Computer Science ›› 2025, Vol. 52 ›› Issue (11): 373-381. doi: 10.11896/jsjkx.241100019

• Information Security •

Intelligent Botnet Traffic Detection Method Based on Multi-granularity Statistical Features

ZHANG Haixia1, HUANG Kezhen1, LIAN Yifeng1, ZHAO Changzhi2, YUAN Yunjing1, PENG Yuanyuan1

  1 Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
  2 Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085, China
  • Received: 2024-11-04 Revised: 2025-03-04 Online: 2025-11-15 Published: 2025-11-06
  • Corresponding author: HUANG Kezhen (kezhen@iscas.ac.cn)
  • About the authors: ZHANG Haixia (haixia@iscas.ac.cn), born in 1981, Ph.D., associate professor. Her main research interest is cyber information security.
    HUANG Kezhen, born in 1988, Ph.D., associate professor. His main research interests include cyber security situation and cyber threat intelligence.
  • Supported by:
    National Key Research and Development Program of China (2023YFB3107203).


Abstract: With the rapid development of information technology, botnet attacks have become a highly harmful cyber security threat. Timely and effective botnet detection and disposal can prevent attackers from launching other derivative attacks based on botnets. Current botnet detection methods have limitations such as a single feature-selection perspective, which makes them easy to bypass, and high false alarm rates. In response to these limitations, this paper proposes an intelligent botnet traffic detection method based on multi-granularity statistical features. The method extracts local coarse-grained statistical features of the network flows to be detected and a global fine-grained profile of the source IP built from historical network flows, and then uses a long short-term memory network with a multi-head attention mechanism to mine the differences in these features between benign network flows and botnet flows at different times. Botnet traffic is ultimately identified based on these differences. Comparative experiments are conducted on the CTU-13 and ISCX botnet datasets; the proposed method achieves more than 99% in accuracy, precision, recall and F1 score.
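An added illustration (not the paper's code) of the two feature granularities the abstract describes: coarse-grained statistics computed on each flow to be classified, and a fine-grained per-source-IP profile aggregated from historical flows, joined into the ordered per-flow feature sequence that a sequence model such as the paper's attention-LSTM would consume. The record layout, the concrete feature set and the sample flows are assumptions constructed here; the paper does not list them.

```python
from collections import defaultdict

# Constructed NetFlow-style records (src_ip, dst_ip, dst_port, proto, bytes, packets, duration_s); illustrative only.
HISTORY = [
    ("10.0.0.5", "203.0.113.7", 443, "tcp", 5200, 14, 2.1),
    ("10.0.0.5", "203.0.113.9", 80, "tcp", 3100, 9, 1.4),
    ("10.0.0.9", "198.51.100.2", 6667, "tcp", 120, 2, 0.05),
    ("10.0.0.9", "198.51.100.3", 6667, "tcp", 118, 2, 0.05),
    ("10.0.0.9", "198.51.100.4", 6667, "tcp", 121, 2, 0.06),
    ("10.0.0.9", "198.51.100.2", 6667, "tcp", 119, 2, 0.05),
]

def local_features(flow):
    """Local coarse-grained statistics of a single flow (assumed feature set)."""
    _src, _dst, _dport, proto, nbytes, npkts, dur = flow
    return {
        "bytes_per_pkt": nbytes / npkts,
        "pkts_per_sec": npkts / dur if dur > 0 else float(npkts),
        "is_tcp": 1.0 if proto == "tcp" else 0.0,
    }

def source_profiles(history):
    """Global fine-grained profile of each source IP, aggregated over historical flows (assumed feature set)."""
    by_src = defaultdict(list)
    for f in history:
        by_src[f[0]].append(f)
    profiles = {}
    for src, flows in by_src.items():
        sizes = [f[4] for f in flows]
        mean_bytes = sum(sizes) / len(sizes)
        profiles[src] = {
            "n_flows": len(flows),
            "distinct_dst": len({f[1] for f in flows}),
            "distinct_dport": len({f[2] for f in flows}),
            "mean_bytes": mean_bytes,
            # Relative spread of flow sizes; near-identical sizes hint at automated, periodic traffic.
            "size_spread": (max(sizes) - min(sizes)) / mean_bytes,
        }
    return profiles

def feature_sequence(flows, history):
    """Join each flow's local statistics with its source's global profile; the ordered list is the model input."""
    profiles = source_profiles(history)
    unseen = dict.fromkeys(("n_flows", "distinct_dst", "distinct_dport", "mean_bytes", "size_spread"), 0.0)
    seq = []
    for f in flows:
        vec = local_features(f)  # a source with no history gets an all-zero profile
        vec.update({"src_" + k: v for k, v in profiles.get(f[0], unseen).items()})
        seq.append(vec)
    return seq
```

In the constructed history, 10.0.0.9 shows many near-identical small flows to one port across several destinations, the kind of regularity the global profile is meant to expose even though each individual flow looks unremarkable.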

Key words: Cyber attack, Botnet, Statistical features, Attention mechanism, Long short-term memory

CLC number: TP311.1