DocumentCode
2603438
Title
Detecting New Decentralized Botnet Based on Kalman Filter and Multi-chart CUSUM Amplification
Author
Kang, Jian ; Song, Yuan-Zhang
Author_Institution
Dept. of Comput. Sci. & Technol., Jilin Univ., Changchun, China
Volume
1
fYear
2010
fDate
24-25 April 2010
Firstpage
7
Lastpage
10
Abstract
Nowadays, new decentralized botnets pose a great threat to the Internet. They have evolved new features, such as a decentralized architecture, the use of P2P networks, etc., which make traditional detection methods no longer effective or accurate enough to indicate the existence of the bots. Thus, in this paper, based on several characteristic properties of the new P2P botnets, we propose a novel real-time detecting model - KCFM (Kalman filter and Multi-chart CUSUM Fused Model), which uses the discrete Kalman filter to find traffic anomalies, while Multi-chart CUSUM acts as the amplifier to make the abnormality clearer. The experiments show that our approach can successfully detect new decentralized botnets with relatively high precision.
Keywords
Kalman filters; amplification; control charts; peer-to-peer computing; real-time systems; security of data; software agents; Internet; P2P botnet characteristic; decentralized architecture; decentralized botnet; discrete Kalman filter; multichart CUSUM fused amplification; real-time detecting model; Computer networks; Computer science; Computer security; IP networks; Internet; Monitoring; Network servers; Storms; Web server; Wireless communication; Multi-chart CUSUM; decentralized botnet; discrete Kalman filter; peer to peer;
fLanguage
English
Publisher
ieee
Conference_Titel
Networks Security Wireless Communications and Trusted Computing (NSWCTC), 2010 Second International Conference on
Conference_Location
Wuhan, Hubei
Print_ISBN
978-0-7695-4011-5
Electronic_ISBN
978-1-4244-6598-9
Type
conf
DOI
10.1109/NSWCTC.2010.10
Filename
5481086