An analysis model of botnet tracking based on ant colony optimization algorithm

Available botnet detection schemes all supposed that ISPs would be cooperative to record or generate the necessary routing information for path reconstruction. In practice, ISP´s service constantly is a mutual benefit for intelligence exchange. Therefore the constraint, require cooperation between ISPs, ought to be relaxed. A new IP traceback scheme based on ant colony optimization (ACO) algorithm is proposed for incomplete routing logs are provided. The aim of our work is to develop an analysis model for reconstruction of attack paths to traceback the botnet C&C via ant-inspired collective intelligence by calculating the pheromone to find possible routes with support and confidence degree. The validation of model uses NS2 (Network Simulator, version2) complied by dark IP map, to simulate the scenario of fake IP attack, to test the effectiveness of model. Furthermore, sensitivity analysis is conducted to investigate significant parameters´ effect on the output of attack paths. Experimental results show that the proposed approach effectively suggests the best attack path of botnet in a dynamic network environment.