RESEARCH OF BOTNET ANOMALY DETECTION ALGORITHM BASED ON PRIVATE PROTOCOL
Because most of the botnets popular domestically that are based on private protocols use encrypted communication, traditional botnet anomaly detection methods based on DPI technology do not perform well. Exploiting the periodic communication behavior of botnets, this paper treats the source IP, destination IP and destination port as a unique identifier, extracts the corresponding time sequence, and analyzes it in the frequency domain. Because abnormal data has obvious periodicity, its frequency distribution is relatively concentrated, while that of normal data is dispersed. Based on these spectral characteristics, this paper uses the coefficient of variation of the spectrum and the spectral entropy to detect botnet anomalies. Experimental results show that the detection algorithm based on the coefficient of variation of the spectrum achieves better results.
botnet; periodic communication; variation coefficient
Luying Chen, Xinliang Wang, Xin Zhao, Weimin Li
School of Information and Communication Engineering, Beijing University of Posts and Telecommunications
International conference
Beijing
English
55-59
2010-10-26 (date first posted online on the Wanfang platform; not the paper's publication date)
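
The detection idea in the abstract, as an added sketch that is not the paper's own code: packets are grouped by (source IP, destination IP, destination port), each flow's packets-per-bin series is moved to the frequency domain, and the coefficient of variation and normalized entropy of the power spectrum are computed. The bin width, window length, threshold, addresses and sample timestamps are assumptions made for illustration.

```python
import cmath, math, statistics
from collections import defaultdict

BIN_SECONDS = 10    # assumed bin width
WINDOW_BINS = 60    # assumed window: 60 bins = 10 minutes
CV_THRESHOLD = 2.5  # assumed cut-off; would be tuned on real traffic

def flow_series(records):
    """Packets-per-bin series keyed by (src IP, dst IP, dst port)."""
    series = defaultdict(lambda: [0] * WINDOW_BINS)
    for ts, src, dst, port in records:
        idx = int(ts // BIN_SECONDS)
        if 0 <= idx < WINDOW_BINS:
            series[(src, dst, port)][idx] += 1
    return series

def power_spectrum(x):
    """DFT power for k = 1..N/2 of the mean-removed series (DC dropped)."""
    n, mean = len(x), sum(x) / len(x)
    return [abs(sum((v - mean) * cmath.exp(-2j * math.pi * k * t / n)
                    for t, v in enumerate(x))) ** 2
            for k in range(1, n // 2 + 1)]

def spectral_cv(power):
    """Std/mean of the spectrum: high when energy sits in a few bins."""
    mean = statistics.fmean(power)
    return statistics.pstdev(power) / mean if mean > 0 else 0.0

def spectral_entropy(power):
    """Shannon entropy of the normalized spectrum, scaled to [0, 1]."""
    total = sum(power)
    if total == 0:
        return 1.0  # constant series: nothing periodic to concentrate
    return -sum(p / total * math.log(p / total)
                for p in power if p > 0) / math.log(len(power))

def detect(records):
    out = {}
    for key, x in flow_series(records).items():
        p = power_spectrum(x)
        cv = spectral_cv(p)
        out[key] = {"cv": cv, "entropy": spectral_entropy(p),
                    "periodic": cv > CV_THRESHOLD}
    return out

# Constructed sample: one flow every 60 s, one flow at irregular times.
BEACON = ("10.0.0.5", "203.0.113.9", 8443)
NORMAL = ("10.0.0.7", "198.51.100.20", 443)
SAMPLE = ([(t, *BEACON) for t in range(0, 600, 60)] +
          [(t, *NORMAL) for t in (25, 93, 231, 318, 442, 587)])
```

Only packet timestamps and the flow key are used, so the check does not depend on payload contents and still applies when the traffic is encrypted.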