Unstructured P2P botnet detection method and device based on SAW community discovery

A botnet-detection technology for unstructured P2P networks, applied (per the patent's stated technical field) in the field of image encryption. It addresses the problems that an unstructured P2P botnet has a complex topology, is difficult to detect, and its complete topology is difficult to obtain, and it achieves good parallelism.

Active Publication Date: 2022-05-17
PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU

AI Technical Summary

Problems solved by technology

[0004] Aiming at the problem that an unstructured P2P botnet communicates over a custom protocol that blends into legitimate P2P traffic, and that its topology is more complex, it is ...


Embodiment 1

[0065] As shown in Figure 2, the embodiment of the present invention provides an unstructured P2P botnet detection method based on SAW community discovery, comprising the following steps:

[0066] S101: Use the ARGUS tool to convert the original traffic data in pcap format into netflow-format traffic data;

[0067] Specifically, the captured raw network traffic is a pcap-format data stream consisting of many individual packets. Its volume is huge and per-packet statistical characteristics are not apparent, so the ARGUS traffic-processing tool is used to aggregate it into bidirectional netflow-format records.

[0068] S102: Use the Flink big data platform to convert the netflow-format traffic data into quintuple cluster flows, and filter the quintuple cluster flows to obtain P2P clusters;

[0069] Specifically, this step includes:

[0070] S1021: For the netflow-format traffic data of each host H, extract the records that share the same quadruple to obtain...

Embodiment approach

[0083] As an implementable manner, the construction of the shared neighbor graph specifically includes:

[0084] Initialize an undirected graph G = {V, E}. Take the P2P cluster identifier of each host as a vertex in V. For two P2P clusters FF_p2p(H_i) and FF_p2p(H_j) whose confidence Sim_p2p(H_i, H_j) is greater than 0, add an edge to E, and use that confidence Sim_p2p(H_i, H_j) as the weight w_ij of the edge. The resulting undirected graph is the shared neighbor graph.

[0085] For example, as shown in Figure 3, hosts A, B and C are vertices of the graph. Host A and host B share one neighbor node X, so the edge weight is 1; host B and host C share two neighbor nodes Y and Z, so the edge weight is 2. Figure 4 shows a schematic of a 500-node P2P-network SNG drawn with the Gephi tool.

[0086] S104: Use SAW to visit each vertex in the shared neighbor graph and generate a vertex matrix between verti...

Embodiment 2

[0117] An embodiment of the present invention provides an unstructured P2P botnet detection device based on SAW community discovery, including: a data preprocessing module, a feature extraction module, a shared neighbor graph construction module, a community discovery module, and a classification module; wherein:

[0118] The data preprocessing module converts the original pcap-format traffic data into netflow-format traffic data. The feature extraction module uses the Flink big data platform to convert the netflow-format traffic data into quintuple cluster flows, and filters the quintuple cluster flows to obtain P2P clusters. The shared neighbor graph construction module calculates the weight of the shared neighbor nodes between P2P clusters using the Jaccard coefficient, and constructs the shared neighbor graph. The community discovery module uses SAW to visit each vertex in the shared neighbor graph and generates a vertex matri...


Abstract

The invention provides an unstructured P2P botnet detection method and device based on SAW community discovery. The method comprises the following steps: step 1, converting original traffic data in pcap format into netflow-format traffic data; step 2, converting the netflow-format traffic data into quintuple cluster flows using the Flink big data platform, and filtering the quintuple cluster flows to obtain P2P (peer-to-peer) clusters; step 3, calculating the weights of shared neighbor nodes among the P2P clusters using the Jaccard coefficient, and constructing a shared neighbor graph; step 4, using SAW (self-avoiding walks) to visit each vertex in the shared neighbor graph, generating a vertex matrix between the vertices, reducing the dimension of the vertex matrix with principal component analysis (PCA), calculating the Bray-Curtis dissimilarity, computing node similarity with hierarchical clustering, and performing community mining, thereby clustering P2P nodes of the same kind; and step 5, classifying the clustering results by community attributes and filtering out the botnet.
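The following is an added example, not code from the patent or its applicant, that works the graph-construction and community-mining steps above (step 3 and step 4 of the Abstract, and paragraphs [0083]-[0086] of Embodiment 1) on a constructed toy input. It assumes each host's P2P cluster has already been reduced to the set of remote peers it exchanged flows with; the hosts A, B, C and peers X, Y, Z mirror Figure 3, and host D is an extra, unrelated host added here. Edge weights use the Jaccard coefficient as the Abstract states (Figure 3 itself counts shared neighbors). The SAW, the visit-frequency vertex matrix, the Bray-Curtis dissimilarity and the single-linkage cut are this example's own choices; the PCA step and the attribute-based botnet classification of step 5 are not reproduced.

```python
"""Shared-neighbor graph (SNG) + self-avoiding-walk (SAW) community mining.

Added illustration of the patent's steps 3-4; pure standard library.
"""
import random
from itertools import combinations
from typing import Dict, List, Set

# Constructed sample input (hypothetical): host -> set of peers it talked to.
# A and B share X; B and C share Y and Z (as in Figure 3); D shares nothing.
PEERS: Dict[str, Set[str]] = {
    "A": {"X", "P1", "P2"},
    "B": {"X", "Y", "Z", "P3"},
    "C": {"Y", "Z", "P4"},
    "D": {"Q1", "Q2"},
}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Jaccard coefficient |a & b| / |a | b|; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def build_sng(peers: Dict[str, Set[str]]) -> Dict[str, Dict[str, float]]:
    """Undirected weighted graph: one vertex per host, an edge wherever two
    hosts share at least one neighbor (Sim > 0), weight = Jaccard coefficient."""
    graph: Dict[str, Dict[str, float]] = {h: {} for h in peers}
    for hi, hj in combinations(sorted(peers), 2):
        w = jaccard(peers[hi], peers[hj])
        if w > 0:
            graph[hi][hj] = w
            graph[hj][hi] = w
    return graph


def self_avoiding_walk(graph, start: str, max_len: int, rng: random.Random) -> List[str]:
    """One SAW: step to a random not-yet-visited neighbor (weight-proportional)
    until the walk is stuck or max_len vertices have been visited."""
    path, visited = [start], {start}
    while len(path) < max_len:
        choices = [(n, w) for n, w in graph[path[-1]].items() if n not in visited]
        if not choices:
            break
        nxt = rng.choices([n for n, _ in choices], weights=[w for _, w in choices])[0]
        path.append(nxt)
        visited.add(nxt)
    return path


def saw_vertex_matrix(graph, walks_per_vertex: int = 50, max_len: int = 0, seed: int = 0):
    """Row v = frequency with which each vertex is reached by SAWs started at v.
    Hosts inside one community get similar rows; an isolated host's row is
    zero except for its own column."""
    rng = random.Random(seed)
    vertices = sorted(graph)
    max_len = max_len or len(vertices)
    matrix: Dict[str, List[float]] = {}
    for v in vertices:
        counts = {u: 0 for u in vertices}
        for _ in range(walks_per_vertex):
            for u in self_avoiding_walk(graph, v, max_len, rng):
                counts[u] += 1
        total = sum(counts.values())
        matrix[v] = [counts[u] / total for u in vertices]
    return vertices, matrix


def bray_curtis(x: List[float], y: List[float]) -> float:
    """Bray-Curtis dissimilarity: sum|x_i - y_i| / sum(x_i + y_i), in [0, 1]."""
    denom = sum(a + b for a, b in zip(x, y))
    return sum(abs(a - b) for a, b in zip(x, y)) / denom if denom else 0.0


def communities(vertices: List[str], matrix, threshold: float) -> List[List[str]]:
    """Single-linkage hierarchical clustering cut at `threshold`: hosts whose
    SAW rows are less dissimilar than the threshold are merged (union-find)."""
    parent = {v: v for v in vertices}

    def find(v: str) -> str:
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    for u, v in combinations(vertices, 2):
        if bray_curtis(matrix[u], matrix[v]) < threshold:
            parent[find(u)] = find(v)
    groups: Dict[str, List[str]] = {}
    for v in vertices:
        groups.setdefault(find(v), []).append(v)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    g = build_sng(PEERS)
    verts, m = saw_vertex_matrix(g, walks_per_vertex=20, seed=1)
    print("SNG edges:", {h: {n: round(w, 3) for n, w in nb.items()} for h, nb in g.items()})
    print("communities:", communities(verts, m, threshold=0.5))
```

On this input A-B gets weight 1/6 and B-C 2/5, A and C are not adjacent, and D is isolated. Because every SAW from A or C sweeps the whole A-B-C chain, their rows coincide and their Bray-Curtis distance is 0, while D's row is orthogonal to theirs (distance 1), so a cut at 0.5 yields the two communities {A, B, C} and {D}. In the patent the resulting communities are then labelled benign or botnet by their attributes; that classifier is not part of this example.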

Description

Technical field

[0001] The invention relates to the technical field of image encryption, in particular to a method and device for unstructured P2P botnet detection based on SAW community discovery.

Background technique

[0002] A botnet is an overlay network for malicious activities formed by a large number of zombie hosts (bots) infected with bot malware and controlled by an attacker; it usually consists of the attacker (also called the controller), the command and control channel (C&C channel), and the zombie hosts. Botnets can launch cyber attacks such as distributed denial of service, spam, phishing and click fraud, and can steal sensitive information; they have been regarded as one of the most serious threats to many industries such as finance, education, healthcare, critical infrastructure, and the Internet of Things. Different from traditional viruses and worms, a botnet is an advanced form of malicious code whose core is the command and control channel. The traditional centralized comm...


Application Information

IPC(8): H04L9/40, G06K9/62, H04L67/104
CPC: H04L63/1408, H04L63/1441, H04L67/104, H04L63/1416, G06F18/23, Y02D30/50
Inventors: 舒辉, 邢颖, 光焱, 赵耘田
Owner PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU