一种基于bot优先抽样的P2P botnet 在线检测技术

僵尸网络利用高效灵活的一对多控制机制，为攻击者提供了储备、管理和使用网络攻击能力的基础架构和平台，已成为当前Internet最严重且持续增长的安全威胁之一。为满足在高速网络实时检测P2P僵尸网络的需求，提出了一种基于bot优先抽样的在线检测技术。该方法利用bot优先的分级算法和基于优先级的包抽样算法，使得检测系统能够高效利用计算资源，在整体抽样率有限条件下，优先对疑似P2P僵尸通信数据包进行抽样，并使用流信息重构技术和流簇分析技术对抽样包进行统计分析来发现P2P僵尸主机。实验结果表明，所提出的在线检测技术能够有效提高对疑似P2P僵尸网络流量亚群的包抽样率，具有良好的在线检测效率和P2P僵尸检测命中率。

Bot priority sampling based P2P botnet online detection technique

Botnets pose a steady and growing threat to network security and have become one of the most significant threats to the Internet. Using highly efficient and flexible one to many control mechanisms, botnets provide a infrastructure of reserves, management and use of cyber attack capabilities. To meet the instant detection requirements of P2P botnets on high speed networks, a bot priority sampling based online detection technique was presented. In order to efficiently use as many as possible the limited computing resources and sample packets of suspicious P2P bots, a bot priority classification algorithm and a priority based sampling algorithm were proposed. Flow information recovering and flow cluster analyzing approaches were used to identify the suspicious P2P bots based on the sampled packets. The experimental evaluation results show that the proposed technique can increase the sampling rates packets from P2P botnets traffic subpopulations and has a good sampling efficiency and P2P bots detection hit rate.