System and method for detecting IRC bot network based on data packet sequence characteristics

Abstract

The invention discloses a method for detecting an IRC bot network based on data packet sequence characteristics. The method finishes the detection of the IRC bot network through the cooperative work of an off-line basic data acquisition module, an on-line data real-time analysis module, a data center and a detection strategy control module. The thought of the method comprises that the method uses the periodicity and size characteristic of data packet size sequences during communicating between an IRC botmaster and a C and C (Command and Control) control server, identifies and acquires the IRCflow at the network outlet, and judges the periodicity of IRC session and the size mean value of a data packet so as to detect the IRC bot network. The method has the main innovation point of distinguishing the RC chat application and the IRC bot network by measuring the periodicity and the mean value of the data packet sequences in the communication process between the IRC botmaster and the C and C server so as to fulfill the aim of detecting the IRC bot network.

Description

Technical field: [0001] The invention relates to the field of network communication security, in particular to an IRC botnet detection system and detection method based on data packet sequence characteristics. Background technique: [0002] A botnet is a collection of zombie hosts (zombie) infected by bot programs (bots), which are distributed in various occasions such as homes, enterprises, and government agencies, and receive instructions from zombie controllers (botmaster or botherder) to conduct DDoS, information Stealing, phishing, spam, advertising abuse, illegal voting and other attacks. Due to the rich and diverse attack methods, strong concealment, ability to launch large-scale attacks, and the purpose of economic interests, botnets have become an important link in the hacker industry chain, and have attracted extensive attention from the news media, the security industry, and academic institutions. . [0003] According to the different Command and Control (C&C) s...

AI Technical Summary

Problems solved by technology

[0005] The periodicity of zombie hosts is generally not strictly periodic, the main reasons are: 1) when the zombie controller sends attack commands to the zombie host, it will break the periodic law, but the person who is the zombie controller generally only controls the zombie network. Accounts for a very small part of the botnet life cycle; 2) Uncertain factors such as network delay, data packet disorder, and data packet retransmission will cause periodic small-scale changes

Since many people participate in the same broadcast chat channel in a normal IRC chat application, and the length of speeches made by each person is random, this leads to the periodicity of the normal IRC chat application. The "ACK-PING-PONG" packet size sequence of , will be overwhelmed by a lot of random noise caused by the chat, and its sequence of session content has no periodic characteristics as a whole

Images