基于流量摘要的僵尸网络检测

随着僵尸网络的日益进化,检测和防范僵尸网络攻击成为网络安全研究的重要任务.现有的研究很少考虑到僵尸网络中的时序模式,并且在实时僵尸网络检测中效果不佳,也无法检测未知的僵尸网络.针对这些问题,本文提出了基于流量摘要的僵尸网络检测方法,首先将原始流数据按照源主机地址聚合,划分适当的时间窗口生成流量摘要记录,然后构建决策树、随机森林和XGBoost机器学习分类模型.在CTU-13数据集上的实验结果表明,本文提出的方法能够有效检测僵尸流量,并且能够检测未知僵尸网络,此外,借助Spark技术也能满足现实应用中快速检测的需要.

Botnet Detection Based on Flow Summary

With the development of botnets, detecting and preventing botnet attacks has become an important task of network security research. Existing studies, which rarely consider the timing patterns in botnets, are ineffective in real-time botnet detection and cannot detect unknown botnets. To tackle these problems, this study proposes a flow summary based botnet detection method. First, the network flow data is aggregated according to the source host IPs, and the flow summary records are generated in a given time window. Then, decision tree, random forest, and XGBoost machine-learning classification models are built to validate the performance of our method. The experimental results on the CTU-13 dataset show that the method we propose can effectively detect botnet traffic and detect unknown botnets. With the help of Spark technology, our method can also meet the needs of rapid detection in real applications.