| In recent years, botnet security incidents have occurred frequently, and the threat level is increasing day by day. In detecting and identifying botnet traffic, detection performance declines across scenarios, and little work distinguishes botnet behavior and traffic at different stages. To solve these problems, after analyzing botnet traffic, we propose a botnet traffic detection method based on a one-dimensional convolutional neural network and a botnet behavior recognition method based on multi-feature combination. First, we propose a botnet traffic detection method based on a one-dimensional convolutional neural network to address the performance degradation in cross-scene detection of botnet traffic. The traffic is cut into samples using a packet window cutting method, and a deep learning method automatically extracts the characteristics of the cut traffic samples and classifies them. It achieves high accuracy in detecting traditional botnet traffic and IoT device botnet traffic without prior knowledge of botnet protocols and families. Then, we use transfer learning, adding a small number of samples from the target scene to fine-tune the model trained in the source scene, to improve the detection accuracy on target-scene data. Migration experiments are carried out on the traffic of different botnet families. The experimental results show that in all migration experiments, adding 10 samples can improve the accuracy of cross-scene detection by about 4%, and adding 20 samples can improve cross-scene detection by 6%. Second, since most existing detection work detects a single botnet event without distinguishing the behavior of the botnet stages, we propose a botnet behavior identification method based on multi-feature combination. Botnet traffic is divided into three stages: propagation and aggregation, C&C communication, and attack. By analyzing the packet length sequence, packet arrival time interval sequence, packet source port sequence and packet destination port sequence of the botnet traffic in different stages, the statistical features, sequence features, distribution features and Fourier transform features of the samples are extracted. These features are then combined with machine learning methods to perform behavior recognition, and the experimental effects of different feature combinations are evaluated. The experimental results show that our proposed method achieves an accuracy of over 99% for the three-stage behavior recognition of botnets. |
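
The multi-feature combination described in the abstract, as an added sketch that is not the authors' code: it derives the four per-flow sequences and builds statistical, sequence, distribution and Fourier feature groups for each. The chosen statistics, bin edges, prefix length `k`, number of Fourier coefficients and the sample flow are assumptions; the abstract does not specify them.

```python
import cmath
import statistics

# Histogram bin edges per sequence type (assumed values for this sketch).
EDGES = {"length": [64, 256, 1024], "iat": [0.01, 0.1, 1.0],
         "sport": [1024, 49152], "dport": [1024, 49152]}

def stat_features(seq):
    if not seq:                      # e.g. inter-arrival times of a 1-packet flow
        return [0.0] * 4
    return [statistics.fmean(seq), statistics.pstdev(seq), min(seq), max(seq)]

def sequence_features(seq, k=4):
    head = list(seq[:k])
    return head + [0] * (k - len(head))          # zero-pad short flows

def distribution_features(seq, edges):
    counts = [0] * (len(edges) + 1)
    for v in seq:
        counts[sum(v >= e for e in edges)] += 1  # index of the bin holding v
    return [c / len(seq) if seq else 0.0 for c in counts]

def fourier_features(seq, n_coeff=3):
    n = len(seq)
    if n == 0:
        return [0.0] * n_coeff
    # Magnitudes of the first DFT coefficients, normalised by sequence length.
    return [abs(sum(x * cmath.exp(-2j * cmath.pi * k * t / n)
                    for t, x in enumerate(seq))) / n
            for k in range(n_coeff)]

def split_sequences(packets):
    """packets: list of (timestamp, length, src_port, dst_port) tuples."""
    ts = [p[0] for p in packets]
    return {"length": [p[1] for p in packets],
            "iat": [b - a for a, b in zip(ts, ts[1:])],
            "sport": [p[2] for p in packets],
            "dport": [p[3] for p in packets]}

def combine(packets, groups=("stat", "seq", "dist", "fft")):
    """Concatenate the selected feature groups over all four sequences."""
    extract = {"stat": lambda s, n: stat_features(s),
               "seq": lambda s, n: sequence_features(s),
               "dist": lambda s, n: distribution_features(s, EDGES[n]),
               "fft": lambda s, n: fourier_features(s)}
    vec = []
    for name, seq in split_sequences(packets).items():
        for g in groups:
            vec += extract[g](seq, name)
    return vec

# Constructed sample flow: five packets, one second apart, to one destination port.
SAMPLE = [(0.0, 60, 40000, 6667), (1.0, 60, 40000, 6667), (2.0, 120, 40000, 6667),
          (3.0, 60, 40000, 6667), (4.0, 60, 40000, 6667)]
```

Varying `groups` yields the different feature combinations whose effect the abstract says was evaluated; the resulting vector is what a classifier would be trained on.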