
[1] Song Yuanzhang, Chen Yuan, Wang Junjie, Wang Anbang, et al. Detection of P2P botnet based on network behavior features and Dezert-Smarandache theory [J]. Journal of Southeast University (English Edition), 2018, 34(2): 191-198. [doi:10.3969/j.issn.1003-7985.2018.02.008]

Detection of P2P botnet based on network behavior features and Dezert-Smarandache theory

Journal of Southeast University (English Edition) [ISSN: 1003-7985 / CN: 32-1325/N]

Volume:
34
Issue:
2 (2018)
Page:
191-198
Research Field:
Computer Science and Engineering
Publishing date:
2018-06-20

Info

Title:
Detection of P2P botnet based on network behavior features and Dezert-Smarandache theory
Author(s):
Song Yuanzhang, Chen Yuan, Wang Junjie, Wang Anbang, Li Hongyu
Changchun Institute of Optics, Fine Mechanics and Physics, Chinese Academy of Sciences, Changchun 130033, China
Keywords:
P2P (peer-to-peer) botnet; local singularity; information entropy; Kalman filter; Dezert-Smarandache theory
PACS:
TP393
DOI:
10.3969/j.issn.1003-7985.2018.02.008
Abstract:
In order to improve the accuracy of detecting new P2P (peer-to-peer) botnets, a novel P2P botnet detection method based on network behavior features and Dezert-Smarandache theory is proposed. It focuses on the network behavior features, which are the essential anomalous features of a P2P botnet and do not change with the network topology, the network protocol, or the type of attack launched by the botnet. First, the network behavior features are described precisely using local singularity and information entropy theory. Then, two detection results are obtained by applying a Kalman filter to detect anomalies in each of these two features. Finally, the two detection results are fused with Dezert-Smarandache theory to obtain the final detection result. The experimental results demonstrate that the proposed method can effectively detect new P2P botnets and that it considerably outperforms other methods with lower false negative and false positive rates; the false negative rate and the false positive rate can reach 0.09 and 0.12, respectively.
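The abstract describes a three-stage pipeline: describe per-window traffic by information entropy, run a Kalman filter over each feature series and treat large prediction residuals as anomalies, then fuse the two detector outputs. The following is an added, self-contained illustration of that pipeline written for this page; it is not the paper's code or data. Everything in it is an assumption: the flow windows are constructed (TEST-NET addresses), the two features are destination-address entropy and destination-port entropy (standing in for the paper's local-singularity feature, whose computation the abstract does not give), the Kalman model is a scalar random walk, only upward jumps in entropy count as bot evidence, and the fusion step uses Dempster's rule of combination on the frame {normal, bot} as a simplified stand-in for Dezert-Smarandache theory.

```python
"""Entropy features + scalar Kalman-filter residual detection + evidence fusion.
Added example with constructed data; not the paper's code or dataset."""
from collections import Counter
import math


def shannon_entropy(items):
    """Information entropy (bits) of the empirical distribution of items."""
    counts = Counter(items)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class ScalarKalman:
    """Random-walk Kalman filter for one feature series (assumed model):
    x_t = x_{t-1} + w (process variance q), z_t = x_t + v (measurement variance r)."""

    def __init__(self, x0, p0=1.0, q=0.01, r=0.1):
        self.x, self.p, self.q, self.r = x0, p0, q, r

    def step(self, z):
        p_pred = self.p + self.q            # predicted state variance
        innovation = z - self.x             # residual between observation and prediction
        s = p_pred + self.r                 # innovation variance
        gain = p_pred / s
        self.x += gain * innovation
        self.p = (1.0 - gain) * p_pred
        return innovation / math.sqrt(s)    # normalised innovation, in sigmas


def kalman_scores(series):
    """Normalised innovation for every window; the filter starts at the first value."""
    kf = ScalarKalman(series[0])
    return [kf.step(z) for z in series]


def evidence_mass(nis, threshold=3.0, discount=0.9):
    """Map a detector's normalised innovation to a mass function on {normal, bot}.
    Assumption: only an upward jump (more diverse destinations) is bot evidence;
    'theta' is the mass left on the whole frame (ignorance)."""
    e = min(1.0, max(0.0, nis) / threshold)
    return {"bot": discount * e, "normal": discount * (1.0 - e), "theta": 1.0 - discount}


def dempster_combine(m1, m2):
    """Dempster's rule of combination for two mass functions on {normal, bot}.
    Simplified stand-in for the paper's DSmT fusion (assumption)."""
    conflict = m1["bot"] * m2["normal"] + m1["normal"] * m2["bot"]
    norm = 1.0 - conflict
    bot = (m1["bot"] * m2["bot"] + m1["bot"] * m2["theta"] + m1["theta"] * m2["bot"]) / norm
    normal = (m1["normal"] * m2["normal"] + m1["normal"] * m2["theta"]
              + m1["theta"] * m2["normal"]) / norm
    return {"bot": bot, "normal": normal, "theta": m1["theta"] * m2["theta"] / norm}


def build_windows():
    """Constructed flow windows (dst address, dst port) for one monitored host.
    Windows 0-9 and 11-13: traffic to four servers on 80/443.
    Window 10: a P2P-like burst to 40 distinct peers on 40 distinct ports."""
    windows = []
    for i in range(14):
        if i == 10:
            flows = [(f"198.51.100.{k}", 20000 + k) for k in range(40)]
        else:
            n = 30 + (i % 3) * 5  # slight volume variation between windows
            flows = [(f"203.0.113.{j % 4}", (80, 443)[j % 2]) for j in range(n)]
        windows.append(flows)
    return windows


def detect(windows, threshold=3.0):
    """Per-window fused belief that the host is a P2P bot."""
    dst_entropy = [shannon_entropy(d for d, _ in w) for w in windows]
    port_entropy = [shannon_entropy(p for _, p in w) for w in windows]
    fused = []
    for a, b in zip(kalman_scores(dst_entropy), kalman_scores(port_entropy)):
        m = dempster_combine(evidence_mass(a, threshold), evidence_mass(b, threshold))
        fused.append(m["bot"])
    return fused


if __name__ == "__main__":
    for i, belief in enumerate(detect(build_windows())):
        print(f"window {i:2d}: bot belief {belief:.3f}")
```

Running the block prints a fused bot belief near zero for the normal windows and close to 1 for window 10, where both entropy series jump far outside the filter's predicted variance. After the burst the filter state has moved upward, so the following normal windows produce negative residuals; the upward-only evidence mapping keeps those from being reported, which is the kind of post-anomaly settling a practitioner should check for before trusting a residual-based detector.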


Memo:
Biography: Song Yuanzhang (1986—), male, master, associate research fellow, songyuanzhang@163.com.
Foundation items: The National High Technology Research and Development Program of China (863 Program) (No. 2011AA7031024G), the National Natural Science Foundation of China (No. 61133011, 61373053, 61472161).
Citation: Song Yuanzhang, Chen Yuan, Wang Junjie, et al. Detection of P2P botnet based on network behavior features and Dezert-Smarandache theory [J]. Journal of Southeast University (English Edition), 2018, 34(2): 191-198. DOI: 10.3969/j.issn.1003-7985.2018.02.008.
Last Update: 2018-06-20