基于流相似性的两阶段P2P僵尸网络检测方法

僵尸网络利用诸如蠕虫、木马以及rootkit等传统恶意程序，进行分布式拒绝服务攻击、发送钓鱼链接、提供恶意服务，已经成为网络安全的主要威胁之一。由于P2P僵尸网络的典型特征是去中心化和分布式，相对于IRC、HTTP等类型的僵尸网络具有更大的检测难度。为了解决这一问题，该文提出了一个具有两阶段的流量分类方法来检测P2P僵尸网络。首先，根据知名端口、DNS查询、流计数和端口判断来过滤网络流量中的非P2P流量；其次基于数据流特征和流相似性来提取会话特征；最后使用基于决策树模型的随机森林算法来检测P2P僵尸网络。使用UNB ISCX僵尸网络数据集对该方法进行验证，实验结果表明，该两阶段检测方法比传统P2P僵尸网络检测方法具有更高的准确率。

Two Stage P2P Botnet Detection Method Based on Flow Similarity

The botnet has been one of the most common threats to the network security since it exploits multiple malicious codes like worm, Trojans, Rootkit, etc. toperform thedenial-of-service attack, send phishing links, and provide malicious services. Peer-to-peer (P2P) botnet is more difficult to be detected compared with IRC, HTTP and other types of botnets because it has typical features of the centralization and distribution. To solve these problems, we propose an effective two-stage traffic classification method to detect P2P botnet traffic based on both non-P2P traffic filtering mechanism and machine learning techniques on conversation features. At the first stage, the non-P2P packages are filtered to reduce the amount of network traffic, according to well-known ports, DNS query, and flow counting. At the second stage, the conversation features based on data flow features and flow similarity are extracted. Finally, the P2P botnet is detected by using Random Forest based on the decision tree model. Experimental evaluations on UNB ISCX botnet dataset shows that our two-stage detection method has a higher accuracy than traditional P2P botnet detection methods.