Detection method, system and apparatus of zombie network

A botnet detection technology, applied to transmission systems, digital transmission systems and data exchange networks, that addresses the inability of prior approaches to detect botnet communication messages in real time or to quickly and accurately locate a botnet and its operators, improving network communication security and limiting the harm a botnet can do.

Active Publication Date: 2009-02-04
CHENGDU HUAWEI TECH

AI Technical Summary

Problems solved by technology

[0011] After analysing the prior art, the inventor found that honeypot technology cannot detect botnet communication messages in real time, nor can it quic...



Examples


Embodiment 1

[0042] This embodiment of the invention provides a method for detecting a botnet. The method identifies botnet messages by matching each communication message against the rules stored in a rule base, and so detects the botnet.

[0043] Before the botnet detection system performs detection, a rule base has already been built and stored in the database. The rule base is built as follows:

[0044] Step A: the botnet detection system analyses the communication messages exchanged between bot hosts and the controller in a detected or known botnet, extracts the features of the bot messages from those communication messages, and forms a feature library;

[0045] The features extracted from a communication message are, specifically, the name of the bot tool, the protocol type, the botnet type, and the like.

[0046] Step B: converting the feature library i...
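The pipeline of Embodiment 1 (rule match on a captured message, then reading the bot host IP and controller IP off the matching message) combined with the account lookup that the abstract assigns to the authentication server, as an added example. This is not code from the patent or from Huawei; the rule base, the IRC-style command syntax, the tool name `examplebot`, the `ACCOUNT_DB` stand-in for the authentication server and all sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed rule base. The patent says each rule carries the bot tool name,
# the protocol type and the botnet type; the byte patterns, the tool name and
# the IRC-style command syntax below are assumptions made for this example.
@dataclass(frozen=True)
class Rule:
    bot_tool: str
    protocol: str
    botnet_type: str
    pattern: re.Pattern
    controller_side: str  # "dst": controller receives the message; "src": controller sends it

RULE_BASE = [
    # a bot registering with its controller on connect
    Rule("examplebot", "irc", "centralized",
         re.compile(rb"^NICK \[[A-Z]{2}\|\d+\]"), "dst"),
    # a command pushed by the controller into the channel its bots sit in
    Rule("examplebot", "irc", "centralized",
         re.compile(rb"PRIVMSG #\S+ :\.(scan|download|update) "), "src"),
]

@dataclass(frozen=True)
class Message:
    src_ip: str
    dst_ip: str
    payload: bytes

@dataclass(frozen=True)
class Detection:
    bot_ip: str
    controller_ip: str
    bot_tool: str
    protocol: str
    botnet_type: str

def match_rules(msg: Message, rules=RULE_BASE) -> Optional[Detection]:
    """Match one communication message against the rule base and, on a hit,
    read the bot host IP and the controller IP off the message."""
    for rule in rules:
        if rule.pattern.search(msg.payload):
            if rule.controller_side == "dst":
                bot_ip, controller_ip = msg.src_ip, msg.dst_ip
            else:
                bot_ip, controller_ip = msg.dst_ip, msg.src_ip
            return Detection(bot_ip, controller_ip, rule.bot_tool,
                             rule.protocol, rule.botnet_type)
    return None

# Constructed stand-in for the authentication server: maps an IP assigned to a
# subscriber to the account holding it. External hosts are unknown and map to None.
ACCOUNT_DB = {"10.0.0.12": "acct-1021", "10.0.0.57": "acct-1077"}

def lookup_accounts(d: Detection, account_db=ACCOUNT_DB) -> dict:
    return {"bot_account": account_db.get(d.bot_ip),
            "controller_account": account_db.get(d.controller_ip)}

def detect(messages, rules=RULE_BASE, account_db=ACCOUNT_DB):
    """Full pipeline: rule match -> IP extraction -> account lookup."""
    hits = []
    for msg in messages:
        d = match_rules(msg, rules)
        if d is not None:
            hits.append((d, lookup_accounts(d, account_db)))
    return hits

# Constructed sample traffic: one bot check-in, one ordinary HTTP request,
# one command sent by the controller to a second bot.
SAMPLE_MESSAGES = [
    Message("10.0.0.12", "203.0.113.5", b"NICK [US|8841]\r\nUSER x 0 0 :x\r\n"),
    Message("10.0.0.12", "198.51.100.20", b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    Message("203.0.113.5", "10.0.0.57", b":c2!c2@c2.invalid PRIVMSG #ch :.scan 192.0.2.0/24 445\r\n"),
]

if __name__ == "__main__":
    for d, accounts in detect(SAMPLE_MESSAGES):
        print(f"bot={d.bot_ip} ({accounts['bot_account']}) "
              f"controller={d.controller_ip} ({accounts['controller_account']}) "
              f"tool={d.bot_tool} proto={d.protocol}")
```

The direction flag on each rule is what turns a pattern hit into the bot/controller pair the abstract asks for: a check-in is sent by the bot, a command is sent by the controller, so the same two endpoints are assigned the opposite roles depending on which rule fired. An external controller has no subscriber account, which is why the lookup returns None for it.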

Embodiment 2

[0089] If the botnet's communication messages have no distinguishing features, if the features disappear after encryption, or if a new bot tool is involved, this embodiment of the invention provides a botnet detection method for that situation. The method identifies bot hosts and the controller from the difference between the network behaviour of a bot host talking to its controller and the network behaviour of normal users, and saves the botnet communication messages exchanged between them so that message features can be extracted manually to improve the message feature library of Embodiment 1. See Figure 6; the specific steps are as follows:

[0090] Step 201: the monitoring and analysis centre of the botnet detection system receives the list of IP addresses to be checked and sends that list to the network probe;

[0091] The above list of IP addresses to be checked is, specifically, a list of IP addresses that launch attacks or are suspected to be detected...
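Embodiment 2 says only that bots are separated from normal users by their network behaviour and that the traffic between a suspected bot and controller is kept for manual feature extraction. The example below, which is added here and is not the patent's own method, fills in two behavioural tests that a practitioner would reach for when the payload carries no usable signature: a host that reconnects to the same endpoint at near-constant intervals (low jitter in the inter-connection gaps), and an endpoint that receives such periodic connections from several hosts at once. The flow records, thresholds and the `find_suspects` / `save_for_analysis` names are assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

def beacon_score(timestamps):
    """Return (mean_gap, coefficient_of_variation) for the gaps between
    connections, or None if there are too few connections to judge."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m

def find_suspects(flows, min_conns=4, max_cv=0.15, min_fan_in=2):
    """flows: iterable of (timestamp, src_ip, dst_ip, dst_port).

    Returns (controllers, periodic): controllers maps (dst_ip, dst_port) to the
    set of source IPs that beacon to it; periodic maps each beaconing
    (src, dst, port) triple to its (mean_gap, cv). Thresholds are assumptions."""
    by_pair = defaultdict(list)
    for t, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(t)

    # test 1: regularity of reconnections from one host to one endpoint
    periodic = {}
    for key, ts in by_pair.items():
        if len(ts) < min_conns:
            continue
        score = beacon_score(ts)
        if score is not None and score[1] <= max_cv:
            periodic[key] = score

    # test 2: fan-in, i.e. several periodic sources share the same endpoint
    by_endpoint = defaultdict(set)
    for src, dst, dport in periodic:
        by_endpoint[(dst, dport)].add(src)
    controllers = {ep: srcs for ep, srcs in by_endpoint.items() if len(srcs) >= min_fan_in}
    return controllers, periodic

def save_for_analysis(flows, controllers):
    """Keep only the suspected bot<->controller records so an analyst can
    extract message features from them later (the patent's manual step)."""
    return [f for f in flows
            if (f[2], f[3]) in controllers and f[1] in controllers[(f[2], f[3])]]

# Constructed sample: two hosts check in with 203.0.113.5:6667 roughly every
# 60 s (one with +/-1 s jitter), while a normal user browses 198.51.100.20:443
# at irregular moments.
SAMPLE_FLOWS = []
for i in range(6):
    SAMPLE_FLOWS.append((1000 + 60 * i + (i % 2), "10.0.0.12", "203.0.113.5", 6667))
    SAMPLE_FLOWS.append((1003 + 60 * i, "10.0.0.57", "203.0.113.5", 6667))
for t in (1005, 1011, 1090, 1260, 1261, 1400):
    SAMPLE_FLOWS.append((t, "10.0.0.99", "198.51.100.20", 443))

if __name__ == "__main__":
    ctls, per = find_suspects(SAMPLE_FLOWS)
    for (dst, port), srcs in ctls.items():
        print(f"suspected controller {dst}:{port} <- bots {sorted(srcs)}")
    print(f"{len(save_for_analysis(SAMPLE_FLOWS, ctls))} records kept for feature extraction")
```

Either test alone produces false positives (NTP clients and monitoring agents beacon regularly; popular web servers have fan-in), which is why the two are combined and why the patent still routes the kept traffic to an analyst rather than raising a final verdict automatically.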

Embodiment 3

[0104] To obtain better information about the botnet, this embodiment of the invention also provides two auxiliary means, active detection and remote packet capture, which are used to confirm information about the botnet. The specific steps for detecting botnets with these two means are described in detail below.

[0105] (1) See Figure 7; the specific steps of active detection are as follows:

[0106] Step 301: the botnet detection system simulates a bot host and sends a botnet communication message to the IP address suspected of being the controller;

[0107] The botnet communication message supplied by the botnet detection system is a detection message whose detection-option content is masked; in some cases the user is allowed to construct the detection message himself, which gives the user greater freedom;

[0108] The specific behavioural features of a suspected controller are: regular communi...
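The active-detection step above (Step 301: impersonate a bot, send it a check-in, and judge from the answer whether the suspected IP behaves like a controller) as an added example; it is not the patent's code. The patent does not specify the detection message, so the IRC-style registration line used as the probe, the `" 001 "` welcome check, and the in-process `fake_controller` / `fake_web_server` responders are assumptions made for this example; the responders exist only so the exchange runs offline over a socketpair, while `probe_host` is the live variant. Sending probes to a real host is traffic that host will see, so use `probe_host` only against systems you are authorised to test.

```python
import socket
import threading

# Constructed probe: the registration an IRC-style bot would send on connect.
# The patent's actual detection message is not given, so this is an assumption.
PROBE = b"NICK [US|00000]\r\nUSER probe 0 0 :probe\r\n"

def looks_like_controller(reply: bytes) -> bool:
    """An IRC-style server acknowledges registration with numeric 001;
    an unrelated service answers something else or nothing at all."""
    return b" 001 " in reply

def active_probe(sock, probe=PROBE, timeout=2.0):
    """Send the probe over an already connected socket and return (reply, verdict)."""
    sock.settimeout(timeout)
    sock.sendall(probe)
    try:
        reply = sock.recv(4096)
    except socket.timeout:
        reply = b""
    return reply, looks_like_controller(reply)

def probe_host(ip, port, probe=PROBE, timeout=2.0):
    """Live variant: connect to the suspected controller and probe it."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        return active_probe(s, probe, timeout)

# --- constructed responders standing in for the remote host -----------------

def fake_controller(request: bytes) -> bytes:
    """Behaves like a C2 server: welcomes anything that registers as a bot."""
    if request.startswith(b"NICK "):
        return b":c2.invalid 001 [US|00000] :Welcome to the network\r\n"
    return b"ERROR :Closing Link\r\n"

def fake_web_server(request: bytes) -> bytes:
    """Behaves like an ordinary HTTP server that got garbage."""
    return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

def run_against(responder, probe=PROBE):
    """Drive active_probe() against an in-process responder over a socketpair,
    so the full send/receive exchange happens without touching the network."""
    prober_end, target_end = socket.socketpair()

    def serve():
        request = target_end.recv(4096)
        target_end.sendall(responder(request))
        target_end.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        return active_probe(prober_end, probe)
    finally:
        prober_end.close()
        t.join()

if __name__ == "__main__":
    for name, responder in (("suspected controller", fake_controller),
                            ("web server", fake_web_server)):
        reply, verdict = run_against(responder)
        print(f"{name}: reply={reply!r} controller-like={verdict}")
```

`active_probe` takes a connected socket rather than an address so the same judgement code runs against the offline responders and against a live target. The weak point of the technique is visible in `looks_like_controller`: the verdict is only as good as the expected-reply rule, so a controller that checks the bot's nick format or a challenge value before answering will not be confirmed by a canned probe, which is the case the patent addresses by letting the operator construct the probe message.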


Abstract

Embodiments of the invention disclose a method, a system and a device for detecting a botnet, belonging to the field of network communication security. The method comprises: receiving a communication message from the network under test; extracting a botnet information message from the communication message; extracting the bot host IP and the controller IP from the botnet information message; and querying the account numbers corresponding to the extracted bot host IP and controller IP. The system comprises a network probe, a monitoring and analysis centre and an authentication server. The device comprises a monitoring and analysis centre. The botnet detection method can detect a botnet in real time and respond to it in real time, solving the problem that the prior art, which relies on after-the-fact analysis, cannot detect and respond to a botnet in real time, thereby limiting the harm botnets do and making network communication more secure.

Description

Technical field

[0001] The invention relates to the field of network communication security, in particular to a botnet detection method, system and device.

Background

[0002] A botnet uses one or more propagation methods to infect a large number of hosts with bot programs (bot tools), forming a one-to-many controllable network between the controller and the infected hosts (the bot hosts). Figure 1 shows the basic network structure of a botnet: the attacker controls the bot hosts through the controller.

[0003] Current botnets mainly have two network topologies:

[0004] See Figure 2, a tree-like botnet topology with multi-level control, composed of victims, bots, controllers and attackers. The workflow is: the controller opens a port; the bot host actively initiates a connection to the controller's monitoring window and announces itself to the controller; the controller actively connects to the monitoring win...


Application Information

Patent Timeline
IPC (8): H04L12/26, H04L12/56, H04L29/06
CPC: H04L63/1416
Inventor 李安坤
Owner CHENGDU HUAWEI TECH