Netinfo Security, 2022, Vol. 22, Issue (10): 82-90. doi: 10.3969/j.issn.1671-1122.2022.10.012


Analysis of Botnet Attack Data Based on Log

ZHU Tao 1, XIA Lingling 1, LI Penghui 1, XU Zhongyi 2

  1. Department of Computer Information and Cyber Security, Jiangsu Police Institute, Nanjing 210031, China
  2. Beijing Qihoo Technology Co., Ltd., Beijing 100020, China
  • Received: 2022-07-03  Online: 2022-10-10  Published: 2022-11-15
  • Contact: ZHU Tao  E-mail: zhutaonj@163.com

Abstract:

Botnets have become an important means of organized hacker attacks in recent years, and their distinctive attack pattern makes their data differ from that of other network attack methods. Based on collected network attack packets, this paper extracts and analyzes botnet attack data. First, a network attack log analysis system is built using honeypot domain name service proxy technology, and the storage format of the attack log file is designed. Next, the plaintext of each network attack is cleaned and extracted using several ciphertext identification methods, and botnet attack data is separated from ordinary network scanning and hacker attacks according to the characteristics that distinguish botnet attack behavior. At the same time, regular expression matching shows that botnet attack data contains five types of specific keywords, so building a string library of these keywords can improve the efficiency of botnet identification. Finally, specific clustering features are selected from the botnet attack data and analyzed with a two-step clustering algorithm. The experimental results show that botnet attacks are port-biased, that virus downloading is an important means of botnet attack, and that the attribute distribution of attacks on specific ports differs clearly from that of other ports. Except for the four attributes related to the size of the sent packet, most of the selected attributes have strong clustering and discrimination ability and can serve as important features for further intelligent analysis.

Key words: botnet, log, two-step clustering, clustering feature
