电子科技大学学报2017,Vol.46Issue(6):902-906,948,6.DOI:10.3969/j.issn.1001-0548.2017.06.019
基于流相似性的两阶段P2P僵尸网络检测方法
Two Stage P2P Botnet Detection Method Based on Flow Similarity
摘要
Abstract
The botnet has been one of the most common threats to the network security since it exploits multiple malicious codes like worm, Trojans, Rootkit, etc. toperform thedenial-of-service attack, send phishing links, and provide malicious services. Peer-to-peer (P2P) botnet is more difficult to be detected compared with IRC, HTTP and other types of botnets because it has typical features of the centralization and distribution. To solve these problems, we propose an effective two-stage traffic classification method to detect P2P botnet traffic based on both non-P2P traffic filtering mechanism and machine learning techniques on conversation features. At the first stage, the non-P2P packages are filtered to reduce the amount of network traffic, according to well-known ports, DNS query, and flow counting. At the second stage, the conversation features based on data flow features and flow similarity are extracted. Finally, the P2P botnet is detected by using Random Forest based on the decision tree model. Experimental evaluations on UNB ISCX botnet dataset shows that our two-stage detection method has a higher accuracy than traditional P2P botnet detection methods.关键词
僵尸网络检测/会话特征/流相似性/P2P流量识别Key words
botnet detection/conversation feature/flow similarity/P2P traffic identification分类
信息技术与安全科学引用本文复制引用
牛伟纳,张小松,孙恩博,杨国武,赵凌园..基于流相似性的两阶段P2P僵尸网络检测方法[J].电子科技大学学报,2017,46(6):902-906,948,6.基金项目
国家自然科学基金(61572115,61502086,61402080) (61572115,61502086,61402080)
四川省重大基础研究课题(2016JY0007) (2016JY0007)
