[1] Song Yuanzhang, Chen Yuan, Wang Junjie, Wang Anbang, et al. Detection of P2P botnet based on network behavior featuresand Dezert-Smarandache theory [J]. Journal of Southeast University (English Edition), 2018, 34 (2): 191-198. [doi:10.3969/j.issn.1003-7985.2018.02.008]

Copy

Detection of P2P botnet based on network behavior featuresand Dezert-Smarandache theory()

Share：

Journal of Southeast University (English Edition)[ISSN:1003-7985/CN:32-1325/N]

Volumn:

34

Issue:

2018 2

Page:

191-198

Research Field:

Computer Science and Engineering

Publishing date:

2018-06-20

Info

Title:

Detection of P2P botnet based on network behavior featuresand Dezert-Smarandache theory

Author(s):

Song Yuanzhang;  Chen Yuan;  Wang Junjie;  Wang Anbang;  Li Hongyu

Changchun Institute of Optics, Fine Mechanics and Physics, Chinese Academy of Sciences, Changchun 130033, China

Keywords:

P2P(peer-to-peer)botnet;  local singularity;  entropy;  Kalman filter;  Dezert-Smarandache theory

PACS:

TP393

DOI:

10.3969/j.issn.1003-7985.2018.02.008

Abstract:

In order to improve the accuracy of detecting the new P2P(peer-to-peer)botnet, a novel P2P botnet detection method based on the network behavior features and Dezert-Smarandache theory is proposed. It focuses on the network behavior features, which are the essential abnormal features of the P2P botnet and do not change with the network topology, the network protocol or the network attack type launched by the P2P botnet. First, the network behavior features are accurately described by the local singularity and the information entropy theory. Then, two detection results are acquired by using the Kalman filter to detect the anomalies of the above two features. Finally, the above two detection results are fused with the Dezert-Smarandache theory to obtain the final detection results. The experimental results demonstrate that the proposed method can effectively detect the new P2P botnet and that it considerably outperforms other methods at a lower degree of false negative rate and false positive rate, and the false negative rate and the false positive rate can reach 0.09 and 0.12, respectively.

References:

[1] Stewart J. Storm worm DDOS attack[R]. Atlanta, GA, USA:SecureWorks, Inc, 2007.
[2] Sarat S, Terzis A. HiNRG Technical Report:01-10-2007 Measuring the storm worm network[R]. Baltimore, ML, USA:Johns Hopkins University, 2007.
[3] Steggink M, Idziejczak I. Detection of peer-to-peer botnets[D]. Amsterdam, the Netherlands: System and Network Engineering, University of Amsterdam, 2007.
[4] Porras P, Saidi H, Yegneswaran V. A multi-perspective analysis of the storm(Peacomm)worm[R]. Menlo Park, CA, USA: SRI International Computer Science Laboratory, 2007.
[5] Holz T, Steiner M, Dahl F. Measurements and mitigation of peer-to-peer-based botnets: A case study on storm worm[C]//1st USENIX Workshop on Large-Scale Exploits and Emergent Threats. San Francisco, USA, 2008.
[6] Wang Z, Cai YY, Liu L, et al. Using coverage analysis to extract botnet command-and-control protocol[J]. Journal on Communications, 2014, 35(1): 156-166. DOI:10.3969/j.issn.1000-436x.2014.01.018. (in Chinese)
[7] Wang H L, Hu N, Gong Z H. Bot_CODA: Botnet collaborative detection architecture[J]. Journal on Communications, 2009, 30(S1):15-22.(in Chinese)
[8] Zang T N, Yun X C, Zhang Y Z, et al. A model of network device coordinative run[J]. Journal of Computers, 2011, 34: 216-228.(in Chinese)
[9] Fang B X, Cui X, Wang W. Survey of botnets[J]. Journal of Computer Research and Development, 2011, 48(8): 1315-1331.(in Chinese)
[10] Jiang J, Zhuge J W, Duan H X, et al. Research on botnet mechanisms and defenses[J]. Journal of Software, 2012, 23(1): 82-96.DOI:10.3724/SP.J.1001.2012.04101. (in Chinese)
[11] Karim A, Salleh R B, Shiraz M, et al. Botnet detection techniques: Review, future trends, and issues[J]. Journal of Zhejiang University—Science C(Computers & Electronics), 2014, 15(11): 943-983.
[12] Yahyazadeh M, Abadi M. BotGrab: A negative reputation system for botnet detection[J]. Computers and Electrical Engineering, 2015, 41:68-85. DOI:10.1016/j.compeleceng.2014.10.010.
[13] Li K, Fang B X, Cui X, et al. Study of botnets trends[J]. Journal of Computer Research and Development, 2016, 53(10): 2189-2206.(in Chinese)
[14] Maulik K, Resnick S. The self-similar and multifractal nature of a network traffic model[J]. Stochastic Models, 2003, 19(4):549-577. DOI:10.1081/stm-120025404.
[15] Masugi M. Multi-fractal analysis of IP-network traffic based on a hierarchical clustering approach[J]. Communications in Nonlinear Science and Numerical Simulation, 2007, 12(7): 1316-1325. DOI:10.1016/j.cnsns.2005.12.004.
[16] Gu L, Yang P, Dong Y Q. A novel similarity measurement approach considering intrinsic user groups in collaborative filtering[J]. Journal of Southeast University(English Edition), 2015, 31(4): 462-468.
[17] Liu Z M, Cao S Q, Zhang Y, et al. Inverse depth parameterized attitude estimation for non-cooperative spacecraft[J]. Optics and Precision Engineering, 2017, 25(2): 451-460.(in Chinese)
[18] Liu Z M, Zhang Y, Lu S, et al. Closed-loop detection and pose optimization of non-cooperation rotating target[J]. Guangxue Jingmi Gongcheng/Optics and Precision Engineering, 2017, 25(4): 1036-1043.(in Chinese)
[19] Cheng L, Chen J, Chen M S, et al.Fast acquisition of time optimal sliding model control technology for photoelectric tracking system[J].Optics and Precision Engineering, 2017, 25(1):148-154. DOI:10.3788/OPE.20172501.0148. (in Chinese)
[20] Li Z Y, Li X M, Liu Q S, et al. Adaptive fast initial attitude estimation for inflight loitering munition[J]. Guangxue Jingmi Gongcheng/Optics and Precision Engineering, 2017, 25(2): 493-501.(in Chinese)
[21] Min W D, Shi J, Han Q, et al. A distributed face recognition approach and performance optimization[J]. Guangxue Jingmi Gongcheng/Optics and Precision Engineering, 2017, 25(3): 780-785.(in Chinese)
[22] Zhou J P, Chen J, Li Y, et al. Research on target prediction algorithm of shipboard photoelectric tracking equipment[J]. Optics and Precision Engineering, 2017, 25(2): 519-528.(in Chinese)
[23] Mruphy C K. Combing belief function when evidence conflicts[J]. Decision Support System, 2000, 29(1):1-9. DOI:10.1016/s0167-9236(99)00084-6.
[24] Mathon B R, Ozbek M M, Pinder G F.Dempster-Shafer theory applied to uncertainty surrounding permeability[J]. Mathematical Geosciences, 2009, 42(3):293-307. DOI:10.1007/s11004-009-9246-0.
[25] Smarandache F, Dezert J. Advances and applications of DSmT for information fusion[M]. Rehoboth, USA:American Research Press, 2006.
[26] Kasera S, Pinheiro J, Loader C. Fast and robust signaling overload control[C] //Proceedings of Ninth International Conference on Network Protocols. Riverside, USA, 2001: 323-331.
[27] Zhao D, Traore I, Sayed B, et al. Botnet detection based on traffic behavior analysis and flow intervals[J]. Computers & Security, 2013, 39:2-16. DOI:10.1016/j.cose.2013.04.007.
[28] Kang J, Zhang J Y, Li Q, et al. Detecting new P2P botnet with multi-chart CUSUM[C]//International Conference on Networks Security, Wireless Communications and Trusted Computing. Wuhan, China, 2009: 688-691.

Memo

Memo:

Biography: Song Yuanzhang(1986—), male, master, associate research fellow, songyuanzhang@163.com.
Foundation items: The National High Technology Research and Development Program of China(863 Program)(No.2011AA7031024G), the National Natural Science Foundation of China(No.61133011, 61373053, 61472161).
Citation: Song Yuanzhang, Chen Yuan, Wang Junjie, et al.Detection of P2P botnet based on network behavior features and Dezert-Smarandache theory[J].Journal of Southeast University(English Edition), 2018, 34(2):191-198.DOI:10.3969/j.issn.1003-7985.2018.02.008.

Common functions