基于流角色检测P2P botnet

doi:10.3969/j.issn.1000-436x.2012.z1.035

Abstract

Abstract:

Towards the weaknesses of the existing detection methods of P2P botnet,a novel real-time detection model based on the role of flows was proposed,which was named as RF.According to the characteristics of flows,the model made the flows play the different roles in the detection of the P2P botnet to detect the essential abnormality and the attacking abnormality.And the model considered the influence on the detection of the P2P botnet which the Web applications generated,especially the applications based on the P2P protocols.To minimize the false positive rate and false negative rate,a real-time method based on the sliding window to estimate the Hurst parameter was proposed,and the Kaufman algorithm was applied to adjust the threshold dynamically.The experiments showed that the model was able to detect the new P2P botnet with a relatively high precision.

Key words: P2P botnet, self-similarity, multi-chart CUSUM, Kaufman

Yuan-zhang SONG,Jun-ting HE,Bo ZHANG,Jun-jie WANG,An-bang WANG. Detecting P2P botnet based on the role of flows[J]. Journal on Communications, 2012, 33(Z1): 262-269.

Figures/Tables 7

References 19

[1]	JOE STEWART . Storm Worm DDOS Attack[R]. SecureWorks,Inc,Atlanta GA, 2007.
[2]	GRIZZARD J B , SHARMA V , NUNNERY C . Peer-to-peer botnets:overview and case study[A]. HotBots’07 conference[C]. 2007.
[3]	SARAT S , TERZIS A . Measuring the Storm Worm Network[R]. Technical Report 01-10-2007,HiNRG Johns Hopkins University, 2007.
[4]	HOLZ T , STEINER M , DAHL F . Measurements and mitigation of peer-to-peer-based botnets:a case study on storm worm[A]. 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats[C]. San Francisco, 2008.
[5]	STEGGINK M , IDZIEJCZAK I . Detection of Peer-to-Peer Botnets[R]. University of Amsterdam,Netherlands, 2007.
[6]	PORRAS P , SAIDI H , YEGNESWARAN V . A multi-perspective analysis of the storm (peacomm)worm[A]. Computer Science Laboratory,SRI International[C]. CA, 2007.
[7]	王海龙, 胡宁, 龚正虎 . Bot_CODA:僵尸网络协同检测体系结构[J]. 通信学报, 2009,30(10A): 15-22. WANG H L , HU N , GONG Z H . Bot_CODA:botnet collaborative detection architecture[J]. Journal on Communications, 2009,30(10A): 15-22.
[8]	王劲松, 刘帆, 张健 . 基于组特征过滤器的僵尸主机检测方法的研究[J]. 通信学报, 2010,31(2): 29-35. WANG J S , LIU F , ZHANG J . Botnet detecting method based on group-signature filter[J]. Journal on Communications, 2010,31(2): 29-35.
[9]	臧天宁, 云晓春, 张永铮 . 僵尸网络关系云模型分析算法[J]. 武汉大学学报(信息科学版), 2012,37(2): 247-251. ZANG T N , WANG X CCC , ZHANG Y Z . A botnet relationship analyzer based on cloud model[J]. Geomatics and Information Science of Wuhan University, 2012,37(2): 247-251.
[10]	诸葛建伟, 韩心慧, 周勇林 . 僵尸网络研究[J]. 软件学报, 2008,19(3): 702-715. ZHUGE J W , HAN X H , ZHOU Y L . Research and development of botnets[J]. Journal of Software, 2008,19(3): 702-715.
[11]	江健, 诸葛建伟, 段海新 . 僵尸网络机理与防御技术[J]. 软件学报, 2012,23(1): 82-96. JIANG J , ZHUGE J W , DUAN H X . Research on botnet mechanisms and defenses[J]. Journal of Software, 2012,23(1): 82-96.
[12]	LELAND W E , TAQQU M S , WILLINGER W . On the self-similar nature of Ethernet traffic(extended version)[J]. IEEE/ACM Trans on Networking, 1994,2(1): 1-15.
[13]	BERAN J , SHERMAN R , TRAQQU M S . Long range dependence in variable bit rate video traffic[A]. IEEE Trans on Communication[C]. 1995,43(234): 1566-1579.
[14]	KIM J S , KAHNG B , KIM D . Self-similarity in fractal and non-fractal networks[J]. Journal of the Korean Physical Society, 2008,52: 350-356.
[15]	KARAGIANNIS T , MOLLE M , FALOUTSOS M . Understanding the Limitations of Estimation Methods for Long-range Dependence[R]. University of Califomia,Tech ReP:TRUCR-CS-2006-10245, 2006.
[16]	KARAGIANNIS T , MOLLE M , FALOUTSOS M . Long-range dependence:Ten years of Internet traffic modeling[J]. IEEE Intenet Computing, 2004,8(5): 57-64.
[17]	TARTAKOVSKY A G , ROZOVSKII B , SHAH K . A Nonparametric Multichart CUSUM test for rapid intrusion detection[A]. Proceedings of Joint Statistical Meetings[C]. 2005.
[18]	KASERA S , PINHEIRO J , LOADER C . Fast and robust signaling overload control[A]. Proceedings of Ninth International Conference on Network Protocols[C]. 2001. 323-331.
[19]	SEN S , SPATSCHECK O , WANG D M . Accurate,scalable in-network identification of P2P traffic using application signatures[A]. Proceedings of the 13th international conference on World Wide Web[C]. New York, 2004. 512-521.

Metrics

Recommended 0

No Suggested Reading articles found!

检测方案	No.1	No.2	No.3	No.4
真实情况	0	0	100	100
UDP	11	42	79	143:69
ICMP	16	20	61	135:57
SMTP	11	14	68	105:63
RF	5	3	92	113:77

Detecting P2P botnet based on the role of flows

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 7

References 19

Related Articles 15

Metrics

Recommended 0

[1]	Debin WEI,Ting SHEN,Li YANG,Yaowen QI. Network queue scheduling algorithm based on self-similar traffic level grading prediction [J]. Journal on Communications, 2020, 41(4): 182-189.
[2]	. Self-organized CAC mechanism adopting for self-similarity service in wireless network [J]. Journal on Communications, 2013, 34(8): 4-34.
[3]	Lei FENG,Wen-jing LI,Xue-song QIU. Self-organized CAC mechanism adopting for self-similarity service in wireless network [J]. Journal on Communications, 2013, 34(8): 27-34.
[4]	Tong GUO,Ju-long LAN,Wan-wei HUANG,Zhen ZHANG. Analysis the self-similarity of network traffic in fractional Fourier transform domain [J]. Journal on Communications, 2013, 34(6): 38-48.
[5]	. Analysis the self-similarity of network traffic in fractional Fourier transform domain [J]. Journal on Communications, 2013, 34(6): 5-48.
[6]	Hui WANG,Zhen-zhou JI,Yan-dong SUN,Yuan-zheng WANG. Time slot-based RED algorithm on self-similar flows:SFRED [J]. Journal on Communications, 2010, 31(10): 115-120.
[7]	Hua-mei QI,Zhi-gang CHEN. Traffic model for wireless mesh networks by statistical networks calculus [J]. Journal on Communications, 2009, 30(7): 1-6.
[8]	Chen CHEN,Xin-bo GAO,Qing-qi PEI. Adaptive MANET mobility model based on fuzzy control with Hurst adjustment [J]. Journal on Communications, 2009, 30(10A): 132-138.
[9]	Ming CHEN,Ling-bo PEI,Wen LIANG. Double-mode model about distributions of network traffic [J]. Journal on Communications, 2008, 29(5): 100-106.
[10]	Lei XUAN,Xi-cheng LU,Rui-hou YU,Xue-ming ZHAO. Self-similarity analysis of network threat time series [J]. Journal on Communications, 2008, 29(4): 45-50.
[11]	Jie ZHANG,Yuan-ming WU. Effect of wireless gateway on incoming self-similar traffic [J]. Journal on Communications, 2008, 29(2): 66-70.
[12]	Xun-yi REN,Ru-chuan WANG,Hai-yan WANG. Wavelet analysis method for detection of DDoS attack based on self-similar [J]. Journal on Communications, 2006, 27(5): 6-11.
[13]	Yuan-ming WU,Lian-zhu XIAO,Le-min LI. Modifying the adaptive assembly algorithm based on the length threshold [J]. Journal on Communications, 2006, 27(4): 37-41.
[14]	Yu-feng CHEN,Ya-bo DONG,Dong-ming LU,Yun-he PAN. Simulating method for TCP aggregated traffic of large scale network [J]. Journal on Communications, 2006, 27(2): 100-106.
[15]	Hua CHENG,Zhi-qing SHAO,Yi-quan FANG. Multifractal analysis of Internet traffic [J]. Journal on Communications, 2005, 26(1A): 27-30.