Domain-flux botnet detection method based on hybrid learning

A botnet and hybrid learning technology, applied in the field of domain-flux botnet detection based on hybrid learning, that can solve the problem of high time complexity of the training set.

Inactive Publication Date: 2019-10-15
BEIJING UNIV OF POSTS & TELECOMM +1

AI Technical Summary

Problems solved by technology

[0006] The present invention addresses situations that are ubiquitous in the prior art: the use of domain-name-related features or time features alone, which is easy to bypass, and the detection method based on threshold or classification algori...


Embodiment Construction

[0035] The present invention will be described in further detail below in conjunction with the examples, but the protection scope of the present invention is not limited thereto.

[0036] The invention relates to a method for detecting a Domain-flux botnet based on hybrid learning, and the method includes the following steps.

[0037] Step 1: Divide the input DNS data into a training dataset and a detection dataset.

[0038] In step 1, the DNS data includes DNS traffic and DNS logs.

[0039] Step 2: Preprocess the training dataset and the detection dataset respectively.

[0040] In step 2, the preprocessing includes filtering out the non-compliant or illegal DNS data in the training dataset and the detection dataset, and extracting features from the DNS data that remains after filtering.

[0041] The features include domain name length, domain name level, 1-gram common degree, 2-gram common degree, 3-gram common degree, accessed time span, average TTL, total number of resolved IPs, ...
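The preprocessing in steps 1 and 2, computing the features visible in [0041] from constructed DNS log rows, as an added example that is not part of the patent text. The excerpt does not define the compliance filter or the "common degree"; the definitions used here (RFC 1035 label syntax, and the mean frequency of the leftmost label's n-grams in a benign reference list) and all function names are assumptions.

```python
import re
from collections import Counter, defaultdict

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
def is_compliant(qname):
    # Assumed filter: RFC 1035 length limits, letter-digit-hyphen labels.
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    return len(name) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def ngrams(s, n):
    return [s[i:i + n] for i in range(len(s) - n + 1)]

def build_reference(benign_names, n):
    # Relative frequency of each n-gram over the leftmost labels of a benign list.
    counts = Counter(g for name in benign_names for g in ngrams(name.split(".")[0], n))
    total = sum(counts.values())
    return {g: c / total for g, c in counts.items()}

def common_degree(label, n, ref):
    # Assumed definition: mean benign-list frequency of the label's n-grams.
    grams = ngrams(label, n)
    return sum(ref.get(g, 0.0) for g in grams) / len(grams) if grams else 0.0

def extract_features(records, benign_names):
    refs = {n: build_reference(benign_names, n) for n in (1, 2, 3)}
    by_domain = defaultdict(list)
    for ts, qname, ttl, rip in records:
        if is_compliant(qname):  # preprocessing: drop non-compliant names
            by_domain[qname.rstrip(".").lower()].append((ts, ttl, rip))
    return {name: {
        "length": len(name),
        "level": name.count(".") + 1,
        **{f"{n}gram": common_degree(name.split(".")[0], n, refs[n]) for n in (1, 2, 3)},
        "time_span": max(r[0] for r in rows) - min(r[0] for r in rows),
        "avg_ttl": sum(r[1] for r in rows) / len(rows),
        "resolved_ips": len({r[2] for r in rows}),
    } for name, rows in by_domain.items()}

# Constructed sample data, not from the patent: (epoch seconds, qname, TTL, resolved IP)
BENIGN = ["google.com", "wikipedia.org", "example.com", "github.com", "mail.example.org"]
RECORDS = [
    (1000, "example.com", 3600, "192.0.2.10"),
    (5000, "example.com.", 3600, "192.0.2.10"),
    (1010, "xkqzvwpjtr.net", 60, "198.51.100.7"),
    (1040, "xkqzvwpjtr.net", 120, "198.51.100.8"),
    (1050, "bad_name!.com", 60, "203.0.113.1"),
]
FEATURES = extract_features(RECORDS, BENIGN)
```

On this sample the random-looking name scores zero on the 2-gram and 3-gram common degree while showing a short access time span, a low average TTL and more than one resolved IP, which is the combination of name, time and resolution features the method relies on.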


Abstract

The invention relates to a Domain-flux botnet detection method based on hybrid learning. The method comprises the following steps: dividing input DNS data into a training data set and a detection data set; preprocessing the training data set and the detection data set respectively; inputting the preprocessed training data set into a model and training it to obtain a classifier; inputting the preprocessed detection data set into the classifier and outputting clustered domain name clusters; calculating domain name cluster scores and screening by those scores for the domain names that belong to a Domain-flux botnet; and obtaining the IP address of the infected host and the IP address of the C&C server. The invention lays a foundation for subsequent defense measures. Features related to domain names, time, request IPs, resolution IPs and the like are used during resolution and are not easy to bypass. The advantages of supervised learning and unsupervised learning are both taken into account by combining classification and clustering algorithms, so that unknown zombie samples which differ greatly from the training set and take different forms can be effectively detected, and the detection speed is higher than that of other clustering algorithms.

Description

Technical field

[0001] The present invention relates to the transmission of digital information, such as the technical field of telegraph communication, and in particular to a method for detecting Domain-flux botnets based on hybrid learning.

Background technique

[0002] With the development of network technology, more and more computers in various forms are connected to the Internet, which also gives botnets greater opportunities. A botnet consists of four parts: zombie host, bot program, state transition function, and C&C channel. From the perspective of an attacker, a zombie host can have multiple states, such as unavailable, available, active, etc. Without the owner's knowledge and authorization, these zombie hosts carry out behaviors that benefit the controller of the botnet, including DDoS (distributed denial of service) attacks, spam, click fraud, traffic eavesdropping and Bitcoin collection. Bots are a tool attackers use for manipulating zombie hos...


Application Information

IPC(8): H04L29/06, H04L29/12, G06K9/62
CPC: H04L63/1408, H04L61/4511, G06F18/23213
Inventor: 谷勇浩崔卓群范渊郭振洋李良训李凯悦林明峰刘博杨勃
Owner: BEIJING UNIV OF POSTS & TELECOMM