Journal of Shandong University (Natural Science), 2017, Vol. 52, Issue 3: 74-81. doi: 10.6040/j.issn.1671-9352.2.2016.001

P2P botnet detection method based on fractal and adaptive data fusion

SONG Yuan-zhang, LI Hong-yu, CHEN Yuan, WANG Jun-jie

1. Changchun Institute of Optics, Fine Mechanics and Physics, Chinese Academy of Sciences, Changchun 130033, Jilin, China

Received: 2016-08-18; Online: 2017-03-20; Published: 2017-03-20

Abstract: A novel P2P botnet detection algorithm based on fractal theory and adaptive data fusion was proposed. First, a single-fractal detection sensor and a multi-fractal detection sensor were built, which use the self-similarity of network traffic at large time scales and its local singularity at small time scales, respectively, to characterise the network. A Kalman filter was used to detect abnormal changes in these characteristics. To obtain a more accurate detection result, an adaptive data fusion method based on DST (Dempster-Shafer Theory) and DSmT (Dezert-Smarandache Theory) was proposed: depending on the conflict factor of the evidence, DST or DSmT is selected adaptively to fuse the outputs of the two detection sensors into the final result. The interference that ordinary P2P programs cause to P2P botnet detection is also taken into account. Experiments show that the proposed algorithm detects P2P botnets with high accuracy.

Key words: P2P botnet, Adaptive Data Fusion, Dezert-Smarandache Theory, Dempster-Shafer Theory

CLC Number: TP393.08
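As an added example of the adaptive fusion step described in the abstract (not the authors' code), the Python below combines two sensors' basic belief assignments with Dempster's rule while the conflict factor K is low and switches to the classic DSm rule, which keeps conflicting mass on B ∩ N instead of renormalising it away, once K is high. The two-hypothesis frame {B, N}, the sensor masses and the switching threshold are constructed assumptions, and the choice of the classic DSm rule for the DSmT side is an assumption as well.

```python
from itertools import product

# Frame of discernment: B = botnet, N = normal (assumed framing); THETA = ignorance.
B, N, THETA = frozenset("B"), frozenset("N"), frozenset("BN")
B_AND_N = "B∩N"           # DSm hyper-power-set element that keeps conflicting mass
CONFLICT_THRESHOLD = 0.6  # assumed switch point; the paper's value is not given here

def conflict_factor(m1, m2):
    """K = sum of m1(X)*m2(Y) over focal-element pairs with X ∩ Y = ∅."""
    return sum(m1[x] * m2[y] for x, y in product(m1, m2) if not (x & y))

def dempster_combine(m1, m2):
    """DST: conjunctive combination, conflicting mass removed by dividing by 1-K."""
    k = conflict_factor(m1, m2)
    if k >= 1.0:
        raise ValueError("total conflict: Dempster's rule is undefined")
    fused = {}
    for x, y in product(m1, m2):
        if x & y:
            fused[x & y] = fused.get(x & y, 0.0) + m1[x] * m2[y]
    return {a: v / (1.0 - k) for a, v in fused.items()}

def dsm_combine(m1, m2):
    """Classic DSm rule (assumed DSmT variant): conflicting mass stays on B ∩ N."""
    fused = {}
    for x, y in product(m1, m2):
        key = x & y if x & y else B_AND_N
        fused[key] = fused.get(key, 0.0) + m1[x] * m2[y]
    return fused

def adaptive_fuse(m1, m2, threshold=CONFLICT_THRESHOLD):
    """Use DST while the sensors broadly agree, DSmT once they conflict."""
    k = conflict_factor(m1, m2)
    rule = "DST" if k < threshold else "DSmT"
    return rule, k, (dempster_combine if rule == "DST" else dsm_combine)(m1, m2)

def decide(fused):
    """Verdict on the larger singleton mass; a dominant conflict element means
    the two sensors disagree, so no verdict is forced."""
    b, n, c = fused.get(B, 0.0), fused.get(N, 0.0), fused.get(B_AND_N, 0.0)
    return "conflict" if c > max(b, n) else ("botnet" if b > n else "normal")

# Constructed sensor outputs (single-fractal sensor, multi-fractal sensor).
AGREEING = ({B: 0.7, N: 0.1, THETA: 0.2}, {B: 0.6, N: 0.2, THETA: 0.2})
CONFLICTING = ({B: 0.95, N: 0.0, THETA: 0.05}, {B: 0.0, N: 0.8, THETA: 0.2})
if __name__ == "__main__":
    for m1, m2 in (AGREEING, CONFLICTING):
        rule, k, fused = adaptive_fuse(m1, m2)
        print(rule, round(k, 2), decide(fused))
```

On the conflicting pair Dempster's rule alone would return a confident "botnet" verdict from two sensors that flatly contradict each other; the DSm rule exposes that disagreement as mass on B ∩ N.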