| From Eggdrop, which uses the IRC protocol, to the highly modular Agobot, bot programs have grown from auxiliary software for network chat rooms into a major network security threat. To evade botnet detection techniques, bot programs use the HTTP and P2P protocols in place of IRC as their communication channel, use fast-flux, domain-flux and URL-flux techniques to strengthen the concealment of botnet communication, and abandon the traditional centralized C&C structure in favour of a more flexible and robust distributed C&C structure. Current botnet detection techniques include anomaly analysis, DNS traffic detection, traffic clustering detection and others. Applied to distributed botnets, these techniques have shortcomings: they are difficult to deploy, and the characteristics that detect other botnets well do not work for distributed botnets. In order to detect distributed botnets effectively, this thesis studies the distributed botnet's lifecycle, basic elements and other important features, and finds that the traffic between zombie nodes exhibits a correlated relationship that can be detected by analysing network data. Combining this detection method with the spatio-temporal relationship between network data, the thesis designs and implements a botnet detection system. The system consists of three modules: the packet aggregation module, the communication-data relationship extraction module, and the detection module. The packet aggregation module first captures the raw data and then gathers related raw data into a set. The relationship extraction module first extracts any two sets that satisfy the time interval threshold and the occurrence threshold, and then, based on known relationships, extracts trusted multilevel relationships.
The botnet detection module uses a hierarchical clustering algorithm, gathering host nodes whose distance is smaller than the distance threshold into clusters; this procedure repeats until the number of clusters no longer changes. The detection is then complete and the possible zombie hosts have been found. To test the detection system, this thesis designed an experimental scenario and set up a test environment in the laboratory. Experimental results show that the detection system can effectively detect distributed botnets. |