
A Fast Identification Method for Bitcoin Mining Botnet Traffic

A botnet identification method, applied in the field of rapid identification of mining botnet traffic. It addresses problems such as slowed detection speed, heavy resource consumption, and undisclosed data sets, reducing the pressure on storage space and achieving rapid detection capability, among a wide range of effects.

Active Publication Date: 2022-07-19
SOUTHEAST UNIV

AI Technical Summary

Problems solved by technology

However, these methods have the following main problems:
(1) Extracting payload information from the data set consumes a lot of resources and also reduces detection speed, making it difficult to use in real-time detection.
(2) The features used require the entire process of the mining botnet, so collecting the data takes too long.
(3) It is difficult to obtain the interaction traffic of the nodes across the entire botnet, and the communication of a single node cannot be effectively identified.
(4) Botnets and cryptocurrency mining are detected separately, without combining the features of the two stages.
(5) The data set used is not public, so the detection ability on other data sets cannot be guaranteed.


Examples


Embodiment 1

[0041] Embodiment 1: The present invention proposes a quick identification method for Bitcoin mining botnet traffic. The identification framework, as shown in Figure 3, is divided into three parts. The first part is the construction of the simulated environment: collect the corresponding mining botnet virus samples, determine the operating environment required by the samples, set up the required environment for the virus samples on the virtual machine, and run the virus. The second part is feature extraction: obtain appropriate features through pattern comparison, data analysis and other operations, and use mining virus traffic and normal traffic to construct a traffic data training set. The third part is the generation and verification of the recognition model: divide the test set and the training set, use the cross-validation and grid search methods to select the parameters of the rand...


Abstract

The invention proposes a quick identification method for Bitcoin mining botnet traffic. The identification framework is divided into three parts. The first part is the construction of the simulated environment: collect the corresponding mining botnet virus samples, determine the operating environment the samples require, set up that environment for the virus samples on the virtual machine, run the virus samples, and obtain the traffic they generate. The second part is feature extraction: obtain appropriate features through operations such as pattern comparison and data analysis, and use the mining virus traffic and normal traffic to construct the traffic data training set. The third part is the generation and verification of the recognition model: divide the data into a test set and a training set, use cross-validation and grid search on the training set to select the parameters of the random forest algorithm, and, after obtaining the corresponding trained model, verify it on the test set.
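The third part of the framework (hold out a test set, select random forest parameters by cross-validated grid search on the training set only, then verify on the test set) can be sketched with scikit-learn. This is an added example, not code from the patent: the four header-only flow features, the parameter grid, and the synthetic flows are assumptions constructed for illustration, since the page does not list the patent's features or data.

```python
import numpy as np
from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import precision_score, recall_score
from sklearn.model_selection import GridSearchCV, train_test_split

# Assumed header-only flow features; the page does not list the patent's features.
FEATURES = ["mean_pkt_len", "std_pkt_len", "mean_iat_s", "duration_s"]

def make_flows(n, rng, mining):
    """Constructed sample flows (not captured traffic)."""
    if mining:  # assumption: long-lived flows with small, evenly spaced packets
        centre, spread = [180, 40, 8.0, 900], [40, 15, 2.0, 300]
    else:       # assumption: shorter, burstier flows with larger packets
        centre, spread = [700, 400, 0.5, 60], [300, 150, 0.4, 50]
    return np.abs(rng.normal(centre, spread, size=(n, len(FEATURES))))

def train_and_verify(seed=7):
    rng = np.random.default_rng(seed)
    X = np.vstack([make_flows(300, rng, True), make_flows(900, rng, False)])
    y = np.array([1] * 300 + [0] * 900)  # 1 = mining botnet flow, 0 = normal

    # Split first: the test set must play no part in parameter selection.
    X_tr, X_te, y_tr, y_te = train_test_split(
        X, y, test_size=0.3, stratify=y, random_state=seed)

    # Grid search with 5-fold cross-validation, on the training set only.
    grid = {"n_estimators": [25, 50], "max_depth": [4, 8, None],
            "min_samples_leaf": [1, 5]}
    search = GridSearchCV(
        RandomForestClassifier(class_weight="balanced", random_state=seed),
        grid, cv=5, scoring="f1")
    search.fit(X_tr, y_tr)

    # Verify the refitted best model on the held-out test set.
    pred = search.best_estimator_.predict(X_te)
    importance = dict(zip(FEATURES, search.best_estimator_.feature_importances_))
    return {"best_params": search.best_params_,
            "recall": recall_score(y_te, pred),
            "precision": precision_score(y_te, pred),
            "importance": importance}

if __name__ == "__main__":
    for key, value in train_and_verify().items():
        print(key, value)
```

Because the features are computed from packet headers and timing alone, nothing in this pipeline needs payload extraction, which is the cost the page lists as problem (1).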

Description

Technical field

[0001] The invention belongs to the technical field of cyberspace security, and relates to a quick identification method for mining botnet traffic.

Background

[0002] To reduce the cost of electricity and infrastructure required for mining, more criminals choose to use malicious software such as mining viruses and mining Trojans to manipulate other people's hosts to mine cryptocurrencies in pursuit of huge profits. This malicious attack occupies a lot of user resources, seriously affects normal work and life, and also causes irreversible excessive wear on user equipment.

[0003] Current detection of Bitcoin botnet traffic is mainly concentrated in two directions: one is to identify relevant information by extracting packet payload information, and the other is to collect the communication traffic of interconnected botnet nodes and, on the basis of graph algorithms, the clustering coefficient and...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L9/40, G06Q40/04, G06N20/00
CPC: H04L63/1408, H04L63/145, G06Q40/04, G06N20/00, H04L2209/56
Inventor: 胡晓艳, 舒卓卓, 程光, 吴桦, 龚俭
Owner: SOUTHEAST UNIV