基于Command and Control通信信道流量属性聚类的僵尸网络检测方法

Botnet Detecting Method Based on Clustering Flow Attributes of Command and Control Communication Channel

僵尸网络(Botnet)是一种从传统恶意代码形态进化而来的新型攻击方式,为攻击者提供了隐匿、灵活且高效的一对多命令与控制信道(Command and Control channel,C&C)机制,可以控制大量僵尸主机实现信息窃取、分布式拒绝服务攻击和垃圾邮件发送等攻击目的。该文提出一种与僵尸网络结构和C&C协议无关,不需要分析数据包的特征负载的僵尸网络检测方法。该方法首先使用预过滤规则对捕获的流量进行过滤,去掉与僵尸网络无关的流量;其次对过滤后的流量属性进行统计;接着使用基于X-means聚类的两步聚类算法对C&C信道的流量属性进行分析与聚类,从而达到对僵尸网络检测的目的。实验证明,该方法高效准确地把僵尸网络流量与其他正常网络流量区分,达到从实际网络中检测僵尸网络的要求,并且具有较低的误判率。

Botnet is a novel attack strategy evolved from traditional malware forms; It provides the attackers stealthy, flexible and efficient one to many Command and Control （C＆C） mechanisms, which can be used to order an army of zombies to achieve the goals including information theft, launching Distributed Denial of Service （DDoS）, and sending spam. This paper proposed a botnet detecting method which independent of botnet C＆C protocol and structure, and not analysis payload of packets. At first this method use pre-filter rules to filter flow which have irrelevant with botnet; Second, the flow attributes are analyzed; Third, two-steps clustering algorithm which based on X-means clustering is used to analyze and cluster flow attributes of C＆C channel, and the botnet detection is implemented. The experiment shows that this method can differentiate traffic of botnet and normal network with high accuracy, low false positive, achieve the goal that detects botnet under real network environment.