A Fuzzy Pattern Recognition-based Filtering Algorithm for Botnet Detection

Master's thesis, National Chiao Tung University, Institute of Network Engineering, academic year 98 (ROC calendar, i.e. 2009-10).

Botnets have become a popular vehicle for Internet crime. Existing botnet detection methods based on string signature matching usually suffer from a high false positive rate (FPR) and a low true positive rate (TPR), so behavior-based detection has become the main approach to botnet detection. This thesis proposes a behavior-based botnet detection method built on a fuzzy pattern recognition-based filtering (FPRF) algorithm. FPRF first extracts bot features and then recognizes botnets from the collected bot behaviors. The algorithm has three stages. The traffic reduction stage reduces the input raw packet traces to speed up processing. The feature extraction stage extracts features from the reduced packet traces. The fuzzy pattern recognition stage has two phases. First, the DNS (domain name system) phase analyzes features of DNS packets; if a domain name (DN) is judged malicious, that DN and its associated IP address(es) are marked and do not proceed to the next phase. Second, the TCP connection phase analyzes features of TCP connection packets, and the associated IP addresses are marked if those packets are judged malicious. Performance evaluation on real traces shows that, with features extracted from raw network traces, FPRF reduces the input raw packet traces by over 70% while achieving a high TPR (95%) and a low FPR (0 to 3.08%). Unlike the two representative methods of Livadas and Gu, we used real botnet traffic and only one traffic reduction filter for the evaluation. Furthermore, FPRF is resource-efficient, so on-line botnet detection based on FPRF can be deployed on end hosts.
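The three-stage pipeline the abstract describes, as an added Python illustration that is not the thesis's own code: a single traffic-reduction filter, per-domain and per-destination feature extraction, and a two-phase fuzzy recognition step in which a domain marked in the DNS phase, together with its resolved IPs, bypasses the TCP connection phase. The packet summaries are constructed, and the feature choices (distinct resolved IPs and minimum TTL per domain; distinct connecting hosts and failed-handshake ratio per destination), the ramp membership functions and the 0.7 decision threshold are assumptions for the demo; the abstract does not give the thesis's actual features or membership functions.

```python
"""Added illustration of an FPRF-style pipeline: traffic reduction, feature
extraction and two-phase fuzzy recognition. The packet format, features,
membership functions and threshold are assumptions for this demo, not the
thesis's own definitions."""
from collections import defaultdict

# Constructed packet summaries (not captured traffic). DNS records are resolver
# answers (name, resolved IP, TTL); TCP records are (src, dst, flags).
_DNS = [
    ("cdn.example.com", "198.51.100.10", 3600), ("cdn.example.com", "198.51.100.11", 3600),
    ("x7f.badc2.example", "203.0.113.5", 60), ("x7f.badc2.example", "203.0.113.6", 60),
    ("x7f.badc2.example", "203.0.113.7", 60), ("x7f.badc2.example", "203.0.113.8", 60),
]
_TCP = [
    ("10.0.0.5", "198.51.100.10", "S"), ("198.51.100.10", "10.0.0.5", "SA"),
    ("10.0.0.6", "198.51.100.10", "S"), ("198.51.100.10", "10.0.0.6", "SA"),
    # five internal hosts try a hard-coded address; only one handshake completes
    ("10.0.0.5", "192.0.2.77", "S"), ("10.0.0.6", "192.0.2.77", "S"),
    ("10.0.0.7", "192.0.2.77", "S"), ("10.0.0.8", "192.0.2.77", "S"),
    ("10.0.0.9", "192.0.2.77", "S"), ("192.0.2.77", "10.0.0.5", "SA"),
    ("10.0.0.5", "203.0.113.5", "S"), ("203.0.113.5", "10.0.0.5", "SA"),
]
TRACE = (
    [{"kind": "dns", "qname": q, "ip": ip, "ttl": ttl} for q, ip, ttl in _DNS]
    + [{"kind": "tcp", "src": s, "dst": d, "flags": f} for s, d, f in _TCP]
    + [{"kind": "tcp", "src": "10.0.0.5", "dst": "198.51.100.10", "flags": "PA"}] * 30
    + [{"kind": "udp", "src": "10.0.0.5", "dst": "198.51.100.10"},
       {"kind": "icmp", "src": "10.0.0.5", "dst": "198.51.100.10"}]
)


def reduce_traffic(packets):
    """Stage 1: one filter that keeps DNS answers and TCP SYN / SYN-ACK packets;
    payload segments and non-DNS, non-TCP traffic are dropped before analysis."""
    kept = [p for p in packets
            if p["kind"] == "dns" or (p["kind"] == "tcp" and p["flags"] in ("S", "SA"))]
    return kept, 1 - len(kept) / len(packets)


def extract_features(packets):
    """Stage 2: per-domain features (distinct resolved IPs, minimum TTL) and
    per-destination features (distinct internal clients, failed-handshake ratio)."""
    dns = defaultdict(lambda: {"ips": set(), "min_ttl": float("inf")})
    clients, completed = defaultdict(set), set()
    for p in packets:
        if p["kind"] == "dns":
            dns[p["qname"]]["ips"].add(p["ip"])
            dns[p["qname"]]["min_ttl"] = min(dns[p["qname"]]["min_ttl"], p["ttl"])
        elif p["flags"] == "S":
            clients[p["dst"]].add(p["src"])      # who attempted to connect to dst
        elif p["flags"] == "SA":
            completed.add((p["dst"], p["src"]))  # (client, server) pairs that got a SYN-ACK
    tcp = {}
    for dst, srcs in clients.items():
        failed = sum(1 for c in srcs if (c, dst) not in completed)
        tcp[dst] = {"hosts": len(srcs), "fail_ratio": failed / len(srcs)}
    return dns, tcp


def ramp(x, lo, hi):
    """Fuzzy membership rising linearly from 0 at lo to 1 at hi (assumed shape)."""
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))


def fuzzy_recognize(dns, tcp, threshold=0.7):
    """Stage 3. DNS phase: a name resolving to many IPs with short TTLs is marked
    together with its IPs, which then skip the TCP phase. TCP phase: a destination
    contacted by many internal hosts with mostly failed handshakes is marked."""
    marked_domains, marked_ips = {}, {}
    for name, f in dns.items():
        score = (ramp(len(f["ips"]), 2, 4) + (1 - ramp(f["min_ttl"], 60, 600))) / 2
        if score >= threshold:
            marked_domains[name] = round(score, 2)
            for ip in f["ips"]:
                marked_ips[ip] = "dns"
    for ip, f in tcp.items():
        if ip in marked_ips:
            continue  # already decided in the DNS phase; no TCP analysis needed
        score = (ramp(f["hosts"], 2, 5) + ramp(f["fail_ratio"], 0.2, 0.8)) / 2
        if score >= threshold:
            marked_ips[ip] = "tcp"
    return marked_domains, marked_ips


def fprf(packets, threshold=0.7):
    """Run the three stages and report the reduction ratio and the marked entities."""
    reduced, reduction = reduce_traffic(packets)
    dns, tcp = extract_features(reduced)
    domains, ips = fuzzy_recognize(dns, tcp, threshold)
    return {"reduction": round(reduction, 2), "domains": domains, "ips": ips}


if __name__ == "__main__":
    print(fprf(TRACE))
```

On the constructed trace the single filter discards the 30 payload segments and the 2 non-TCP packets (a 64% reduction), the DNS phase marks `x7f.badc2.example` and its four addresses, and the TCP phase then only has to score the two remaining destinations, marking `192.0.2.77` because five hosts attempted it and four handshakes failed. Averaging memberships and thresholding is the simplest fuzzy rule; a real deployment would tune the ramps and threshold against labelled traces, since they set the TPR/FPR trade-off the abstract reports.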


Bibliographic Details
Main Authors: Lin, Shang-Jyh, 林上智
Other Authors: Wang, Kuo-Chen, 王國禎
Format: Thesis
Language: zh-TW (Traditional Chinese)
Published: 2010
Online Access: http://ndltd.ncl.edu.tw/handle/38508759144590172700