Research of botnet anomaly detection alogrithm based on private protocol

Author

Chen, Luying ; Wang, Xinliang ; Zhao, Xin ; Li, Weimin

Author_Institution

Sch. of Inf. & Commun. Eng., Beijing Univ. of Posts & Telecommun., Beijing, China

fYear

2010

fDate

26-28 Oct. 2010

Firstpage

55

Lastpage

59

Abstract

Since the most domestic popular botnets based on private protocols use encrypted communication, the performance of traditional anomaly detection methods based on DPI technology for botnet is not ideal. This paper, with utilization of the feature that there exists periodic communication behavior in botnet, regards source IP, destination IP and destination port as the unique identifier to extract the time sequence which is analyzed in frequency domain. Because abnormal data has obvious periodicity, the corresponding distribution of frequency is relatively more centralized while normal data decentralized. Based on the spectral characteristics, this paper uses coefficient of variation of spectrum and spectral entropy to realize anomaly detection of botnet. Experimental results show that the detection algorithm based on coefficient of variation of spectrum achieves better results.

Keywords

IP networks; computer network security; cryptographic protocols; entropy; frequency allocation; frequency-domain analysis; spectral analysis; IP; botnet anomaly detection; encrypted communication; frequency-domain; periodic communication; private protocol; spectral entropy; spectrum entropy; Conferences; Educational institutions; Internet; Protocols; Security; botnet; periodic communication; variation coefficient;

fLanguage

English

Publisher

ieee

Conference_Titel

Broadband Network and Multimedia Technology (IC-BNMT), 2010 3rd IEEE International Conference on

Conference_Location

Beijing

Print_ISBN

978-1-4244-6769-3

Type

conf

DOI

10.1109/ICBNMT.2010.5704868

Filename

5704868