration analysis module according to the present invention.

7 is a flowchart illustrating transmission and reception data between a traffic information collecting sensor, a botnet detection system, and a control system.

8 is a diagram illustrating a transmission data format of traffic information collected by the traffic collection management module.

9 is a diagram illustrating a transmission data format of botnet configuration information detected by a botnet detection system.

Claims (11)

The traffic including domain-based traffic, which is the traffic that the user communicates with the outside in order to interpret the domain, and IP / Port-based traffic, which is the traffic that can distinguish the communication session by classifying IP and port between communication subjects, is concentrated on one destination. A traffic classification module (TC) for collecting traffic having a centralized connection characteristic and determining whether the collected traffic is a botnet, and a C & C server and a zombie collected by the traffic classification module (TC) The botnet is an act of increasing the size of botnets by increasing the number of infections in the botnets collected by the botnet configuration analysis module (BOA) and the traffic classification module (TC) and performing the composition analysis of the traffic to be analyzed. Botnet Behavior Analysis Module (BBA) that performs behavioral analysis of traffic that analyzes botnet behavior, including extended behavior and egg download In a botnet detection system comprising a), a method for detecting an IRC botnet, A first step of collecting traffic having the centralized connection characteristic collected by a plurality of traffic information collecting sensors; And If the collected traffic is IP / Port-based traffic, the traffic is compared to the existing botnet information and the existing botnet and the existing detected botnet information included in the previously detected botnet information including the C & C server information and the zombie list. A network-based IRC botnet detection method comprising the step of matching the botnet to any one of the new botnet not included in the botnet information. The method of claim 1, The second step, Step 2-1 of storing the traffic in the new botnet message queue when the centralized server of the traffic is different from the C & C server information of the botnet information and the access client IP list of the traffic is different from the zombie list of the botnet information. Network based IRC botnet detection method comprising a. The method of claim 2, The second step, If the centralized server of the traffic matches the C & C server information of the botnet information and the access client IP list of the traffic is different from the zombie list of the botnet information, the traffic is divided into botnet expansion actions and given a separate flag. Step 2-2 storing the existing botnet message queue; When the centralized server of the traffic matches the C & C server information of the botnet information, and the access client IP list of the traffic is similar to the zombie list of the botnet information, the traffic is divided into a C & C server reconnection and an egg download action. Granting a flag and storing it in an existing botnet message queue; And If the centralized server of the traffic is different from the C & C server information of the botnet information and the access client IP list of the traffic is similar to the zombie list of the botnet information, the traffic is divided into main botnet actions including C & C server migration. The network-based IRC botnet detection method further comprises the step 2-4 to give a separate flag and store in the existing botnet message queue. The method of claim 1, The network-based IRC botnet detection method further comprises the step of checking whether or not the VDNS (Virtual DNS) for the domain-based traffic collected by the traffic collection management module. The method of claim 1, Before the second step, A step 1-1 of additionally enumerating zombie IP lists introduced on the basis of the same C & C for a predetermined waiting time with respect to the collected traffic; If the number of enumerated zombie IP lists exceeds a threshold after the set waiting time elapses, determining the collected traffic as traffic of a botnet; And If the number of zombie IP lists does not reach the threshold after the set waiting time has elapsed, the first to third steps of determining whether or not the botnet traffic is matched with the C & C server blacklist updated by the sharing information of the control system Network based IRC botnet detection method comprising a. The method of claim 5, The first 1-3 steps, Steps 1-4 of matching “access Dst IP / Port” and “C & C server IP / Port”; and A method for detecting an IRC botnet based on a network, comprising steps 1-5 of matching a "response IP for a request domain" and a "DNS sinkhole IP". The method of claim 1, After the second step, A fourth step of receiving the collected traffic information (Domain, Dst_IP / Port) and temporarily storing it in a temporary configuration log; A fifth step of periodically reading traffic information necessary for analysis from the temporary configuration log to analyze similarity for each Domain and Dst_IP / Port and transmitting traffic detected by botnet activity; A sixth step of receiving the botnet traffic detected in the fifth step, extracting and storing the C & C, and transmitting the analyzed traffic; A seventh step of receiving the botnet traffic transmitted in the sixth step, extracting a zombie list accessing the IRC channel detected by the botnet, and storing the zombie list in an analysis result log; And And an eighth step of synthesizing the results analyzed in the sixth and seventh steps to the log manager. The method of claim 7, wherein The fifth step, Step 5-1 of periodically reading domain information from the temporary configuration log and recording source IPs requested for each domain in a matrix; And And a fifth step of analyzing the matrix to measure domain similarity and generating a zombie IP list after a set time elapses. The method of claim 7, wherein The fifth step, A fifth step of periodically reading the Dst_IP / Port information from the temporary configuration log and recording source IPs having transmitted packets matching the respective IP / Port combinations in a matrix; And And a fifth step of analyzing the matrix to measure Dst_IP / Port similarity and generating a zombie IP list after a predetermined time has elapsed. The method of claim 1, If the traffic information collected in the first step is domain-based traffic, the transmission data format is A header including a time field which is an occurrence time of the traffic, In the C & C Server field of the botnet, include the C & C Domain field, which is the DNS query domain name of the C & C server, and the C & C IP field, which is the response IP for DNS queries of the C & C server. In the botnet's zombie list field, include the Count field, which is the total number of zombies found, the Time Window field, which is the time interval from the first zombie occurrence to the last zombie occurrence, and the zombie IP list, which is an IP list of the total zombies that are connected, The value of the C & C server field is collected from the communication traffic with the DNS server and the collection target port number is port 53, characterized in that the network-based IRC botnet detection method. The method of claim 1, If the traffic collected in the first step is IP / Port based traffic, the transmission data format is A header including a time field which is an occurrence time of the traffic, In the C & C Server field of the botnet, include the C & C IP field, which is the IP of the C & C server, and the C & C Port field, which is the access port number. The zombie list field of the botnet includes the Count field, which is the total number of zombies found, the Time Window field, which is the time interval from the first zombie outbreak to the last zombie, and the zombie IP list field, which is the IP list of the total zombies connected. The value of the C & C server field is collected from direct communication traffic, which is traffic directly communicating with a C & C server without an intermediate transport object, and the collection target port numbers are all ports.

Images