Analysis on the time-domain characteristics of botnets control traffic

Authors: LI Wei-min, MIAO Chen, LIU Fang, LEI Zhen-ming

Affiliation: School of Information and Communication Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China

Publication: The Journal of China Universities of Posts and Telecommunications (中国邮电高校学报, English edition)

Year, volume, issue: 2011, Vol. 18, No. 2

Pages: 106-113

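Subject classification: 0810 [Engineering - Information and Communication Engineering]; 1205 [Management - Library, Information and Archives Management]; 080704 [Engineering - Fluid Machinery and Engineering]; 0839 [Engineering - Cyberspace Security]; 08 [Engineering]; 0807 [Engineering - Power Engineering and Engineering Thermophysics]; 0811 [Engineering - Control Science and Engineering]; 0812 [Engineering - Computer Science and Technology (engineering or science degrees may be conferred)]

Funding: supported by the National Science & Technology Pillar Program (2008BAH37B04)

Keywords: botnet detection; netflow record; time domain analysis; deep flow inspection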

Abstract: Botnets are networks composed with malware-infected *** are designed and organized to be controlled by an *** victims are infected through their inappropriate network behaviors in most cases, the Internet protocol (IP) addresses of infected bots are ***, a bot can get an IP address through dynamic host configuration protocol (DHCP), so they need to get in touch with the controller initiatively and they should attempt continuously because a controller can't be always *** whole process is carried out under the command and control (C&C) *** goal is to characterize the network traffic under the C&C channel on the time *** analysis draws upon massive data obtained from honeynet and a large Internet service provider (ISP) *** extract and summarize fingerprints of the bots collected in our ***, with the fingerprints, we use deep packet inspection (DPI) technology to search active bots and controllers in the ***, we gather and analyze flow records reported from network traffic monitoring *** this paper, we propose a flow record interval analysis on the time domain characteristics of botnets control traffic, and we propose the algorithm to identify the communications in the C&C channel based on our *** that, we evaluate our approach with a 3.4 GB flow record trace and the result is *** addition, we believe that our work is also useful information in the design of botnet detection schemes with the deep flow inspection (DFI) technology.
