
Research Of P2P Botnet Detection Technology

Posted on: 2016-03-31
Degree: Master
Type: Thesis
Country: China
Candidate: W Z Fu
GTID: 2298330467491905
Subject: Information security
Abstract/Summary:
A botnet is an overlay network built for malicious activity, formed by numerous hosts infected with a bot program and under the control of an attacker. Because P2P botnets are structurally complex, flexible, individually varied and continuously evolving, research on P2P botnet detection technology requires an in-depth study of their structure and functional mechanisms.

This paper analyzed the topology and core functions of traditional P2P botnets. Based on this analysis, it summarized the common flow characteristics of P2P botnets, most of which are also the focus of existing P2P botnet detection methods. Because of the complexity of real network environments and the uncontrollability of P2P bot programs, it is difficult to measure and study the flow characteristics of P2P botnets accurately in a real network environment. To support research on detection technology, this paper therefore designed and constructed LSBotnet, a P2P botnet experimental platform based on a hierarchical structure, according to the flow characteristics of P2P botnets. It proposed a P2P botnet neighbor list mechanism and a bot host hiding mechanism based on Rootkit Inline Hook. Through the design and implementation of the platform's components and its network communication and command mechanisms, LSBotnet can produce various flow data as required. It can thus simulate the state of a P2P botnet in a real network environment and provide a basis for the study of P2P botnets and their detection technology.

This paper used flow data collected on the LSBotnet experimental platform as the basis for constructing and testing the detection method. From testing of LSBotnet and analysis of P2P botnet flow characteristics, it extracted and constructed a P2P botnet characteristic set. It selected the DSCA characteristic set, which describes the flow characteristics better, and proposed a P2P botnet detection method based on the DSCA data stream characteristic set combined with a multiple Logistic regression function. The design and implementation of the method are described in detail. Finally, by comparing the detection results of DSCA with those of other characteristic combinations, the paper showed that this detection method achieves better detection of P2P botnet data streams.
Keywords/Search Tags: P2P botnet, data stream characteristic array, multiple Logistic regression analysis, botnet detection