Botnet host detection method

Abstract

The present invention provides a botnet host detection method. The method comprises the steps of: capturing a domain name system (DNS) flow, extracting passive DNS data from the DNS flow, and obtaining DNS protocol metadata of the host inquiring a domain name from the DNS server; for the extracted passive DNS data, filtering a legal domain name and passive DNS data of the legal domain name; takingthe rest of passive DNS data after filtering as data to be detected of the botnet host; performing coding of the target domain name in the data to be detected, employing a preset detection model to perform detection of the target domain name after coding, and outputting a botnet network family name with the highest probability as a classification result of the target domain name; in an assigned time window, detecting a botnet network controlled host and a botnet network command control server through the domain name of the botnet network family. The botnet host detection method has an excellent detection capacity for the DGA domain name of the botnet network C*C communication, is low in resource utilization, rapid, high in accuracy and low in false alarm rate and can perform cross-platform detection.

Description

technical field [0001] The invention relates to the technical field of computer network security, in particular to a method for detecting a zombie host. Background technique [0002] At present, botnets have become one of the biggest security threats to the Internet. Attacks from them occur frequently and spread across the Internet all over the world. There are various types of attacks, such as distributed denial of service attacks, port scanning, sending spam, click fraud, Online identity theft, ad placement, phishing, encrypted extortion, illegal use of user host resources for mining, etc. Due to the huge economic benefits, the optimization and variant development of botnet technology is more rapid, which also makes the detection and defense of botnet more difficult. Whether it is now or in the future, the research on botnets is an important research direction in the field of network security. [0003] In the topology of the botnet, the botnet controls a large number of ...

AI Technical Summary

Problems solved by technology

The advantage of the traditional method is that it can accurately detect the DGA domain name generated by the botnet family to a certain extent, but the accuracy relies too much on feature engineering, requiring complex feature selection, principal component analysis and a large number of tests to select effective features

Deeper features, especially effective features that are difficult for humans to understand, cannot be extracted

As a result, the classifiers trained by machine learning are good and bad, and it is difficult to achieve product-level applications, and the false positive rate and false negative rate are difficult to guarantee.

Moreover, in the detection process, traditional machine learning techniques need to extract domain name features, which is time-consuming

At the same time, the multi-classification model generated based on machine learning technology is too large, and the model with good classification is usually hundreds of megabytes, which is difficult to apply to low-configuration devices

Images