Research on a P2P Botnet Detection Method Based on a Data-Mining Strategy (基于数据挖掘策略的P2P僵尸网络检测方法研究)

Published in: Computing Technology and Automation (《计算技术与自动化》)


Abstract

A botnet is a group of virus-infected computers that severely threatens the security of the Internet. Its principle is that hackers implant a virus into target computers and then command and control them over the Internet to carry out distributed denial of service (DDoS) attacks, steal confidential information, distribute junk mail and perform other malicious acts. By imitating P2P software, a P2P botnet uses multiple main controllers to avoid a single point of failure and, combined with encryption techniques, defeats various misuse-detection techniques. Unlike normal network behaviour, a P2P botnet sets up numerous sessions without consuming substantial bandwidth, which leaves it exposed to anomaly-detection techniques. Crucially, this research uses the inherent characteristics by which a P2P botnet differs from normal Internet behaviour as data-mining parameters, which are then clustered and separated to obtain reliable results with acceptable accuracy. To demonstrate the effectiveness of the method in discovering botnet hosts, we carried out validation tests in a real network environment.
