Botnet Detecting Method Based on Clustering Flow Attributes of Command and Control Communication Channel
Su Xin① Zhang Da-fang① Luo Zhang-qi① Zeng Bin② Li Wen-wei①
①(Information Science and Engineering College, Hunan University, Changsha 410082, China)
②(China Mobile Group Hunan Company Limited, Changsha 410015, China)
Abstract A botnet is a novel attack strategy that evolved from traditional forms of malware. It provides attackers with a stealthy, flexible and efficient one-to-many Command and Control (C&C) mechanism, which can be used to order an army of zombies to achieve goals including information theft, launching Distributed Denial of Service (DDoS) attacks, and sending spam. This paper proposes a botnet detection method that is independent of the botnet's C&C protocol and structure and does not analyse packet payloads. First, the method uses pre-filter rules to filter out flows that are irrelevant to botnets; second, the flow attributes are analysed; third, a two-step clustering algorithm based on X-means clustering is used to analyse and cluster the flow attributes of the C&C channel, and botnet detection is implemented on that basis. Experiments show that this method can differentiate botnet traffic from normal network traffic with high accuracy and a low false positive rate, achieving the goal of detecting botnets in a real network environment.
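The following is an added illustration of the three-step pipeline the abstract describes (pre-filter, per-pair flow attributes, clustering), not code from the paper or its authors. Everything specific in it is an assumption: a NetFlow-style record layout, a pre-filter that keeps only multi-packet flows leaving the internal network, four per-pair attributes (mean bytes per packet and the coefficient of variation of flow size, duration and inter-flow interval), plain k-means with k=2 standing in for X-means, and a final rule that flags the most regular cluster only when several internal hosts in it share one external destination. The flow records are constructed.

```python
"""Illustrative flow-attribute clustering for C&C channel detection.

Hypothetical example; the attribute set, pre-filter rules and the use of
k-means (instead of the paper's X-means) are assumptions, not the paper's method.
"""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

# Constructed sample flows: (start_time_s, src, dst, dport, packets, bytes, duration_s).
SAMPLE_FLOWS = (
    # three internal hosts contacting the same server at a steady 60 s interval
    # with near-constant flow sizes and durations
    [(t, "10.0.0.11", "203.0.113.5", 6667, 4, 310 + (i % 3) * 5, 0.5 + (i % 2) * 0.05)
     for i, t in enumerate(range(0, 600, 60))]
    + [(t + 7, "10.0.0.12", "203.0.113.5", 6667, 4, 305 + (i % 2) * 10, 0.5)
       for i, t in enumerate(range(0, 600, 60))]
    + [(t + 13, "10.0.0.13", "203.0.113.5", 6667, 4, 300 + (i % 4) * 5, 0.55)
       for i, t in enumerate(range(0, 600, 60))]
    # ordinary browsing: irregular timing, widely varying sizes and durations
    + [(3, "10.0.0.21", "198.51.100.10", 443, 40, 52000, 4.0),
       (18, "10.0.0.21", "198.51.100.10", 443, 9, 3100, 0.8),
       (95, "10.0.0.21", "198.51.100.10", 443, 120, 410000, 12.0),
       (100, "10.0.0.21", "198.51.100.10", 443, 6, 900, 0.3),
       (410, "10.0.0.21", "198.51.100.10", 443, 70, 98000, 6.5),
       (30, "10.0.0.22", "198.51.100.20", 80, 15, 9800, 1.5),
       (33, "10.0.0.22", "198.51.100.20", 80, 200, 1200000, 30.0),
       (300, "10.0.0.22", "198.51.100.20", 80, 8, 2500, 0.6),
       (580, "10.0.0.22", "198.51.100.20", 80, 55, 70000, 5.0)]
    # internal DNS lookup and a single-packet flow: both removed by the pre-filter
    + [(5, "10.0.0.21", "10.0.0.1", 53, 2, 180, 0.01),
       (44, "10.0.0.23", "198.51.100.30", 22, 1, 60, 0.0)]
)

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range


def prefilter(flows):
    """Step 1 (assumed rules): keep only flows that leave the internal network and
    carry at least two packets, since a C&C exchange is two-way and external."""
    return [f for f in flows
            if ipaddress.ip_address(f[2]) not in INTERNAL and f[4] >= 2]


def _cv(values):
    """Coefficient of variation; 0 for constant, empty or single-element series."""
    m = mean(values) if values else 0.0
    return pstdev(values) / m if len(values) > 1 and m > 0 else 0.0


def flow_attributes(flows):
    """Step 2: aggregate flows per (src, dst) pair into an attribute vector
    [mean bytes/packet, CV of bytes per flow, CV of duration, CV of inter-flow gap]."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f[1], f[2])].append(f)
    attrs = {}
    for pair, fs in groups.items():
        fs.sort(key=lambda f: f[0])
        starts = [f[0] for f in fs]
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        attrs[pair] = [mean(f[5] / f[4] for f in fs),
                       _cv([f[5] for f in fs]),
                       _cv([f[6] for f in fs]),
                       _cv(gaps) if gaps else 1.0]  # one flow: treat timing as irregular
    return attrs


def _normalize(vectors):
    """Min-max scale each attribute to [0, 1] so byte counts do not dominate distances."""
    dims = len(vectors[0])
    lo = [min(v[d] for v in vectors) for d in range(dims)]
    hi = [max(v[d] for v in vectors) for d in range(dims)]
    return [[(v[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
             for d in range(dims)] for v in vectors]


def kmeans(points, k=2, iters=50):
    """Plain Lloyd k-means with deterministic farthest-point seeding; stands in for
    X-means, which would also choose k. Returns (labels, centroids)."""
    dist = lambda a, b: sum((x - y) ** 2 for x, y in zip(a, b))
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(dist(p, c) for c in centers)))
    labels = None
    for _ in range(iters):
        new_labels = [min(range(k), key=lambda j: dist(p, centers[j])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            if members:
                centers[j] = [mean(col) for col in zip(*members)]
    return labels, centers


def detect_cc_pairs(flows, k=2):
    """Step 3: cluster the attribute vectors, take the cluster whose centroid shows the
    most regular sizes and timing, and report its pairs only where at least two
    internal hosts share the same external destination (assumed group-behaviour rule)."""
    attrs = flow_attributes(prefilter(flows))
    pairs = list(attrs)
    labels, centers = kmeans(_normalize([attrs[p] for p in pairs]), k)
    regular = min(range(k), key=lambda j: sum(centers[j][1:]))  # lowest summed CVs
    members = [p for p, l in zip(pairs, labels) if l == regular]
    hosts_by_dst = defaultdict(set)
    for src, dst in members:
        hosts_by_dst[dst].add(src)
    return {(src, dst) for src, dst in members if len(hosts_by_dst[dst]) >= 2}


if __name__ == "__main__":
    for src, dst in sorted(detect_cc_pairs(SAMPLE_FLOWS)):
        print(f"suspected C&C channel: {src} -> {dst}")
```

On the constructed data the three beaconing hosts form a tight cluster with near-zero variation in size, duration and inter-flow gap, while the two browsing hosts land in the other cluster; no payload is inspected and nothing depends on the port or protocol in use, which is the property the abstract claims. Single-flow pairs are deliberately treated as irregular, since regularity cannot be judged from one observation.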
Received: 24 October 2011
Corresponding Authors:
Zhang Da-fang
E-mail: dfzhang@hnu.edu.cn