Analysis of Botnet Attack Data Based on Log

doi:10.3969/j.issn.1671-1122.2022.10.012

Abstract

Abstract:

Botnet is an important means of organized hacker attack in recent years. Its unique attack mode makes its data different from other network attack methods. Based on the collected network attack packets, this paper extracted and analyzed the botnet attack data. Firstly, the network attack log analysis system was constructed by using honeypot domain name service agent technology, and the storage format of the attack log file was designed. Then, it realized the cleaning and extraction of the plaintext of the network attack through a variety of ciphertext identification methods, and extracted the botnet attack data according to the characteristics of the botnet attack behavior different from the network scanning and hacker attack. At the same time, the regular matching method was used to find that the botnet attack data contains five types of specific keywords, which could improve the identification efficiency of the botnet by building a string library. Finally, specific clustering features were selected based on the botnet attack data and analyzed by using two-stage clustering algorithm. The experimental results show that botnet attacks have port-biased characteristics. Virus downloading is an important means for botnet attacks. The attribute data distribution of specific port attacks was obviously different from that of other ports. Except for the four attributes related to the size of the sent packet, most of the selected attributes have strong clustering and discrimination ability, which can be used as an important feature for further intelligent analysis.

Key words: botnet, log, two-step clustering, clustering feature

CLC Number:

TP309

ZHU Tao, XIA Lingling, LI Penghui, XU Zhongyi. Analysis of Botnet Attack Data Based on Log[J]. Netinfo Security, 2022, 22(10): 82-90.

Figures/Tables 9

References 28

[1]	LI Ke, FANG Binxing, CUI Xiang, et al. Study of Botnets Trends[J]. Journal of Computer Research and Development, 2016, 53(10): 2189-2206.
	李可, 方滨兴, 崔翔, 等. 僵尸网络发展研究[J]. 计算机研究与发展, 2016, 53(10): 2189-2206.
[2]	CUI Lijuan, MA Weiguo, ZHAO Wei, et al. A Survey of Botnet[J]. Journal of Information Security Research, 2017, 3(7): 589-600.
	崔丽娟, 马卫国, 赵巍, 等. 僵尸网络综述[J]. 信息安全研究, 2017, 3(7): 589-600.
[3]	ZHOU Anmin, ZHONG Yi, ZUO Zheng, et al. D-BitBot: A P2P Duplex Botnet Model in Bitcoin Network[J]. Journal of Harbin Institute of Technology, 2020, 52(5): 66-74.
	周安民, 钟毅, 左政, 等. D-BitBot:比特币网络双向通信的P2P僵尸网络模型[J]. 哈尔滨工业大学学报, 2020, 52(5): 66-74.
[4]	WU Di, CUI Xiang, LIU Qixu, et al. Research on Ubiquitous Botnet[J]. Netinfo Security, 2018, 18(7): 16-28.
	吴迪, 崔翔, 刘奇旭, 等. 泛在僵尸网络发展研究[J]. 信息网络安全, 2018, 18(7): 16-28.
[5]	GE Xin, ZOU Futai, GUO Wanda, et al. Review on the Development of Social Botnets[J]. Computer Engineering, 2022, 48(8): 12-24.
	葛昕, 邹福泰, 郭万达, 等. 社交僵尸网络发展综述[J]. 计算机工程, 2022, 48(8): 12-24.
[6]	FAN Yiyan, WU Guorui. Research of Dynamic Botnet Model[J]. Journal of Computer Applications, 2010, 30(3): 692-694.
	范轶彦, 邬国锐. 动态僵尸网络模型研究[J]. 计算机应用, 2010, 30(3): 692-694.
[7]	HUANG Biao, CHENG Shuping, OUYANG Chenxing, et al. Botnet Propagation Model with Two-Factor on Scale-Free Network[J]. Computer Science, 2012, 39(10): 78-81, 114.
	黄彪, 成淑萍, 欧阳晨星, 等. 无尺度网络下具有双因素的僵尸网络传播模型[J]. 计算机科学, 2012, 39(10): 78-81, 114.
[8]	NIU Weina, ZHANG Xiaosong, YANG Guowu, et al. Modeling and Analysis of Botnet with Heterogeneous Infection Rate[J]. Computer Science, 2018, 45(7): 135-138, 153.
	牛伟纳, 张小松, 杨国武, 等. 具有异构感染率的僵尸网络建模与分析[J]. 计算机科学, 2018, 45(7): 135-138, 153.
[9]	OUYANG Chenxing, TAN Liang. New Propagation Model of Botnet on Scale-Free Network[J]. Computer Engineering and Applications, 2013, 49(9): 110-114.
	欧阳晨星, 谭良. 无尺度网络下的僵尸网络传播模型研究[J]. 计算机工程与应用, 2013, 49(9): 110-114.
[10]	FENG Liping, SONG Lipeng, WANG Hongbin, et al. Propagation Modeling and Analysis of Peer-to-Peer Botnet[J]. Journal of Computer Applications, 2015, 35(1): 68-71.
	冯丽萍, 宋礼鹏, 王鸿斌, 等. P2P僵尸网络的传播建模与分析[J]. 计算机应用, 2015, 35(1): 68-71.
[11]	ZHOU Anmin, ZHONG Yi, ZUO Zheng, et al. D-BitBot: A P2P Duplex Botnet Model in Bitcoin Network[J]. Journal of Harbin Institute of Technology, 2020, 52(5): 66-74.
	周安民, 钟毅, 左政, 等. D-BitBot:比特币网络双向通信的P2P僵尸网络模型[J]. 哈尔滨工业大学学报, 2020, 52(5): 66-74.
[12]	ZHANG Xiran, LIU Wanping, LONG Hua. Dynamic Model and Analysis of Spreading of Botnet Viruses over Internet of Things[J]. Computer Science, 2022, 49(S1): 738-743.
	张翕然, 刘万平, 龙华. 物联网僵尸网络病毒的传播动力学模型与分析[J]. 计算机科学, 2022, 49(S1): 738-743.
[13]	XIA Qin, WANG Zhiwen, LIU Lu. Tracking Botnet Activity Based on Co-Occurrence Relation of Domain Name System Queries[J]. Journal of Xi’an Jiaotong University, 2012, 46(4): 7-12.
	夏秦, 王志文, 刘璐. 基于域名共现行为的僵尸网络行为追踪[J]. 西安交通大学学报, 2012, 46(4): 7-12.
[14]	WANG Hailong, TANG Yong, GONG Zhenghu. Signature Generation Model for Botnet Command and Control Channel[J]. Computer Engineering & Science, 2013, 35(2): 62-67.
	王海龙, 唐勇, 龚正虎. 僵尸网络命令与控制信道的特征提取模型研究[J]. 计算机工程与科学, 2013, 35(2): 62-67.
[15]	NIU Weina, JIANG Tianyu, ZHANG Xiaosong, et al. Fast-Flux Botnet Detection Method Based on Spatiotemporal Feature of Network Traffic[J]. Journal of Electronics & Information Technology, 2020, 42(8): 1872-1880.
	牛伟纳, 蒋天宇, 张小松, 等. 基于流量时空特征的fast-flux僵尸网络检测方法[J]. 电子与信息学报, 2020, 42(8): 1872-1880.
[16]	HE Yukun, LI Qiang, JI Yuede, et al. Analysis of Botnet Detection Technique Based on Traffic Graph[J]. Journal of Jilin University (Science Edition), 2013, 51(4): 681-688.
	何毓锟, 李强, 嵇跃德, 等. 基于流量图的僵尸网络检测技术分析[J]. 吉林大学学报(理学版), 2013, 51(4): 681-688.
[17]	BAI Jun, XIA Jingbo, ZHANG Wenjing, et al. Rapid Botnet Detecting Method Based on Multi-Dimensional Information Divergence[J]. Journal of Huazhong University of Science and Technology(Natural Science Edition), 2014, 42(9): 28-32.
	柏骏, 夏靖波, 张文静, 等. 基于多维信息散度的僵尸网络快速检测方法[J]. 华中科技大学学报(自然科学版), 2014, 42(9): 28-32.
[18]	CHEN Ruidong, ZHAO Lingyuan, ZHANG Xiaosong. Botnet Identification Technology Based on Fuzzy Clustering[J]. Computer Engineering, 2018, 44(10): 46-50.
	陈瑞东, 赵凌园, 张小松. 基于模糊聚类的僵尸网络识别技术[J]. 计算机工程, 2018, 44(10): 46-50.
[19]	XIAO Qi, SU Kaiyu. Botnet Traffic Detection Based on Random Forest Algorithm[J]. Microelectronics & Computer, 2019, 36(3): 43-47.
	肖琦, 苏开宇. 基于随机森林的僵尸网络流量检测[J]. 微电子学与计算机, 2019, 36(3): 43-47.
[20]	ZOU Futai, TAN Yue, WANG Lin, et al. Botnet Detection Based on Generative Adversarial Network[J]. Journal on Communications, 2021, 42(7): 95-106.
	邹福泰, 谭越, 王林, 等. 基于生成对抗网络的僵尸网络检测[J]. 通信学报, 2021, 42(7): 95-106.
[21]	LIN Honggang, ZHANG Yunli, GUO Nanxin, et al. P2P Botnet Detection Method Based on Graph Neural Network[J]. Advanced Engineering Sciences, 2022, 54(2): 65-72.
	林宏刚, 张运理, 郭楠馨, 等. 基于图神经网络的P2P僵尸网络检测方法[J]. 工程科学与技术, 2022, 54(2): 65-72.
[22]	FENG Liping, HAN Qi, WANG Hongbin, et al. Effective Immune Measures on P2P Botnets[J]. Journal of Computer Applications, 2012, 32(9): 2617-2619, 2623.
	冯丽萍, 韩琦, 王鸿斌, 等. P2P僵尸网络的有效免疫措施[J]. 计算机应用, 2012, 32(9): 2617-2619, 2623.
[23]	YING Lingyun, FENG Dengguo, SU Purui. P2P-Based Super Botnet: Threats and Defenses[J]. Acta Electronica Sinica, 2009, 37(1): 31-37.
	应凌云, 冯登国, 苏璞睿. 基于P2P的僵尸网络及其防御[J]. 电子学报, 2009, 37(1): 31-37.
[24]	CHEN Duanbing, WAN Ying, TIAN Junwei, et al. P2P Botnet Control Strategy Based on Social Network Analysis[J]. Computer Science, 2009, 36(6): 101-104, 111.
	陈端兵, 万英, 田军伟, 等. 一种基于社会网络分析的P2P僵尸网络反制策略[J]. 计算机科学, 2009, 36(6): 101-104, 111.
[25]	ZHANG Sijie, SU Yang. Defense System of P2P Botnet Based on Domain[J]. Computer Engineering and Design, 2013, 34(7): 2291-2295.
	张斯捷, 苏旸. 基于域的P2P僵尸网络防御体系[J]. 计算机工程与设计, 2013, 34(7): 2291-2295.
[26]	YANG M S, SINAGA K P. A Feature-Reduction Multi-View K-Means Clustering Algorithm[J]. IEEE Access, 2019(7): 114472-114486.
[27]	TUAN T A, LONG H V, SON L H, et al. Performance Evaluation of Botnet DDoS Attack Detection Using Machine Learning[J]. Evolutionary Intelligence, 2020, 13(2): 283-294.
[28]	CHIU T, FANG Dongping, CHEN J, et al. A Robust and Scalable Clustering Algorithm for Mixed Type Attributes in Large Database Environment[C]// ACM. ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York: ACM, 2001: 263-268.

序号	特定字符串	类型
1	Mozi.a	特定词T4
2	http://z.shavsl.com	下载地址T2
3	http://crypto.htxreceive.top/	下载地址T2
4	http://oracle.zzhreceive.top/	下载地址T2
5	http://185.142.239.128/	下载地址T2
6	http://188.213.49.155/	下载地址T2
7	http://194.147.142.88/	下载地址T2
8	/MyPlugin	交互报文T1
9	http://103.209.103.16/	下载地址T2
10	http://199.19.226.117/	下载地址T2
11	http://205.185.121.185/	下载地址T2
12	http://86.105.195.120/	下载地址T2
13	http://104.192.82.138/	下载地址T2
14	Mozi.m	特定词T4
15	http://185.224.129.251/	下载地址T2
16	http://149.28.85.17/	下载地址T2
17	http://128.199.240.129/	下载地址T2
18	STOR/Photo.scr	执行操作T3
19	http://194.87.139.103/	下载地址T2
20	http://45.133.203.192/	下载地址T2
21	http://85.239.33.9/	下载地址T2
22	http://34.66.229.152/	下载地址T2

序号	报文数据属性	含义
1	attackPort	受到攻击的端口号
2	packetNumber	攻击过程中的包数量
3	recvPacketNumber	攻击过程中接收的包数量
4	sendPacketNumber	攻击过程中发送的包数量
5	recvPktSizeAvg	攻击过程中接收的包的平均大小
6	sendPktSizeAvg	攻击过程中发送的包的平均大小
7	recvPktSizeMin	攻击过程中接收的最小包的大小
8	sendPktSizeMin	攻击过程中发送的最小包的大小
9	recvPktSizeMax	攻击过程中接收的最大包的大小
10	sendPktSizeMax	攻击过程中发送的最大包的大小
11	recvPktSizeStd	攻击过程中接收的包的大小的标准差
12	sendPktSizeStd	攻击过程中发送的包的大小的标准差
13	timeDuration	持续时间
14	timeDelayAve	平均延迟时间
15	timeDelayMax	最大延迟时间
16	timeDelayMin	最小延迟时间
17	timeDelayMedian	延迟时间中间值
18	timeDelayStd	延迟时间标准差

特定字符串序号	相关的攻击次数	比例
1	295	4%
2	126	1.70%
3	136	3.20%
4	3672	50.40%
7	1	0.10%
10	318	4.30%
13	1173	16.10%
18	217	2.90%
19	841	11.50%
21	157	2.10%

簇号	个案数	占组合的比例	占总计的百分比
1	1800	24.8%	24.8%
2	4986	68.8%	68.8%
3	465	6.4%	6.4%
组合	7251	100%	100%

序号	报文数据属性	重要性	簇1	簇2	簇3
1	attackPort	1	80	6379	5555
2	packetNumber	1	1.46	55.19	18.99
3	recvPacketNumber	1	1.42	26.37	14.24
4	sendPacketNumber	1	0.04	28.83	4.75
5	recvPktSizeAvg	1	232.85	375.15	112.86
6	sendPktSizeAvg	0	0.00	0.00	0.00
7	recvPktSizeMin	1	212.63	5.02	49.51
8	sendPktSizeMin	0	0.00	0.00	0.00
9	recvPktSizeMax	1	257.81	12862.02	470.78
10	sendPktSizeMax	0	0.00	0.00	0.00
11	recvPktSizeStd	1	4601.21	377825.12	74255.04
12	sendPktSizeStd	0	0.00	0.00	0.00
13	timeDuration	1	534.27	234.82	60668.96
14	timeDelayAve	1	123.06	3.12	7373.01
15	timeDelayMax	1	381.42	231.93	27280.19
16	timeDelayMin	0.02	0.11	0.00	264.96
17	timeDelayMedian	0.25	0.14	0.00	1108.72
18	timeDelayStd	1	827693.26	64625.06	123535682.12