面向物联网的多协议僵尸网络检测方法

A Multi-Protocol Botnet Detection Method for IoT

针对现有僵尸网络检测方法采样不均、特征选择差、泛化能力较弱,导致检测分类效果偏低且对计算和存储资源受限的物联网环境的适应性较差等不足,本文提出了一种面向物联网的多协议僵尸网络检测方法 .通过所设计的基于地址三元组和时间窗口的IP聚合与特征重构方法整合从物联网网关中获取的网络流量,得到重构样本集.采用所提出的自修正混合加权采样算法平衡重构样本集中正常流量与僵尸流量,得到重采样样本集.采用所提出的基于多属性决策和邻接关系链的序列前向选择算法剔除重采样样本集中的冗余特征,得到最优特征子集.采用所设计的基于阵发混沌的秃鹰搜索算法优化后的两阶段混合异构模型,对经最优特征子集筛选后的重采样样本集进行检测分类.实验结果表明,所提方法对僵尸网络的检测效果较好,检测准确率为99.24%,马修斯相关系数为98.49%,误报率为0.17%,漏报率为1.29%,优于现有方法 .该方法能够有效降低采样与特征选择的时空开销,可较好地适应资源受限的物联网环境.

In order to solve the problems of uneven sampling,poor feature selection,and weak generalization ability to the existing botnet detection methods,this paper proposes a multi-protocol botnet detection method for internet of things(IoT).The designed IP aggregation and feature reconstruction method using address triples and time windows is used to in-tegrate the network traffic samples obtained from the IoT gateway to obtain the reconstructed sample set.The proposed self-correcting hybrid weighted sampling algorithm balances the normal and botnet flow samples to get the resampling sample set.The proposed multi-attribute decision making and adjacency relation chain-based sequential forward selection algorithm is used to eliminate the redundant features and obtain the optimal feature subset.The resampling sample set filtered by the optimal feature subset is detected and classified through the designed two-stage hybrid heterogeneous model optimized by the intermittent chaos-based bald eagle search algorithm.Experimental results show that the proposed method has a good de-tection effect on the botnet.The detection accuracy is 99.24%,Matthews correlation coefficient is 98.49%,false positive rate is 0.17%,and false negative rate is 1.29%,which are better than the existing methods.This method can effectively re-duce sampling and feature selection time and space overhead and better adapt to the resource-constrained IoT environment.