
Zombie network detection method, device and processor

A botnet and detection method technology, which is applied in the field of botnet detection methods, devices and processors, can solve the problems that detection algorithms cannot perform effective detection, etc., and achieve the effects of reducing workload, reducing data volume, and improving accuracy

Inactive Publication Date: 2014-01-22
STATE GRID CORP OF CHINA +4

AI Technical Summary

Problems solved by technology

[0005] In view of this, the purpose of the present invention is to solve the problem that existing botnet detection algorithms can only detect one botnet, or one kind of botnet, and that when the structure or communication protocol of a botnet changes, the detection algorithm often can no longer detect it effectively. The application therefore discloses a botnet detection method, device and processor; the specific implementation scheme is as follows:



Examples


Embodiment 1

[0051] This application discloses a method for detecting a botnet, so as to realize detection of the botnet. See Figure 1, the schematic diagram of the workflow; the botnet detection method includes:

[0052] Step S11: calculate the communication behavior characteristic values of each data flow in the network, the communication behavior characteristic values including the average number of bytes per packet and the average number of bytes per second.

[0053] The communication of each node is reflected on the network through data flows, and the basic unit of analysis is the data flow. A typical example is TCP-based communication: (1) establish a connection through a three-way handshake; (2) perform data transmission; (3) release the connection through a four-way handshake. Therefore, in order to analyze the similarity between the communication behaviors of the nodes, the present application analyzes each data flow in the network.

[0054] For each data flow, this applicat...

Embodiment 2

[0121] Embodiment 2 of the present application discloses a botnet detection device; see Figure 4, the structural diagram. The botnet detection device includes a feature value calculation module 11, a clustering module 12, a cross-clustering module 13 and a detection module 14, wherein:

[0122] The characteristic value calculation module 11 is used to calculate the communication behavior characteristic value of each data flow in the network; the communication behavior characteristic value includes the average number of bytes per packet and the average number of bytes per second;

[0123] The clustering module 12 is configured to perform clustering according to the communication behavior characteristic values and to divide the nodes corresponding to the respective data flows into a plurality of communication clustering groups, wherein the nodes in each communication clustering group have similar communication behavior, and the number of nodes contained i...



Abstract

The invention discloses a zombie network (botnet) detection method, a device and a processor. The method comprises the following steps: according to the communication behavior characteristic value of each data flow in the observed network, the nodes are divided into a plurality of communication clustering groups, wherein the nodes in each communication clustering group have similar communication behavior; aggressive clustering is performed on the nodes, wherein the aggressive behavior produced by the nodes in each aggressive clustering group is similar; the communication clustering result and the aggressive clustering result are then analyzed together with a cross-clustering algorithm, so that the zombie nodes belonging to the same zombie network are finally obtained from the relation between the two clustering results, and detection of the zombie network is realized. The method is based on a basic characteristic of zombie networks, and this basic characteristic does not change. The method is independent of the category of the zombie network and has high universality, which solves the prior-art problem that only one type or one kind of zombie network can be detected.
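The pipeline in the abstract (per-flow feature values, communication clustering, aggressive clustering, cross-clustering) is compact enough to run end to end on a handful of constructed flow records. The following Python is an added illustration written for this page; it is not the patent's own code, and the flow records, the IDS-style attack events, the greedy relative-distance clustering and the choice to attribute each flow to its source node are all assumptions made here. The example also goes slightly beyond the abstract in showing why the cross-clustering step matters: one node shares the bots' traffic shape but produces no attacks, and another attacks but has a different traffic shape, and neither ends up in the detected group.

```python
from collections import defaultdict
from itertools import combinations

# Constructed flow records (not from the patent): (src, dst, bytes, packets, duration_s)
FLOWS = [
    ("10.0.0.1", "203.0.113.5", 1200, 12, 6.0),        # small, regular beacons
    ("10.0.0.2", "203.0.113.5", 1180, 12, 6.0),
    ("10.0.0.3", "203.0.113.5", 1240, 12, 6.2),
    ("10.0.0.4", "198.51.100.9", 900000, 650, 30.0),   # bulk transfer, benign
    ("10.0.0.5", "198.51.100.9", 880000, 640, 29.0),
    ("10.0.0.6", "203.0.113.7", 1210, 12, 6.1),        # same shape as the beacons, no attacks
]

# Constructed aggressive-behaviour observations (e.g. IDS alerts): (node, attack kind)
ATTACK_EVENTS = [
    ("10.0.0.1", "syn_flood"),
    ("10.0.0.2", "syn_flood"),
    ("10.0.0.3", "syn_flood"),
    ("10.0.0.5", "port_scan"),
]


def flow_features(flow):
    """Step S11: average bytes per packet and average bytes per second of one flow."""
    _, _, nbytes, npkts, duration = flow
    bytes_per_packet = nbytes / npkts if npkts else 0.0
    # A zero-length flow would divide by zero; treat it as "all bytes in one second".
    bytes_per_second = nbytes / duration if duration > 0 else float(nbytes)
    return (bytes_per_packet, bytes_per_second)


def node_features(flows):
    """Assumption: a flow is attributed to its source node; per-node features are the mean over its flows."""
    per_node = defaultdict(list)
    for flow in flows:
        per_node[flow[0]].append(flow_features(flow))
    return {
        node: tuple(sum(v[i] for v in vals) / len(vals) for i in range(2))
        for node, vals in per_node.items()
    }


def cluster_by_distance(features, rel_tol=0.25):
    """Communication clustering (assumed algorithm): union-find over pairs whose
    feature values are within rel_tol relative difference in both dimensions."""
    nodes = sorted(features)
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def close(a, b):
        return all(abs(a[i] - b[i]) <= rel_tol * max(a[i], b[i], 1e-9) for i in range(2))

    for a, b in combinations(nodes, 2):
        if close(features[a], features[b]):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for n in nodes:
        groups[find(n)].add(n)
    return [frozenset(g) for g in groups.values()]


def cluster_by_attack(events):
    """Aggressive clustering: nodes producing the same kind of attack form one group."""
    groups = defaultdict(set)
    for node, kind in events:
        groups[kind].add(node)
    return [frozenset(g) for g in groups.values()]


def cross_cluster(comm_groups, attack_groups, min_size=2):
    """Cross-clustering: a botnet is a set of nodes that share both a communication
    group and an aggressive group; singletons are ignored (min_size is an assumption)."""
    botnets = []
    for comm in comm_groups:
        for attack in attack_groups:
            common = comm & attack
            if len(common) >= min_size:
                botnets.append(common)
    return botnets


def detect_botnets(flows, events):
    return cross_cluster(cluster_by_distance(node_features(flows)), cluster_by_attack(events))


if __name__ == "__main__":
    for group in detect_botnets(FLOWS, ATTACK_EVENTS):
        print("botnet members:", sorted(group))
```

On the constructed data the communication step yields two groups, {10.0.0.1, .2, .3, .6} and {10.0.0.4, .5}; the attack step yields {.1, .2, .3} and {.5}; the cross-clustering keeps only {10.0.0.1, 10.0.0.2, 10.0.0.3}. The relative tolerance and the minimum group size are the parameters a practitioner would have to calibrate on real traffic, since a tolerance that is too loose merges benign bulk transfers with each other and a group size of 1 would flag any single alerting host as a "botnet".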

Description

Technical field

[0001] The invention relates to the field of information technology, in particular to a botnet detection method, device and processor.

Background technique

[0002] A botnet is formed by using one or more transmission methods to infect a large number of hosts with bot programs, thus building a one-to-many controllable network between the controller and the infected hosts. Attackers spread bots in various ways to infect a large number of hosts on the Internet, and the infected hosts receive instructions from the attackers through a control channel, thus forming a botnet. At present, work on botnets has started, and there are some detection algorithms that can detect botnets.

[0003] The current botnet detection algorithms are mainly honeypot technology and feature-based detection algorithms. Among them, honeypot technology refers to placing an unpatched honeypot in the network and monitoring its infection. The honeypot can effectiv...


Application Information

IPC(8): H04L29/06
Inventor: 李慕峰王春新李信李朝峰王翔宇闫磊马跃易平金燊柳宁吴文昭王焕娟刘亚坤张竞文
Owner: STATE GRID CORP OF CHINA