Visible to the public Botnet Homology Method Based on Symbolic Approximation Algorithm of Communication Characteristic Curve

TitleBotnet Homology Method Based on Symbolic Approximation Algorithm of Communication Characteristic Curve
Publication TypeConference Paper
Year of Publication2018
AuthorsNan, Z., Zhai, L., Zhai, L., Liu, H.
Conference Name2018 15th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS)
ISBN Number978-1-5386-9294-3
KeywordsApproximation algorithms, Botnet, botnet client, botnet control server, botnet homology method, botnets, clustering, Clustering algorithms, command and control systems, command control channels, command interaction, communication characteristic curve, compositionality, computational complexity, computer network security, dynamic network communication characteristic curves, dynamic time warping distance clustering, earliest botnet group, effective detection method, extracted curve, Heuristic algorithms, homogenous botnet, homologous botnets, homology, Internet, invasive software, IP networks, IRC botnet, IRC protocol, Metrics, most significant botnet group, multiple zombies hosts, network servers, network traffic, packet capture traffic monitoring, pattern clustering, Protocols, pubcrawl, resilience, Resiliency, Servers, symbolic approximation algorithm, telecommunication traffic, time series, Time series analysis, time warp simulation

The IRC botnet is the earliest and most significant botnet group that has a significant impact. Its characteristic is to control multiple zombies hosts through the IRC protocol and constructing command control channels. Relevant research analyzes the large amount of network traffic generated by command interaction between the botnet client and the C&C server. Packet capture traffic monitoring on the network is currently a more effective detection method, but this information does not reflect the essential characteristics of the IRC botnet. The increase in the amount of erroneous judgments has often occurred. To identify whether the botnet control server is a homogenous botnet, dynamic network communication characteristic curves are extracted. For unequal time series, dynamic time warping distance clustering is used to identify the homologous botnets by category, and in order to improve detection. Speed, experiments will use SAX to reduce the dimension of the extracted curve, reducing the time cost without reducing the accuracy.

Citation Keynan_botnet_2018