Botnets’ similarity analysis based on communication features and D-S evidence theory

ZANG Tian-ning1; YUN Xiao-chun1; ZHANG Yong-zheng2; MEN Chao-guang1; CUI Xiang2

Tongxin xuebao (Jan 2011)

Botnets’ similarity analysis based on communication features and D-S evidence theory

ZANG Tian-ning1,
YUN Xiao-chun1,
ZHANG Yong-zheng2,
MEN Chao-guang1,
CUI Xiang2

Affiliations

ZANG Tian-ning1
YUN Xiao-chun1
ZHANG Yong-zheng2
MEN Chao-guang1
CUI Xiang2

Journal volume & issue: Vol. 32
pp. 66 – 76

Abstract

Read online

A potential hidden relationship may exist among different zombie groups.A method to analyze the relationship among botnets was proposed based on the communication activities.The method extracted several communication fea-tures of botnet,including the number of flows per hour,the number of packets per flow,the number of flows per IP and the packet payloads.It defined similarity statistical functions of the communication features,and built the analysis model of botnets relationship based on the advanced dempster-shafer（D-S） evidence theory to synthetically evaluate the simi-larities between different zombie groups.The experiments were conducted using several botnet traces.The results show that the method is valid and efficient,even in the case of encrypted botnet communication messages.Moreover,the ideal processing results is achieved by applying our method to analyze the data captured from the security monitoring platform of computer network,as well as compare with similar work.

Botnet;D-S evidence theory;data flow;similarity

Published in Tongxin xuebao

ISSN: 1000-436X (Print)
Publisher: Editorial Department of Journal on Communications
Country of publisher: China
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering: Telecommunication
Website: http://www.infocomm-journal.com/txxb/EN/1000-436X/home.shtml

About the journal

Abstract

Keywords