基于神经网络的僵尸网络检测

目前主流的僵尸网络检测方法主要利用网络流量分析技术，这往往需要数据包的内部信息，或者依赖于外部系统提供的信息或僵尸主机的恶意行为，并且大多数方法不能自动存储僵尸网络的流量特征，不具有联想记忆功能.为此提出了一种基于BP神经网络的僵尸网络检测方法，通过大量的僵尸网络和正常流量样本训练BP神经网络分类器，使其学会辨认僵尸网络的流量，自动记忆僵尸流量特征，从而有效检测出被感染的主机.该神经网络分类器以主机对为分析对象，提取2个主机间通信的流量特征，将主机对的特征向量作为输入，有效地区分出正常主机和僵尸主机.实验表明，该方法的检测率达到99%，误报率在1%以下，具有良好的性能.

Botnet detection algorithm based on neural network

The most current botnet detection algorithm are typically based on network traffic analyzing technologies that usually need packet payload. The botnet detection algorithm also relies on information obtained by external systems or malicious behaviors of bots that do not automatically store the features of botnet traffic and do not have the ability of associative memory. As a result, this paper proposes a botnet detection algorithm based on BP neural network which trains the BP neural network classifier through a lot of botnet and normal traffic samples and allows it to learn how to identify botnet traffic and automatically remember the features of botnet traffic and therefore, detect the infected hosts effectively. The neural network classifier takes the host-pairs as analysis objects, extracts the traffic features of communications between two hosts and takes the feature vectors of host-pairs as input, thus, effectively distinguishing the normal hosts and bots. The experimental results show that the detection rate of our algorithm can achieve to 99% and the false positive rate is below 1% and the algorithm has a good performance.