Botnet host detection method

A botnet host detection method, applied in the field of zombie host detection. It addresses the problems of large multi-classification models, the difficulty of guaranteeing false positive and false negative rates, and the difficulty of reaching product-level application; it avoids laborious feature extraction and selection, has low resource usage, and offers excellent detection capability.

Active Publication Date: 2019-02-26
北京金睛云华科技有限公司

AI Technical Summary

Problems solved by technology

The advantage of the traditional method is that it can, to a certain extent, accurately detect the DGA domain names generated by a botnet family, but its accuracy relies too heavily on feature engineering, requiring complex feature selection, principal component analysis and a large number of tests to select effective features.
Deeper features, especially effective features that are difficult for humans to understand, cannot be extracted.
As a result, the classifiers trained by machine learning are of uneven quality, an



Examples


Embodiment 1

[0215] Figure 3 is a schematic diagram of a botnet structure based on Fast-Flux technology, provided by an embodiment of the present invention. As shown in Figure 3, the difference between normal network communication and Fast-Flux botnet communication is obvious, and Fast-Flux botnets can be further divided into Single-Flux botnets and Double-Flux botnets.

[0216] For normal network communication, the client initiates a request to the web server, and the web server returns the requested content;

[0217] For the Single-Flux botnet, the client needs to resolve the domain name http://flux.example.com. First, it queries the DNS server for the top-level domain ".com" and is referred to the authoritative name server "ns.example.com". Then, the client queries that authoritative DNS server to obtain the real IP address of the domain name. Finally, the client communicates directly with that IP address. For general DNS queries, the IP address remains unc...
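As an added illustration (not code from the patent) of the distinction the embodiment draws between a normal resolution, whose answer stays the same, and a Fast-Flux one, the following constructed passive-DNS sample counts distinct answers per name inside a time window. The thresholds, the sample records and the rule that a Double-Flux name also rotates its NS records are assumptions of this example.

```python
"""Added example: separate steady, Single-Flux and Double-Flux names by how many
distinct answers each returns inside one observation window (records constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: int       # epoch seconds at which the answer was observed
    qname: str    # name that was queried
    rtype: str    # "A" for an address record, "NS" for a name-server record
    rdata: str    # the answer data
    ttl: int      # time to live carried by the answer


# Constructed sample: a normal site answers the same address on a long TTL, a
# single-flux name rotates addresses on a short TTL, a double-flux name also
# rotates the name servers that serve it.
SAMPLE = [
    DnsAnswer(0, "www.example.com", "A", "93.184.216.34", 3600),
    DnsAnswer(600, "www.example.com", "A", "93.184.216.34", 3600),
    DnsAnswer(0, "flux.example.com", "A", "198.51.100.11", 300),
    DnsAnswer(300, "flux.example.com", "A", "198.51.100.12", 300),
    DnsAnswer(600, "flux.example.com", "A", "198.51.100.13", 300),
    DnsAnswer(0, "flux.example.com", "NS", "ns.example.com", 300),
    DnsAnswer(0, "dflux.example.org", "A", "203.0.113.5", 180),
    DnsAnswer(180, "dflux.example.org", "A", "203.0.113.6", 180),
    DnsAnswer(360, "dflux.example.org", "A", "203.0.113.7", 180),
    DnsAnswer(0, "dflux.example.org", "NS", "ns-a.example.org", 180),
    DnsAnswer(180, "dflux.example.org", "NS", "ns-b.example.org", 180),
    DnsAnswer(360, "dflux.example.org", "NS", "ns-c.example.org", 180),
]


def classify_flux(answers, start, end, min_distinct=3, max_ttl=600):
    """Return {qname: "steady" | "single-flux" | "double-flux"} for [start, end).

    min_distinct and max_ttl are assumed thresholds: a name counts as fluxing
    only when its TTLs are short AND it returned at least min_distinct answers.
    """
    seen = defaultdict(set)     # (qname, rtype) -> distinct rdata values
    ttls = defaultdict(list)    # qname -> TTLs observed in the window
    for a in answers:
        if start <= a.ts < end:
            seen[(a.qname, a.rtype)].add(a.rdata)
            ttls[a.qname].append(a.ttl)
    verdict = {}
    for qname in {q for q, _ in seen}:
        short_ttl = max(ttls[qname]) <= max_ttl
        a_churn = len(seen[(qname, "A")]) >= min_distinct
        ns_churn = len(seen[(qname, "NS")]) >= min_distinct
        if short_ttl and a_churn and ns_churn:
            verdict[qname] = "double-flux"
        elif short_ttl and a_churn:
            verdict[qname] = "single-flux"
        else:
            verdict[qname] = "steady"
    return verdict


if __name__ == "__main__":
    print(classify_flux(SAMPLE, 0, 1000))
```

The window length matters: over the first 301 seconds the same sample shows only two addresses for flux.example.com, so it is still reported as steady. A detector fed passive DNS therefore needs a window at least several TTLs long before it can distinguish churn from a single legitimate address change.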


Abstract

The present invention provides a botnet host detection method. The method comprises the steps of: capturing domain name system (DNS) traffic, extracting passive DNS data from that traffic, and obtaining the DNS protocol metadata of the host that queried the DNS server for a domain name; from the extracted passive DNS data, filtering out legal domain names and their passive DNS data; taking the passive DNS data remaining after filtering as the data to be detected for botnet hosts; encoding the target domain name in the data to be detected, detecting the encoded target domain name with a preset detection model, and outputting the botnet family name with the highest probability as the classification result of the target domain name; and, within an assigned time window, detecting botnet-controlled hosts and botnet command and control servers through the domain names of the botnet family. The botnet host detection method has excellent detection capability for the DGA domain names of botnet C&C communication, is low in resource usage, fast, high in accuracy and low in false alarm rate, and can perform cross-platform detection.
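The pipeline the abstract lists, run end to end over constructed passive-DNS records, as an added example that is not the patent's own code. The "preset detection model" is a hypothetical naive-Bayes over character codes trained on made-up names; the patent does not disclose its model. The two family names, the legal-domain list and every record are constructed for this example.

```python
"""Added example: capture -> filter legal domains -> encode -> classify family
-> correlate hosts and C&C addresses inside a time window (all inputs constructed)."""
import math
import string
from collections import Counter
from dataclasses import dataclass

ALPHABET = string.ascii_lowercase + string.digits + "-"
CODE = {ch: i + 1 for i, ch in enumerate(ALPHABET)}   # 0 is reserved for padding
MAX_LEN = 32


@dataclass(frozen=True)
class PassiveDnsRecord:
    ts: int        # epoch seconds of the query
    client: str    # host that asked the resolver
    qname: str     # queried domain name
    answer: str    # resolved IP address


# Step 1 stand-in: constructed passive-DNS records as a resolver log would yield.
RECORDS = [
    PassiveDnsRecord(1000, "10.0.0.5", "www.example.com", "93.184.216.34"),
    PassiveDnsRecord(1010, "10.0.0.5", "7f3a9c1e4b2d.net", "198.51.100.7"),
    PassiveDnsRecord(1020, "10.0.0.9", "qzxwvtrpkq.org", "203.0.113.9"),
    PassiveDnsRecord(1030, "10.0.0.9", "mail.example.com", "93.184.216.34"),
    PassiveDnsRecord(2000, "10.0.0.12", "c4e1b7d9a2f6.net", "198.51.100.7"),
]
LEGAL_DOMAINS = {"example.com"}   # constructed stand-in for the legal-domain list


def registered_domain(qname):
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def filter_legal(records):
    """Step 2: keep only records whose registered domain is not known-legal."""
    return [r for r in records if registered_domain(r.qname) not in LEGAL_DOMAINS]


def encode(qname):
    """Step 3: the second-level label as a fixed-length vector of character codes."""
    label = registered_domain(qname).split(".")[0]
    codes = [CODE.get(ch, 0) for ch in label][:MAX_LEN]
    return codes + [0] * (MAX_LEN - len(codes))


# Constructed training names: two hypothetical DGA families and a benign class.
TRAINING = {
    "hexfamily": ["a1f9c3e7d2b4", "0b8e6d4c2a1f", "f3e2d1c0b9a8"],
    "consfamily": ["qzxwvtrpkq", "zxqwprtkvz", "wqzxkvtrpq"],
    "benign": ["mail", "shop", "news", "login", "update", "static"],
}


def train(samples):
    """Per-family log-probability of each character code (Laplace-smoothed)."""
    model = {}
    for family, names in samples.items():
        counts = Counter(c for n in names for c in encode(n) if c)
        total = sum(counts.values())
        model[family] = [0.0] + [
            math.log((counts[c] + 1) / (total + len(ALPHABET)))
            for c in range(1, len(ALPHABET) + 1)
        ]
    return model


def classify(qname, model):
    """Step 4: the family with the highest posterior for the encoded name."""
    codes = [c for c in encode(qname) if c]
    scores = {fam: sum(lp[c] for c in codes) for fam, lp in model.items()}
    top = max(scores.values())
    z = sum(math.exp(s - top) for s in scores.values())   # softmax normaliser
    best = max(scores, key=scores.get)
    return best, math.exp(scores[best] - top) / z


def detect_window(records, model, start, end):
    """Step 5: controlled hosts and C&C addresses per family inside [start, end)."""
    findings = {}
    for r in filter_legal(records):
        if not start <= r.ts < end:
            continue
        family, _ = classify(r.qname, model)
        if family == "benign":
            continue
        entry = findings.setdefault(family, {"hosts": set(), "c2": set()})
        entry["hosts"].add(r.client)    # the querying host is the controlled host
        entry["c2"].add(r.answer)       # the resolved address is the C&C server
    return findings


if __name__ == "__main__":
    model = train(TRAINING)
    for window in ((1000, 1100), (2000, 2100)):
        print(window, detect_window(RECORDS, model, *window))
```

The legal-domain filter runs before the model so that whitelisted traffic never reaches the classifier, which is what keeps the false alarm rate down and the resource usage low; the window step only ever sees records the model has already labelled with a family.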

Description

Technical field

[0001] The invention relates to the technical field of computer network security, and in particular to a method for detecting zombie hosts.

Background technique

[0002] At present, botnets have become one of the biggest security threats to the Internet. Attacks from them occur frequently and spread across the Internet all over the world. There are various types of attacks, such as distributed denial of service attacks, port scanning, sending spam, click fraud, online identity theft, ad placement, phishing, encrypted extortion, illegal use of user host resources for mining, etc. Due to the huge economic benefits, the optimization and variant development of botnet technology is more rapid, which also makes the detection and defense of botnets more difficult. Whether now or in the future, research on botnets is an important research direction in the field of network security.

[0003] In the topology of the botnet, the botnet controls a large number of ...


Application Information

IPC(8): H04L29/06, H04L29/12, G06N99/00
CPC: H04L63/1416, H04L2463/144, H04L61/4511
Inventor: 曲武
Owner: 北京金睛云华科技有限公司