Botnet detection device based on HTTP first question and answer packet clustering analysis

A botnet detection and cluster analysis technology, applied to electrical components, transmission systems, etc., that addresses problems such as time-consuming and labor-intensive manual analysis and botnets that go undetected; it achieves high detection accuracy, helps prevent and contain attacks, and reduces the number of analysis objects and the storage overhead.

Status: Inactive. Publication date: 2020-05-19
Applicant: BEIJING ACT TECH DEV CO LTD

AI Technical Summary

Problems solved by technology

This method can quickly discover botnets with this characteristic communication, but the disadvantage is that it cannot detect botnets with encrypted communication, and extracti




Embodiment Construction

[0031] Referring to figure 1, the botnet detection device based on clustering analysis of the first HTTP question-and-answer packet according to the present invention comprises an HTTP header field statistical feature extraction module 1, a botnet traffic recording module 5, a request packet and response packet content acquisition module 2, a feature vector extraction module 3, a clustering module 4, a signature generation module 6 and a rule generator 7; the signature generation module 6 consists of a single signature generator 61, a signature merger 62 and a signature trimmer 63.

[0032] The HTTP header field statistical feature extraction module 1 takes intercepted HTTP traffic 10 as input and compares four parameters of the HTTP request packet and HTTP response packet identified by an IP quadruple. The four parameters are: request line path length, request parameters, number of path layers, and number of parameters. HTTP traffic with four completely consistent paramete...
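To make the grouping step of module 1 concrete, here is an added example (not code from the patent or its applicant) that extracts the four request-line statistics named above from constructed sample request lines and groups flows whose four values are identical. It assumes "request parameters" means the set of parameter names, since including per-bot values would split one family into many groups.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request lines, one per flow (not taken from the patent).
SAMPLE_REQUEST_LINES = [
    "GET /gate/in.php?id=1001&v=2 HTTP/1.1",
    "GET /gate/in.php?id=2048&v=2 HTTP/1.1",
    "GET /gate/in.php?id=3377&v=3 HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "POST /api/v1/report?host=a&ver=1&os=w HTTP/1.1",
]

def header_features(request_line):
    """Return the four statistics compared by module 1 for one request line:
    (path length, request parameter names, number of path layers,
    number of parameters). Treating 'request parameters' as the ordered
    parameter names (values dropped) is an assumption of this example."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    layers = [seg for seg in parts.path.split("/") if seg]
    return (len(parts.path), tuple(name for name, _ in params),
            len(layers), len(params))

def group_by_features(request_lines):
    """Group flows whose four features are completely consistent; each
    group is one object for the later content-acquisition and clustering
    modules, which is how the analysis set shrinks."""
    groups = defaultdict(list)
    for line in request_lines:
        groups[header_features(line)].append(line)
    return dict(groups)

def candidate_groups(request_lines, min_size=2):
    """Keep only groups large enough to look like coordinated traffic;
    singletons are ordinary browsing and are not analysed further."""
    return {key: lines for key, lines in group_by_features(request_lines).items()
            if len(lines) >= min_size}

if __name__ == "__main__":
    for key, lines in candidate_groups(SAMPLE_REQUEST_LINES).items():
        print(key, "->", len(lines), "flows")
```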



Abstract

The invention discloses a botnet detection device based on clustering analysis of the first HTTP question-and-answer packet, and relates to the field of information technology. The botnet detection device is composed of an HTTP header field statistical feature extraction module, a botnet traffic recording module, a request packet and response packet content acquisition module, a feature vector extraction module, a clustering module, a feature code generation module and a rule generator, wherein the feature code generation module consists of a single feature code generator, a feature code combiner and a feature code trimmer. The botnet detection device does not depend on prior knowledge, does not need a large amount of manual intervention, and can automatically extract and generate high-quality feature codes from HTTP botnet traffic. The feature code detection can be added to an intrusion detection system for rapid and wide botnet threat perception and botnet family classification, so that wide and rapid botnet host discovery is achieved.

Description

Technical field

[0001] The present invention relates to the field of information technology, especially the field of information security technology.

Background technique

[0002] After years of development and evolution of botnets, the HTTP protocol has become one of the mainstream control protocols for botnets thanks to its good capacity for carrying business traffic and its ability to penetrate border defenses. Typical spam botnets, such as Rustock and Kelihos, and typical information-stealing botnets, such as Spyeye and Tinba, all use the HTTP protocol for C&C communication. At present, among detection devices for HTTP-protocol botnets, the two most common methods are those based on statistical characteristics of the data flow and deep inspection based on data packets.

[0003] The method based on the statistical characteristics of the data flow does not depend on the specific content and can detect encrypted communication traffic, but due to the lack of payload content, the signature ...


Application Information

IPC(8): H04L29/06
CPC: H04L63/0428, H04L63/1416, H04L63/1441
Inventor: 古元周铁林飞华仲锋毛华阳易永波乔伟袁俊杰
Owner: BEIJING ACT TECH DEV CO LTD