A Fuzzy Pattern Recognition-based Filtering Algorithm for Botnet Detection
Chinese title: 基於模糊識別演算法之僵屍網路偵測方法 (A Botnet Detection Method Based on a Fuzzy Recognition Algorithm)

| Field | Value |
|---|---|
| Main Author | Lin, Shang-Jyh (林上智) |
| Other Author | Wang, Kuo-Chen (王國禎) |
| Degree | Master's thesis, National Chiao Tung University, Institute of Network Engineering, academic year 98 |
| Format | Others |
| Language | zh-TW |
| Published | 2010 |
| Online Access | http://ndltd.ncl.edu.tw/handle/38508759144590172700 |

Abstract:

Botnets have become a popular technique for committing Internet crimes. Existing botnet detection methods based on string signature matching usually suffer from a high false positive rate (FPR) and a low true positive rate (TPR), so behavior-based detection has become the main approach to botnet detection. In this thesis, we propose a behavior-based botnet detection method using a fuzzy pattern recognition-based filtering (FPRF) algorithm. FPRF first extracts bot features and then recognizes botnets from the collected bot behaviors. The algorithm has three stages. The traffic reduction stage reduces the input raw packet traces to speed up processing. The feature extraction stage extracts features from the reduced packet traces. The fuzzy pattern recognition stage has two phases. First, the DNS (domain name system) phase analyzes the features of DNS packets; if a domain name (DN) is determined to be malicious, the DN and its associated IP address(es) are marked without proceeding to the next phase. Second, the TCP connection phase analyzes the features of TCP connection packets; the associated IP addresses are marked if the TCP connection packets are malicious. Performance evaluation on real traces shows that, with features extracted from raw network traces, FPRF reduces the input raw packet traces by over 70% while achieving a high TPR (95%) and a low FPR (0 ~ 3.08%). Unlike the two representative methods of Livadas and Gu, we used real botnet traffic and only one traffic reduction filter for evaluation. Furthermore, FPRF is resource-efficient, so on-line botnet detection based on FPRF can be incorporated into hosts.