BotCatcher：基于深度学习的僵尸网络检测系统

doi:10.11959/j.issn.1000-436x.2018135

Abstract

Abstract:

Machine learning technology has wide application in botnet detection.However,with the changes of the forms and command and control mechanisms of botnets,selecting features manually becomes increasingly difficult.To solve this problem,a botnet detection system called BotCatcher based on deep learning was proposed.It automatically extracted features from time and space dimension,and established classifier through multiple neural network constructions.BotCatcher does not depend on any prior knowledge which about the protocol and the topology,and works without manually selecting features.The experimental results show that the proposed model has good performance in botnet detection and has ability to accurately identify botnet traffic .

Key words: botnet, deep learning, detection, feature

CLC Number:

TP309.5

Di WU,Binxing FANG,Xiang CUI,Qixu LIU. BotCatcher:botnet detection system based on deep learning[J]. Journal on Communications, 2018, 39(8): 18-28.

Figures/Tables 12

References 27

[1]	CUI X , FANG B , SHI J ,et al. Botnet triple-channel model:towards resilient and efficient bidirectional communication botnets[C]// International Conference on Security and Privacy in Communication Systems. 2013: 53-68.
[2]	KOLIAS C , KAMBOURAKIS G , STAVROU A ,et al. DDoS in the IoT:mirai and other botnets[J]. Computer, 2017,50(7): 80-84.
[3]	EHRENFELD J M . Wannacry,cybersecurity and health information technology:a time to act[J]. Journal of Medical Systems, 2017,41(7):104.
[4]	LIVADAS C , WALSH R , LAPSLEY D ,et al. Usilng machine learning technliques to identify botnet traffic[C]// 31st IEEE Conference on Local Computer Networks. 2006: 967-974.
[5]	KONDO S , SATO N . Botnet traffic detection techniques by C＆C session classification using SVM[C]// International Workshop on Security. 2007: 91-104.
[6]	BILGE L , BALZAROTTI D , ROBERTSON W ,et al. Disclosure:detecting botnet command and control servers through large-scale netflow analysis[C]// The 28th Annual Computer Security Applications Conference. 2012: 129-138.
[7]	FRAN?OIS J , WANG S , ENGEL T . BotTrack:tracking botnets using NetFlow and PageRank[C]// International Conference on Research in Networking. 2011: 1-14.
[8]	GU G , PERDISCI R , ZHANG J ,et al. BotMiner:clustering analysis of network traffic for protocol-and structure-independent botnet detection[C]// USENIX Security Symposium. 2008: 139-154.
[9]	CUI X , FANG B X , YIN L H ,et al. Andbot:towards advanced mobile botnets[C]// The 4th Usenix Workshop on Large-scale Exploits and Emergent Threats. 2011:11.
[10]	ZHANG J , SAHA S , GU G ,et al. Systematic mining of associated server herds for malware campaign discovery[C]// 2015 IEEE 35th International Conference on Distributed Computing Systems (ICDCS). 2015: 630-641.
[11]	崔鹏飞, 裘玥, 孙瑞 . 面向网络内容安全的图像识别技术研究[J]. 信息网络安全, 2015(9): 154-157.
	CUI P F , QIU Y , SUN R . Research on image recognition technology for the network content security[J]. Netinfo Security, 2015(9): 154-157.
[12]	GUL K S Q 尹继泽, 潘丽敏, ,等. 基于深度神经网络的命名实体识别方法研究[J]. 信息网络安全, 2017(10): 29-35.
	GUL K S Q , YIN J Z , PAN L M ,等. Research on the algorithm of named entity recognition based on deep neural network[J]. Netinfo Security, 2017(10): 29-35.
[13]	ILGUN K , . USTAT:a real-time intrusion detection system for UNIX[C]// 1993 IEEE Computer Society Symposium on Research in Security and Privacy. 1993: 16-28.
[14]	VIGNA G , KEMMERER R A . NetSTAT:a network-based intrusion detection approach[C]// 14th Annual Computer Security Applications Conference. 1998: 25-34.
[15]	GU G , PORRAS P A , YEGNESWARAN V ,et al. BotHunter:detecting malware infection through IDS-driven dialog correlation[C]// USENIX Security Symposium. 2007: 1-16.
[16]	WURZINGER P , BILGE L , HOLZ T ,et al. Automatically generating models for botnet detection[C]// European Symposium on Research in Computer Security. 2009: 232-249.
[17]	ARSHAD S , ABBASPOUR M , KHARRAZI M ,et al. An anomaly-based botnet detection approach for identifying stealthy botnets[C]// 2011 IEEE International Conference on Computer Applications and Industrial Electronics (ICCAIE). 2011: 564-569.
[18]	SAAD S , TRAORE I , GHORBANI A ,et al. Detecting P2P botnets through network behavior analysis and machine learning[C]// 2011 Ninth Annual International Conference on Privacy,Security and Trust (PST). 2011: 174-180.
[19]	AL-JARRAH O Y , ALHUSSEIN O , YOO P D ,et al. Data randomization and cluster-based partitioning for botnet intrusion detection[J]. IEEE Transactions on Cybernetics, 2016,46(8): 1796-1806.
[20]	VENKATESH G K , NADARAJAN R A . HTTP botnet detection using adaptive learning rate multilayer feed-forward neural network[C]// WISTP. 2012: 38-48.
[21]	TORRES P , CATANIA C , GARCIA S ,et al. An analysis of recurrent neural networks for botnet detection behavior[C]// 2016 IEEE Biennial Congress of Argentina (ARGENCON). 2016: 1-6.
[22]	WANG W , ZHU M , ZENG X ,et al. Malware traffic classification using convolutional neural network for representation learning[C]// 2017 International Conference on Information Networking (ICOIN). 2017: 712-717.
[23]	王勇, 周惠怡, 俸皓 ,等. 基于深度卷积神经网络的网络流量分类方法[J]. 通信学报, 2018,39(1): 14-23.
	WANG Y , ZHOU H Y , FENG H ,et al. Network traffic classification method basing on CNN[J]. Journal on Communications, 2018,39(1): 14-23.
[24]	HADDADI F , PHAN D T , ZINCIR-HEYWOOD A N . How to choose from different botnet detection systems?[C]// Network Operations and Management Symposium (NOMS). 2016: 1079-1084.
[25]	ZHAO D , TRAORE I , SAYED B ,et al. Botnet detection based on traffic behavior analysis and flow intervals[J]. Computers ＆ Security, 2013,39: 2-16.
[26]	WATSON D , RIDEN J . The honeynet project:data collection tools,infrastructure,archives and analysis[C]// WOMBAT Workshop on Information Security Threats Data Collection and Sharing. 2008: 24-30.
[27]	SZABó G , ORINCSAY D , MALOMSOKY S , et al . On the validation of traffic classification algorithms[C]// International Conference on Passive and Active Network Measurement. 2008: 72-81.

Metrics

Recommended 0

No Suggested Reading articles found!

研究方向	研究进展	研究团队	存在问题
基于IDS的误用检测技术	提出一种以IDS为驱动基于状态的检测系统^[15]	德克萨斯A＆M大学	加密流量、无法检测未知攻击需要建立特征模板库、难以识别
	根据不同协议的僵尸网络分别建立检测模型^[16]	维也纳技术大学
	从主机行为和通信模式这2个方面对流量进行聚类^[8]	德克萨斯A＆M大学
基于聚类的异常检测技术	采用时间窗模式对实时聚类结果进行关联^[17]	沙希德贝赫什提大学	需要人工提取特征、聚类关联分析繁杂
	通过客户端重合度等特征聚类挖掘可疑服务器^[10]	德克萨斯A＆M大学
	针对IRC僵尸网络设计多种分类器^[4]	雷神BBN技术中心
基于分类的异常检测技术	针对P2P僵尸网络设计多种分类器^[18]	维多利亚大学	需要人工提取特征、多针对指定类型僵尸网络、多使用简单的分类算法
	采用随机森林模型动态选取特征构造检测系统^[6]	赛门铁克研究实验室
	采用算法过滤多余无关特征并剪枝缩小数据集^[19]	哈立法大学
	利用带有反向传播机制的前馈神经网络进行分类^[20]	PSG技术学院
基于深度学习的检测技术	利用RNN提取网络流状态序列特征^[21]	门多萨大学	只使用一种深度学习算法、学习得到的特征类型单一
	利用CNN在图形分类中的方法提取网络流特征^[22]	中国科学技术大学

僵尸网络	CTU序号	处理
Neris	42	原始（56 MB）
Rbot	44	原始（123 MB）
Virut	46	原始（30 MB）
Zeus	78-2	裁剪（309 MB）
Conficker	90	原始（13 MB）
Geodo	125-1	裁剪（327 MB）
Miuref	127-1	原始（16 MB）
Bunitu	141-1	原始（323 MB）

统计数据	Conficker	Neris	Zeus
总数据流	18 855	9 480	23 146
总数据分组	154 838	195 971	488 858
总字节	9.36×10⁶	3.48×10⁷	3.17×10⁸
每条数据流字节数最大值	19 942	864 526	81 095
每条数据流字节数最小值	232	60	306
每条数据流字节数平均值	496	3 675	13 678
每条数据流字节数众数	480	372	3 496
每条数据流数据分组数最大值	268	6 662	92
每条数据流数据分组数最小值	4	1	5
每条数据流数据分组数平均值	8	20	21
每条数据流数据分组数众数	8	6	10
每个数据分组字节数最大值	1 466	10 274	1 474
每个数据分组字节数最小值	54	60	54
每个数据分组字节数平均值	60	177	647
每个数据分组字节数众数	62	60	54

BotCatcher:botnet detection system based on deep learning

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 27

Related Articles 15

Metrics

Recommended 0

[1]	Dongyu CHEN, Hua CHEN, Limin FAN, Yifang FU, Jian WANG. Research on test strategy for randomness based on deep learning [J]. Journal on Communications, 2023, 44(6): 23-33.
[2]	Rongpeng LI, Bingyan WANG, Honggang ZHANG, Zhifeng ZHAO. Design of knowledge enhanced semantic communication receiver [J]. Journal on Communications, 2023, 44(6): 70-76.
[3]	Yang GAO, Hongli ZHANG. Survey on community detection method based on random walk [J]. Journal on Communications, 2023, 44(6): 198-210.
[4]	Shuai MA, Ke PEI, Huayan QI, Hang LI, Wen CAO, Hongmei WANG, Hailiang XIONG, Shiyin LI. Research on geomagnetic indoor high-precision positioning algorithm based on generative model [J]. Journal on Communications, 2023, 44(6): 211-222.
[5]	Jinzhi ZHENG, Ruyi JI, Libo ZHANG, Chen ZHAO. End-to-end scene text detection and recognition algorithm based on Transformer decoders [J]. Journal on Communications, 2023, 44(5): 64-78.
[6]	Xin SUN, Guifu ZHANG, Hongyan XING, Wang Zenghui. Research on intrusion detection for maritime meteorological sensor network based on balancing generative adversarial network [J]. Journal on Communications, 2023, 44(4): 124-136.
[7]	Qianyi DAI, Bin ZHANG, Song GUO, Kaiyong XU. Blockchain network layer anomaly traffic detection method based on multiple classifier integration [J]. Journal on Communications, 2023, 44(3): 66-80.
[8]	Bingpeng ZHOU, Shanshan MA. Simultaneous vehicular location and velocity detection towards 6G integrated communication and sensing [J]. Journal on Communications, 2023, 44(3): 81-92.
[9]	Feibo JIANG, Yubo PENG, Li DONG. Deep image semantic communication model for 6G [J]. Journal on Communications, 2023, 44(3): 198-208.
[10]	Shuangyan YI, Yongsheng LIANG, Jingjing LU, Wei LIU, Tao HU, Zhenyu HE. Robust feature selection method via joint low-rank reconstruction and projection reconstruction [J]. Journal on Communications, 2023, 44(3): 209-219.
[11]	Helin SUN, Hongyuan GAO, Yanan DU, Jianhua CHENG, Yapeng LIU. Joint estimation method of target number and orientation parameters for FDA-MIMO radar [J]. Journal on Communications, 2023, 44(2): 41-51.
[12]	Weigang HUO, Rui LIANG, Yonghua LI. Anomaly detection model for multivariate time series based on stochastic Transformer [J]. Journal on Communications, 2023, 44(2): 94-103.
[13]	Guojun LI, Cuiling XIANG, Changrong YE, Zunli WANG. Fast link-establishment method of integrated of communication and detection based on short-wave digital channelization [J]. Journal on Communications, 2023, 44(1): 89-102.
[14]	Hongyu YANG, Haiyun YANG, Liang ZHANG, Xiang CHENG. Feature dependence graph based source code loophole detection method [J]. Journal on Communications, 2023, 44(1): 103-117.
[15]	Yanhua LIU, Jiaqi LI, Zhengui OU, Xiaoling GAO, Ximeng LIU, Weizhi MENG, Baoxu LIU. Adversarial training driven malicious code detection enhancement method [J]. Journal on Communications, 2022, 43(9): 169-180.