CN110099073A - A kind of P2P botnet detection method, device and medium - Google Patents


Info

Publication number: CN110099073A
Authority: CN (China)
Prior art keywords: network, botnet, data, neural network, probabilistic neural
Legal status: Granted (current status: Expired - Fee Related)
Application number: CN201910429784.2A
Other languages: Chinese (zh)
Other versions: CN110099073B (en)
Inventors: 宋元章, 陈媛, 王俊杰, 王安邦, 李洪雨
Current assignee: Changchun Institute of Optics Fine Mechanics and Physics of CAS
Original assignee: Changchun Institute of Optics Fine Mechanics and Physics of CAS
Application filed by Changchun Institute of Optics Fine Mechanics and Physics of CAS
Priority to CN201910429784.2A; publication of CN110099073A; application granted; publication of CN110099073B

Classifications

    • G06N3/045 Combinations of networks (G06N3/04 Architecture, e.g. interconnection topology; G06N3/02 Neural networks; G06N3/00 Computing arrangements based on biological models; G06N Computing arrangements based on specific computational models; G06 Computing; calculating or counting; G Physics)
    • G06N3/047 Probabilistic or stochastic networks (G06N3/04 Architecture, e.g. interconnection topology)
    • G06N3/08 Learning methods (G06N3/02 Neural networks)
    • H04L63/1441 Countermeasures against malicious traffic (H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/00 Network architectures or network communication protocols for network security; H04L Transmission of digital information, e.g. telegraphic communication; H04 Electric communication technique; H Electricity)


Abstract

An embodiment of the invention discloses a P2P botnet detection method, device and medium. Normal network traffic data captured in a normal network environment and abnormal network traffic data captured in a P2P botnet network environment are obtained. The network traffic data is divided into packets of different types and a network complexity feature is calculated for each packet type. Each network complexity feature, together with its corresponding P2P botnet outbreak result, is used as sample data to train a probabilistic neural network until a probabilistic neural network that meets the accuracy requirement is obtained. Network traffic data to be detected is then processed with the probabilistic neural network to obtain a P2P botnet outbreak result. Dividing the network traffic data finely by packet type exposes the relationship between the traffic data and P2P botnet outbreaks more fully, which improves the accuracy with which the probabilistic neural network detects P2P botnet outbreaks.

Description

P2P botnet detection method, device and medium
Technical field
The present invention relates to the field of computer security, and in particular to a P2P botnet detection method, device and medium based on network complexity features and a probabilistic neural network.
Background
A botnet is a group of malicious hosts. An attacker can change the payload carried by the bot nodes by secondary injection, so that the type of attack finally launched, such as a distributed denial of service attack, phishing or a spam attack, can be changed quickly and conveniently. Current novel P2P botnets build their command and control mechanism on the distributed structure of a P2P network; because that structure has no control centre, single points of failure are effectively avoided, and its robustness and reliability are higher.
Research on the analysis and detection of P2P botnets is currently at an early stage. Most detection methods start from a few distinctive, fine-grained features of P2P botnets and do not analyse or characterise the overall features of network traffic deeply enough. When a novel P2P botnet appears whose network structure, protocol and attack type differ from existing P2P botnets, P2P botnet detection will suffer a large miss rate (false-negative rate).
It can be seen that how to improve the accuracy of botnet detection is an urgent problem for those skilled in the art.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a P2P botnet detection method, device and medium based on network complexity features and a probabilistic neural network, which can improve the accuracy of botnet detection.
To solve the above technical problem, an embodiment of the present invention provides a P2P botnet detection method based on network complexity features and a probabilistic neural network, comprising:
obtaining network traffic data, wherein the network traffic data includes normal network traffic data from a normal network environment and abnormal network traffic data from a P2P botnet network environment;
dividing the network traffic data into packets of different types and calculating a network complexity feature for each packet type;
using each network complexity feature and its corresponding P2P botnet outbreak result as sample data, training an initial probabilistic neural network, and obtaining a probabilistic neural network that meets the accuracy requirement;
processing network traffic data to be detected with the probabilistic neural network to obtain the P2P botnet outbreak result corresponding to the network traffic data to be detected.
Optionally, the network traffic data includes TCP packets, UDP packets, ICMP packets and SMTP packets.
Optionally, the network complexity features of the packet types include the permutation entropy of the TCP packets, the permutation entropy of the UDP packets, the permutation entropy of the ICMP packets and the permutation entropy of the SMTP packets.
Optionally, processing the network traffic data to be detected with the probabilistic neural network to obtain the P2P botnet outbreak result corresponding to the network traffic data to be detected includes:
dividing the network traffic data to be detected into packets of different types according to packet type;
calculating the network complexity feature of each packet type;
inputting each network complexity feature into the probabilistic neural network to obtain the P2P botnet outbreak result corresponding to the network traffic data to be detected.
Optionally, using each network complexity feature and its corresponding P2P botnet outbreak result as sample data, training the probabilistic neural network, and obtaining a probabilistic neural network that meets the accuracy requirement includes:
using each network complexity feature and its corresponding P2P botnet outbreak result as sample data, and dividing the sample data into a training sample set and a test sample set;
training the probabilistic neural network with the training sample set to obtain a trained probabilistic neural network;
inputting a target test sample into the probabilistic neural network to obtain an output result, the target test sample being any test sample in the test sample set that has not yet been tested;
judging whether the output result is consistent with the P2P botnet outbreak result of that test sample;
if not, returning to the step of training the probabilistic neural network with the training sample set to obtain a trained probabilistic neural network;
if so, selecting from the test sample set another test sample that has not yet been tested as the target test sample, and returning to the step of inputting the target test sample into the probabilistic neural network to obtain an output result, until every test sample in the test sample set has been tested, and then taking the probabilistic neural network as the probabilistic neural network that meets the accuracy requirement.
An embodiment of the present invention also provides a P2P botnet detection device based on network complexity features and a probabilistic neural network, including an acquiring unit, a feature calculation unit, a training unit and a processing unit;
the acquiring unit is configured to obtain network traffic data, wherein the network traffic data includes normal network traffic data from a normal network environment and abnormal network traffic data from a P2P botnet network environment;
the feature calculation unit is configured to divide the network traffic data into packets of different types and calculate the network complexity feature of each packet type;
the training unit is configured to use each network complexity feature and its corresponding P2P botnet outbreak result as sample data, train the probabilistic neural network, and obtain a probabilistic neural network that meets the accuracy requirement;
the processing unit is configured to process network traffic data to be detected with the probabilistic neural network to obtain the P2P botnet outbreak result corresponding to the network traffic data to be detected.
Optionally, the network traffic data includes TCP packets, UDP packets, ICMP packets and SMTP packets.
Optionally, the network complexity features of the packet types include the permutation entropy of the TCP packets, the permutation entropy of the UDP packets, the permutation entropy of the ICMP packets and the permutation entropy of the SMTP packets.
Optionally, the processing unit includes a classification subunit, a computation subunit and an output subunit;
the classification subunit is configured to divide the network traffic data to be detected into packets of different types according to packet type;
the computation subunit is configured to calculate the network complexity feature of each packet type;
the output subunit is configured to input each network complexity feature into the probabilistic neural network to obtain the P2P botnet outbreak result corresponding to the network traffic data to be detected.
Optionally, the training unit includes a division subunit, a training subunit, a test subunit, a judgment subunit and a selection subunit;
the division subunit is configured to use each network complexity feature and its corresponding P2P botnet outbreak result as sample data, and to divide the sample data into a training sample set and a test sample set;
the training subunit is configured to train the probabilistic neural network with the training sample set to obtain a trained probabilistic neural network;
the test subunit is configured to input a target test sample into the probabilistic neural network to obtain an output result, the target test sample being any test sample in the test sample set that has not yet been tested;
the judgment subunit is configured to judge whether the output result is consistent with the P2P botnet outbreak result of the test sample; if not, control returns to the training subunit; if so, the selection subunit is triggered;
the selection subunit is configured to select from the test sample set a test sample that has not yet been tested as the target test sample and return to the test subunit, until every test sample in the test sample set has been tested, and then to take the probabilistic neural network as the probabilistic neural network that meets the accuracy requirement.
An embodiment of the present invention provides a P2P botnet detection device based on network complexity features and a probabilistic neural network, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the above P2P botnet detection method based on network complexity features and a probabilistic neural network.
An embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the above P2P botnet detection method based on network complexity features and a probabilistic neural network are implemented.
It can be seen from the above technical solution that network traffic data is obtained, wherein the network traffic data includes normal network traffic data from a normal network environment and abnormal network traffic data from a P2P botnet network environment; the network traffic data is divided into packets of different types and the network complexity feature of each packet type is calculated; by calculating permutation entropy, the network traffic data is quantified. Each network complexity feature and its corresponding P2P botnet outbreak result are used as sample data to train the probabilistic neural network, and a probabilistic neural network that meets the accuracy requirement is obtained. Dividing the network traffic data finely by packet type exposes the relationship between the network traffic data and P2P botnet outbreaks more fully, which effectively improves the accuracy with which the probabilistic neural network detects P2P botnet outbreaks. When the network environment of network traffic data to be detected needs to be analysed, the probabilistic neural network can process that data and obtain the corresponding P2P botnet outbreak result. Because of this division of the network traffic data, the trained probabilistic neural network has higher accuracy.
Brief description of the drawings
To illustrate the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of a P2P botnet detection method based on network complexity features and a probabilistic neural network according to an embodiment of the present invention;
Fig. 2 is a logic diagram of P2P botnet detection based on network complexity features and a probabilistic neural network according to an embodiment of the present invention;
Fig. 3 is an overall flow chart of a P2P botnet detection method based on permutation entropy and a probabilistic neural network according to an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of a P2P botnet detection device based on network complexity features and a probabilistic neural network according to an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of a P2P botnet detection device based on network complexity features and a probabilistic neural network according to an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative work fall within the scope of the present invention.
To enable those skilled in the art to better understand the solution of the present invention, the present invention is described in further detail below with reference to the drawings and specific embodiments.
Next, the P2P botnet detection method based on network complexity features and a probabilistic neural network provided by an embodiment of the present invention is discussed in detail. Fig. 1 is a flow chart of this method, which comprises:
S101: obtain network traffic data.
The network traffic data includes network traffic data from a normal network environment and network traffic data from a P2P botnet network environment. For ease of distinction, the former is referred to as normal network traffic data and the latter as abnormal network traffic data.
S102: divide the network traffic data into packets of different types and calculate the network complexity feature of each packet type.
To fully explore the relationship between network traffic data and P2P botnet outbreaks, the network traffic data can be divided finely and the relationship between each data type and P2P botnet outbreaks analysed.
In a concrete implementation, a group of network traffic data can be divided into TCP packets, UDP packets, ICMP packets and SMTP packets.
Permutation entropy is well suited to correlation analysis of non-linear, non-stationary signals and amplifies small inherent changes in a time series. Moreover, computing permutation entropy does not use the actual values of the time series; it only needs the relative order of the elements in the series. Therefore, in the embodiments of the present invention, permutation entropy can be used to measure the complexity feature of each packet type. Besides permutation entropy, the Hurst index from fractal theory, which reflects the self-similarity of data, and the Hölder index, which reflects the local singularity of data, can also serve as the complexity feature of a packet type. For ease of description, the embodiments are explained using the permutation entropy of the packets as the complexity feature.
For a known single time series $\{x(i),\ i = 1, 2, \dots, n\}$, its permutation entropy $H_p$ is calculated as follows:
(1) To extract the latent complexity information of the time-series signal, it first needs to be reconstructed into a higher-dimensional phase space. Phase-space reconstruction of the time series with the delay-embedding theorem yields $N = n - (m-1)\tau$ subsequences $X(i)$:
$$X(i) = [x(i),\ x(i+\tau),\ \dots,\ x(i+(m-1)\tau)] \qquad (1)$$
In formula (1), $m$ is the embedding dimension and $\tau$ is the delay time.
By choosing a suitable delay time $\tau$ and embedding dimension $m$, the dynamic characteristics of the original system can be recovered from the single time series:
1. The mutual information method is used to determine the delay time $\tau$: the $\tau$ at which the mutual information reaches a local minimum is selected as the delay time;
2. The false nearest neighbour method is used to determine the embedding dimension $m$: the $m$ at which the percentage of false nearest neighbours drops sharply to 0 or close to 0, and no longer changes as the dimension increases, is selected as the embedding dimension.
(2) The elements of each of the $N$ subsequences $X(i)$ are arranged in non-decreasing order of value; elements with equal values are arranged in the order in which they appear in the original time series $\{x(i),\ i = 1, 2, \dots, n\}$. This finally gives:
$$X'(i) = [x(i+(j_1-1)\tau),\ x(i+(j_2-1)\tau),\ \dots,\ x(i+(j_m-1)\tau)] \qquad (2)$$
In formula (2), $j_1, j_2, \dots, j_m$ are the positions of the elements in $X(i)$, with $1 \le j \le m$. For each subsequence $X(i)$ the following ordinal sequence $P(l)$ is obtained:
$$P(l) = (j_1, j_2, \dots, j_m) \qquad (3)$$
In formula (3), $l = 1, 2, \dots, k$ and $k \le m!$, where $k$ is the number of distinct ordinal sequences.
(3) Calculate the permutation entropy $H_p$ of $\{x(i),\ i = 1, 2, \dots, n\}$.
Among the $N$ subsequences, let $P_h$ denote the probability with which the ordinal sequence $P(l) = (j_1, j_2, \dots, j_m)$ occurs.
According to the definition of Shannon entropy, the permutation entropy $H_p$ of the $k$ ordinal sequences of the time series $\{x(i),\ i = 1, 2, \dots, n\}$ is obtained from these probabilities $P_h$.
Analysis shows that $0 \le H_p \le 1$. $H_p = 0$ indicates that the time series is monotonically increasing or decreasing; $H_p = 1$ indicates that the system is completely random. That is, the smaller $H_p$, the more regular the time series, and the larger $H_p$, the higher the complexity of the time series.
The principle of computing permutation entropy has been described above; since the calculation of the permutation entropy of each packet type is relatively mature, it is not described in detail here.
Measuring the complexity feature of network traffic with permutation entropy does not depend on the network type, topology or attack type of the P2P botnet, so a certain detection accuracy is maintained even when a novel botnet differs from existing P2P botnets.
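The packet-type split of S102 and the permutation-entropy procedure of steps (1) to (3) above, as one added example that is not code from the patent. The per-packet quantity that forms each time series is not stated on the page; this example assumes packet size in bytes, identifies SMTP as TCP traffic on port 25, uses fixed $m = 3$, $\tau = 1$ rather than the mutual-information and false-nearest-neighbour selection, and normalises the Shannon entropy by $\ln(m!)$ so that $0 \le H_p \le 1$ holds as the text states. The packet trace and all names are constructed for the demonstration.

```python
"""Permutation-entropy complexity features per packet type (added example).

Assumptions (not from the patent): the time series of each packet class is
the sequence of packet sizes; SMTP = TCP on port 25; m = 3, tau = 1; the
entropy is normalised by ln(m!) so that 0 <= H_p <= 1.
"""
from collections import Counter
import math

PACKET_TYPES = ("TCP", "UDP", "ICMP", "SMTP")

# Constructed packet records: protocol, ports (where applicable) and size in bytes.
SAMPLE_PACKETS = [
    {"proto": "TCP", "sport": 51000, "dport": 443, "size": 60},
    {"proto": "UDP", "sport": 51001, "dport": 53, "size": 72},
    {"proto": "TCP", "sport": 51000, "dport": 443, "size": 1500},
    {"proto": "ICMP", "size": 84},
    {"proto": "TCP", "sport": 51002, "dport": 25, "size": 120},
    {"proto": "TCP", "sport": 51000, "dport": 443, "size": 52},
    {"proto": "UDP", "sport": 51001, "dport": 53, "size": 310},
    {"proto": "TCP", "sport": 51002, "dport": 25, "size": 640},
    {"proto": "ICMP", "size": 84},
    {"proto": "TCP", "sport": 51003, "dport": 80, "size": 1500},
    {"proto": "UDP", "sport": 51004, "dport": 123, "size": 76},
    {"proto": "TCP", "sport": 51002, "dport": 25, "size": 90},
    {"proto": "ICMP", "size": 120},
    {"proto": "TCP", "sport": 51003, "dport": 80, "size": 1500},
    {"proto": "UDP", "sport": 51001, "dport": 53, "size": 72},
    {"proto": "TCP", "sport": 51002, "dport": 25, "size": 1500},
    {"proto": "ICMP", "size": 84},
    {"proto": "TCP", "sport": 51000, "dport": 443, "size": 64},
]


def classify_packet(pkt):
    """Map a packet record to one of the four classes; SMTP (TCP port 25,
    an assumption) is reported as SMTP rather than TCP so the classes are disjoint."""
    proto = pkt["proto"]
    if proto == "ICMP":
        return "ICMP"
    if proto == "UDP":
        return "UDP"
    if proto == "TCP":
        if pkt.get("dport") == 25 or pkt.get("sport") == 25:
            return "SMTP"
        return "TCP"
    return None  # other protocols are ignored in this example


def split_by_type(packets):
    """S102: divide one group of traffic into per-type time series of packet sizes."""
    series = {t: [] for t in PACKET_TYPES}
    for pkt in packets:
        t = classify_packet(pkt)
        if t is not None:
            series[t].append(pkt["size"])
    return series


def embed(x, m, tau):
    """Step (1), formula (1): N = n - (m-1)*tau delay vectors X(i) of length m."""
    n_sub = len(x) - (m - 1) * tau
    return [[x[i + k * tau] for k in range(m)] for i in range(max(n_sub, 0))]


def ordinal_pattern(X):
    """Step (2), formulas (2)-(3): positions of the elements of X(i) in
    non-decreasing order; equal values keep their original order (sorted is
    stable). Positions are 0-based here, the patent writes them 1-based."""
    return tuple(j for j, _ in sorted(enumerate(X), key=lambda p: p[1]))


def permutation_entropy(x, m=3, tau=1):
    """Step (3): Shannon entropy of the ordinal-pattern frequencies P_h,
    normalised by ln(m!) (assumption) so that the result lies in [0, 1]."""
    subseqs = embed(x, m, tau)
    if not subseqs:
        return 0.0
    counts = Counter(ordinal_pattern(X) for X in subseqs)
    total = len(subseqs)
    h = -sum((c / total) * math.log(c / total) for c in counts.values())
    return h / math.log(math.factorial(m))


def complexity_features(packets, m=3, tau=1):
    """Feature vector in the order TCP, UDP, ICMP, SMTP (the 4 input nodes)."""
    series = split_by_type(packets)
    return [permutation_entropy(series[t], m, tau) for t in PACKET_TYPES]


if __name__ == "__main__":
    for name, value in zip(PACKET_TYPES, complexity_features(SAMPLE_PACKETS)):
        print(f"{name:5s} H_p = {value:.4f}")
```

With these few constructed packets the series are far too short for a meaningful entropy; in practice each class would hold hundreds of packets from one capture window, and $m$ and $\tau$ would be chosen with the mutual-information and false-nearest-neighbour methods the text describes.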
S103: use each network complexity feature and its corresponding P2P botnet outbreak result as sample data, train the initial probabilistic neural network, and obtain a probabilistic neural network that meets the accuracy requirement.
The embodiments of the present invention focus on the complexity feature of network traffic rather than analysing and inspecting packet contents, so detection still works when a P2P botnet encrypts its packets. The probabilistic neural network used has the advantages of fast learning, high scalability and strong classification ability.
Each group of network traffic data has a corresponding P2P botnet outbreak result. In the embodiments of the present invention, the digit "0" can denote that no P2P botnet outbreak occurred and the digit "1" that a P2P botnet outbreak occurred. For normal network traffic data the corresponding P2P botnet outbreak result is recorded as "0"; for abnormal network traffic data it is recorded as "1".
The format of the sample data is shown in Table 1a.
Table 1a
In the format of Table 1a, the sample data corresponding to normal network traffic data has the format shown in Table 1b:
Table 1b
In the format of Table 1a, the sample data corresponding to abnormal network traffic data from a P2P botnet network environment has the format shown in Table 1c:
Table 1c
In the embodiments of the present invention, each network complexity feature and its corresponding P2P botnet outbreak result can be used as sample data, and the sample data divided into a training sample set and a test sample set. The probabilistic neural network is trained with the training sample set to obtain a trained probabilistic neural network. The specific training process is as follows:
(1) Divide the sample data into a training sample set and a test sample set.
Without loss of generality, 70% of the sample data is randomly selected as the training sample set and 30% as the test sample set.
(2) Determine the topology and the parameter configuration.
Topology:
1. Input layer: 1 layer, 4 nodes.
2. Pattern layer: 1 layer, with as many nodes as there are training samples.
3. Summation layer: 1 layer, 1 node.
4. Output layer: 1 layer, 1 node.
Parameter configuration:
The smoothing factor of the probabilistic neural network is usually determined by empirical estimation.
(3) Determine the decision rule used to judge, from the output of the probabilistic neural network, whether a P2P botnet outbreak has occurred.
In the embodiments of the present invention, the P2P botnet outbreak result can be represented numerically: the digit "1" denotes a P2P botnet outbreak and the digit "0" denotes no P2P botnet outbreak.
(4) Train the probabilistic neural network with the training sample set.
(5) Test the probabilistic neural network with the test sample set.
(6) Input the feature data of a test sample into the probabilistic neural network to obtain the network's output result.
A test sample is input into the trained probabilistic neural network, and the P2P botnet detection result given by the network is checked against the true state of the test sample. If they are consistent, the next test sample is processed; otherwise the test is considered failed, the parameter configuration is modified, and training and testing are repeated. If the P2P botnet detection result of the current probabilistic neural network is consistent with the true state for every test sample in the test sample set, the test is considered passed and the network can be used for subsequent P2P botnet detection.
(7) Obtain the P2P botnet detection result for the test sample from the output of the neural network according to the decision rule.
With the decision rule determined in step (3), an output of "1" indicates a P2P botnet outbreak and an output of "0" indicates no P2P botnet outbreak.
(8) Compare the P2P botnet detection result with the actual result of the test sample; if they are consistent, the test sample passes the test, otherwise it fails.
(9) If all test samples pass the test, training of the probabilistic neural network is complete and the network can now be used for P2P botnet detection; otherwise, modify the parameter configuration and repeat training and testing.
S104: process the network traffic data to be detected with the probabilistic neural network to obtain the P2P botnet outbreak result corresponding to the network traffic data to be detected.
In the embodiments of the present invention, the network complexity features of each packet type and their corresponding P2P botnet outbreak results were used as sample data for training; therefore, when the network environment of network traffic data to be detected needs to be analysed, that data must be input into the probabilistic neural network in the form of network complexity features.
Specifically, the network traffic data to be detected can be divided into packets of different types according to packet type; the network complexity feature of each packet type is calculated; and each network complexity feature is input into the probabilistic neural network to obtain the P2P botnet outbreak result corresponding to the network traffic data to be detected.
Taking the permutation entropy of TCP packets, UDP packets, ICMP packets and SMTP packets as an example, the logic of P2P botnet detection based on network complexity features and a probabilistic neural network is shown in Fig. 2: when network traffic data to be detected is obtained, the permutation entropy of each packet type is calculated and fed as input data into the trained probabilistic neural network, which yields the P2P botnet outbreak result corresponding to that data. In Fig. 2, "botnet" denotes a P2P botnet outbreak and "normal" denotes a normal network environment, i.e. no P2P botnet outbreak.
Note that once a probabilistic neural network meeting the accuracy requirement has been obtained by the operations S101 to S103, any later detection of P2P botnet outbreaks in the network environment of network traffic data to be detected can use that probabilistic neural network directly to analyse and process the data, without training the network again.
The training process and the application process of the probabilistic neural network were explained separately above. Fig. 3 shows the overall flow chart of a P2P botnet detection method based on permutation entropy and a probabilistic neural network according to an embodiment of the present invention; in Fig. 3, "test passed" means that all test samples have passed the test, at which point the probabilistic neural network meets the accuracy requirement and can be used for P2P botnet detection.
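The training loop of steps (1) to (9) and the S104 decision step, as one added example that is not code from the patent: a Parzen-window probabilistic neural network with a Gaussian kernel whose input layer takes the four entropies, whose pattern layer holds one unit per training sample, and whose output is the decision 1 (outbreak) or 0 (normal). The summation stage here keeps one unit per class, which is a design choice of this example; the smoothing factor is picked by the patent's loop of "test every sample, on any mismatch change the parameter and retrain" over a small candidate list. The sample data, entropy profiles and all names are constructed for the demonstration.

```python
"""Probabilistic neural network for the outbreak decision (added example).

Assumptions (not from the patent): Gaussian Parzen-window PNN, one summation
unit per class, 70/30 random split, smoothing factor chosen from a candidate
list by the retrain-on-mismatch loop; sample data is synthetic.
"""
import math
import random


class PNN:
    def __init__(self, sigma):
        self.sigma = sigma            # smoothing factor (parameter configuration)
        self.patterns = {0: [], 1: []}

    def train(self, samples):
        """Step (4): a PNN is 'trained' by storing every training sample as a
        pattern-layer unit, so the pattern layer has one node per sample."""
        self.patterns = {0: [], 1: []}
        for features, label in samples:
            self.patterns[label].append(list(features))

    def _pattern_unit(self, w, x):
        d2 = sum((a - b) ** 2 for a, b in zip(w, x))
        return math.exp(-d2 / (2.0 * self.sigma ** 2))

    def class_densities(self, x):
        """Summation stage: mean activation of the pattern units of each class."""
        out = {}
        for label, pats in self.patterns.items():
            out[label] = (sum(self._pattern_unit(w, x) for w in pats) / len(pats)
                          if pats else 0.0)
        return out

    def predict(self, x):
        """Output layer with the decision rule of step (3): 1 = outbreak, 0 = normal."""
        d = self.class_densities(x)
        return 1 if d[1] > d[0] else 0


def split_samples(samples, train_fraction=0.7, seed=0):
    """Step (1): random 70% training / 30% test split."""
    rng = random.Random(seed)
    idx = list(range(len(samples)))
    rng.shuffle(idx)
    k = int(len(samples) * train_fraction)
    return [samples[i] for i in idx[:k]], [samples[i] for i in idx[k:]]


def fit_until_accurate(samples, sigma_candidates, seed=0):
    """Steps (5)-(9): test every test sample; on any mismatch modify the
    smoothing factor and retrain. Returns (model, passed)."""
    train_set, test_set = split_samples(samples, seed=seed)
    model = None
    for sigma in sigma_candidates:
        model = PNN(sigma)
        model.train(train_set)
        if all(model.predict(f) == y for f, y in test_set):
            return model, True
    return model, False


def make_samples(n_per_class=20, seed=1):
    """Constructed sample data in the Table 1 format: four entropies
    (TCP, UDP, ICMP, SMTP) plus the result 0/1. The two entropy profiles
    are invented for the demo and carry no claim about real traffic."""
    rng = random.Random(seed)
    normal_centre = (0.30, 0.35, 0.20, 0.25)
    botnet_centre = (0.80, 0.75, 0.90, 0.70)
    samples = []
    for centre, label in ((normal_centre, 0), (botnet_centre, 1)):
        for _ in range(n_per_class):
            feats = [min(1.0, max(0.0, c + rng.gauss(0.0, 0.05))) for c in centre]
            samples.append((feats, label))
    return samples


if __name__ == "__main__":
    model, passed = fit_until_accurate(make_samples(), [0.05, 0.1, 0.2])
    print("test passed:", passed, "sigma:", model.sigma)
    # S104: a new feature vector is fed straight into the trained network.
    print("decision for new traffic:", model.predict([0.78, 0.74, 0.88, 0.71]))
```

Because a PNN stores every training sample, its pattern layer grows with the training set and each prediction costs one kernel evaluation per stored sample; that is the price of the fast training the text mentions. The retrain loop above only varies the smoothing factor, which is the one parameter the page names.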
Fig. 4 is a structural schematic diagram of a P2P botnet detection device based on network complexity features and a probabilistic neural network provided by an embodiment of the invention, comprising an acquiring unit 41, a feature calculation unit 42, a training unit 43 and a processing unit 44;
the acquiring unit 41 is configured to obtain network traffic data, wherein the network traffic data comprises normal network traffic data captured in a normal network environment and abnormal network traffic data captured in a P2P botnet network environment;
the feature calculation unit 42 is configured to divide the network traffic data into packets of different types and calculate the network complexity feature of each packet type;
the training unit 43 is configured to use each network complexity feature and its corresponding P2P botnet outbreak result as sample data to train a probabilistic neural network, obtaining a probabilistic neural network that meets the accuracy requirement;
the processing unit 44 is configured to process network traffic data to be detected with the probabilistic neural network, obtaining the P2P botnet outbreak result corresponding to the network traffic data to be detected.
Optionally, the network traffic data comprises TCP packets, UDP packets, ICMP packets and SMTP packets.
Optionally, the network complexity features of the packet types comprise the permutation entropy of the TCP packets, the permutation entropy of the UDP packets, the permutation entropy of the ICMP packets and the permutation entropy of the SMTP packets.
Optionally, the processing unit comprises a classification sub-unit, a computation sub-unit and an output sub-unit;
the classification sub-unit is configured to divide the network traffic data to be detected into packets of different types according to packet type;
the computation sub-unit is configured to calculate the network complexity feature of each packet type;
the output sub-unit is configured to input each network complexity feature into the probabilistic neural network, obtaining the P2P botnet outbreak result corresponding to the network traffic data to be detected.
Optionally, the training unit comprises a dividing sub-unit, a training sub-unit, a test sub-unit, a judgment sub-unit and a selection sub-unit;
the dividing sub-unit is configured to use each network complexity feature and its corresponding P2P botnet outbreak result as sample data and to divide the sample data into a training sample set and a test sample set;
the training sub-unit is configured to train the probabilistic neural network with the training sample set, obtaining a trained probabilistic neural network;
the test sub-unit is configured to input a target test sample into the probabilistic neural network to obtain an output result, the target test sample being any test sample in the test sample set that has not yet been tested;
the judgment sub-unit is configured to judge whether the output result is consistent with the P2P botnet outbreak result of the test sample; if not, control returns to the training sub-unit; if so, the selection sub-unit is triggered;
the selection sub-unit is configured to select an untested test sample from the test sample set as the target test sample and return to the test sub-unit, until all test samples in the test sample set have been tested, whereupon the probabilistic neural network is taken as the probabilistic neural network meeting the accuracy requirement.
For the explanation of the features in the embodiment corresponding to Fig. 4, refer to the description of the embodiments corresponding to Figs. 1 to 3; it is not repeated here.
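The pipeline described above (split captured traffic by packet type, compute the permutation entropy of each type's series as its network complexity feature, train a probabilistic neural network on the labelled feature vectors, then test every held-out sample in turn and return to training on a mismatch, as the training unit and claim 5 specify) is worked through below in Python as an added example. This is not code from the patent or its inventors. Several things the page does not specify are assumptions of this example: the per-type series is the number of packets per one-second time bin; the probabilistic neural network is Specht's Gaussian-kernel form with a smoothing width sigma; the "return to training" step retries with the next wider sigma and gives up when the list is exhausted; and all traffic is synthetic, generated so that the botnet class beacons with a fixed period per packet type while the normal class varies randomly.

```python
import math
import random
from collections import Counter

# Packet types the traffic is split into (claims 2 and 3); label values are this example's choice.
PACKET_TYPES = ("TCP", "UDP", "ICMP", "SMTP")
NORMAL, BOTNET = 0, 1


def permutation_entropy(series, m=3, tau=1):
    """Normalised Bandt-Pompe permutation entropy of a 1-D series, in [0, 1]:
    0 when only one ordinal pattern occurs, 1 when all m! patterns are equally frequent."""
    windows = len(series) - (m - 1) * tau
    if windows < 1:
        raise ValueError("series too short for embedding dimension m and delay tau")
    counts = Counter()
    for i in range(windows):
        window = [series[i + k * tau] for k in range(m)]
        # ordinal pattern: the window's indices in ascending order of value (ties by position)
        counts[tuple(sorted(range(m), key=lambda k: (window[k], k)))] += 1
    h = -sum(c / windows * math.log(c / windows) for c in counts.values())
    return h / math.log(math.factorial(m))


def per_type_count_series(packets, n_bins, bin_width=1.0):
    """Split (timestamp, type) packets by type into one packets-per-bin series per type.
    Using packets per time bin as the series is an assumption of this example."""
    series = {t: [0] * n_bins for t in PACKET_TYPES}
    for ts, ptype in packets:
        b = int(ts // bin_width)
        if ptype in series and 0 <= b < n_bins:
            series[ptype][b] += 1
    return series


def complexity_features(packets, n_bins, m=3):
    """Network complexity feature vector: [PE(TCP), PE(UDP), PE(ICMP), PE(SMTP)]."""
    series = per_type_count_series(packets, n_bins)
    return [permutation_entropy(series[t], m) for t in PACKET_TYPES]


class PNN:
    """Specht probabilistic neural network (assumed form): one Gaussian kernel per training
    sample (pattern layer), a per-class sum (summation layer) and an argmax (decision layer)."""
    def __init__(self, sigma):
        self.sigma = sigma          # kernel smoothing width
        self.samples = []

    def fit(self, samples):         # samples: iterable of (feature_vector, label)
        self.samples = list(samples)
        return self

    def predict(self, x):
        score = Counter()
        for feat, label in self.samples:
            d2 = sum((a - b) ** 2 for a, b in zip(x, feat))
            score[label] += math.exp(-d2 / (2 * self.sigma ** 2))
        return max(score, key=score.get)


def train_until_tests_pass(train, test, sigmas=(0.05, 0.1, 0.2, 0.4)):
    """Acceptance loop of claim 5: train, then check each untested test sample in turn; on a
    mismatch go back to training. The page does not say what retraining changes, so this
    example (an assumption) retries with the next smoothing width and stops when they run out."""
    for sigma in sigmas:
        net = PNN(sigma).fit(train)
        if all(net.predict(feat) == label for feat, label in test):
            return net, sigma
    raise RuntimeError("no probabilistic neural network met the accuracy requirement")


def synth_packets(rng, n_bins, botnet):
    """Constructed traffic, not a capture. Normal: per-bin counts of every type vary randomly.
    Botnet: every type beacons with a fixed period (a high count every `period` bins, a low
    count otherwise), the regularity that permutation entropy is meant to expose."""
    packets = []
    for ptype in PACKET_TYPES:
        period, low, high = rng.choice((2, 3, 4)), rng.randint(0, 2), rng.randint(8, 12)
        for b in range(n_bins):
            count = (high if b % period == 0 else low) if botnet else rng.randint(0, 20)
            packets.extend((b + i / (count + 1), ptype) for i in range(count))
    return packets


def run_demo(seed=7, n_per_class=10, n_bins=60):
    """Label samples, split 70/30 into training and test sets, run the acceptance loop,
    then classify one fresh sample of each kind with the accepted network."""
    rng = random.Random(seed)
    data = [(complexity_features(synth_packets(rng, n_bins, bot), n_bins), BOTNET if bot else NORMAL)
            for bot in (False, True) for _ in range(n_per_class)]
    rng.shuffle(data)
    cut = int(0.7 * len(data))
    net, sigma = train_until_tests_pass(data[:cut], data[cut:])
    return {
        "sigma": sigma,
        "test_errors": sum(net.predict(f) != label for f, label in data[cut:]),
        "fresh_botnet": net.predict(complexity_features(synth_packets(rng, n_bins, True), n_bins)),
        "fresh_normal": net.predict(complexity_features(synth_packets(rng, n_bins, False), n_bins)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Permutation entropy depends only on the ordering of successive values, not on their magnitude, which is why a beaconing series gives a low value (a period-2 beacon with m=3 produces just two of the six ordinal patterns) while random per-bin counts give a value close to 1. The acceptance loop only reports that every test sample was classified correctly; whether that is enough depends on how representative the captured normal and botnet traffic is of the environment the network is later applied to.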
Fig. 5 is a schematic diagram of the hardware structure of a P2P botnet detection device 50 based on network complexity features and a probabilistic neural network provided by an embodiment of the invention, comprising:
a memory 51 for storing a computer program;
a processor 52 for executing the computer program to implement the steps of the P2P botnet detection method based on network complexity features and a probabilistic neural network described above.
An embodiment of the invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it implements the steps of the P2P botnet detection method based on network complexity features and a probabilistic neural network described above.
The P2P botnet detection method, device and medium based on network complexity features and a probabilistic neural network provided by the embodiments of the invention have been described in detail above. The embodiments in this specification are described progressively; each focuses on its differences from the other embodiments, and the identical or similar parts of the embodiments may be understood by reference to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is comparatively brief and refers to the description of the method. It should be pointed out that those skilled in the art can make several improvements and modifications to the invention without departing from its principle, and such improvements and modifications also fall within the protection scope of the claims of the invention.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To illustrate the interchangeability of hardware and software clearly, the composition and steps of each example have been described above in terms of their function. Whether these functions are implemented in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be regarded as going beyond the scope of the invention.
The steps of the method or algorithm described in the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.

Claims (10)

1. A P2P botnet detection method based on network complexity features and a probabilistic neural network, characterized in that it comprises:
obtaining network traffic data, wherein the network traffic data comprises normal network traffic data captured in a normal network environment and abnormal network traffic data captured in a P2P botnet network environment;
dividing the network traffic data into packets of different types and calculating the network complexity feature of each type of packet;
using each network complexity feature and its corresponding P2P botnet outbreak result as sample data to train a probabilistic neural network, obtaining a probabilistic neural network that meets an accuracy requirement;
processing network traffic data to be detected with the probabilistic neural network to obtain the P2P botnet outbreak result corresponding to the network traffic data to be detected.
2. The method according to claim 1, characterized in that the network traffic data comprises TCP packets, UDP packets, ICMP packets and SMTP packets.
3. The method according to claim 2, characterized in that the network complexity features of the respective packet types comprise the permutation entropy of the TCP packets, the permutation entropy of the UDP packets, the permutation entropy of the ICMP packets and the permutation entropy of the SMTP packets.
4. The method according to claim 1, characterized in that processing the network traffic data to be detected with the probabilistic neural network to obtain the P2P botnet outbreak result corresponding to the network traffic data to be detected comprises:
dividing the network traffic data to be detected into packets of different types according to packet type;
calculating the network complexity feature of each type of packet;
inputting each network complexity feature into the probabilistic neural network to obtain the P2P botnet outbreak result corresponding to the network traffic data to be detected.
5. The method according to claim 4, characterized in that using each network complexity feature and its corresponding P2P botnet outbreak result as sample data to train the probabilistic neural network and obtain a probabilistic neural network meeting the accuracy requirement comprises:
using each network complexity feature and its corresponding P2P botnet outbreak result as sample data, and dividing the sample data into a training sample set and a test sample set;
training the probabilistic neural network with the training sample set to obtain a trained probabilistic neural network;
inputting a target test sample into the probabilistic neural network to obtain an output result, the target test sample being any test sample in the test sample set that has not yet been tested;
judging whether the output result is consistent with the P2P botnet outbreak result of the test sample;
if not, returning to the step of training the probabilistic neural network with the training sample set to obtain a trained probabilistic neural network;
if so, selecting an untested test sample from the test sample set as the target test sample and returning to the step of inputting the target test sample into the probabilistic neural network to obtain an output result, until all test samples in the test sample set have been tested, whereupon the probabilistic neural network is taken as the probabilistic neural network meeting the accuracy requirement.
6. A P2P botnet detection device based on network complexity features and a probabilistic neural network, characterized in that it comprises an acquiring unit, a feature calculation unit, a training unit and a processing unit;
the acquiring unit is configured to obtain network traffic data, wherein the network traffic data comprises normal network traffic data captured in a normal network environment and abnormal network traffic data captured in a P2P botnet network environment;
the feature calculation unit is configured to divide the network traffic data into packets of different types and calculate the network complexity feature of each type of packet;
the training unit is configured to use each network complexity feature and its corresponding P2P botnet outbreak result as sample data to train a probabilistic neural network, obtaining a probabilistic neural network that meets an accuracy requirement;
the processing unit is configured to process network traffic data to be detected with the probabilistic neural network, obtaining the P2P botnet outbreak result corresponding to the network traffic data to be detected.
7. The device according to claim 6, characterized in that the network traffic data comprises TCP packets, UDP packets, ICMP packets and SMTP packets.
8. The device according to claim 6, characterized in that the processing unit comprises a classification sub-unit, a computation sub-unit and an output sub-unit;
the classification sub-unit is configured to divide the network traffic data to be detected into packets of different types according to packet type;
the computation sub-unit is configured to calculate the network complexity feature of each type of packet;
the output sub-unit is configured to input each network complexity feature into the probabilistic neural network to obtain the P2P botnet outbreak result corresponding to the network traffic data to be detected.
9. A P2P botnet detection device based on network complexity features and a probabilistic neural network, characterized in that it comprises:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the P2P botnet detection method based on network complexity features and a probabilistic neural network according to any one of claims 1 to 5.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor it implements the steps of the P2P botnet detection method based on network complexity features and a probabilistic neural network according to any one of claims 1 to 5.
CN201910429784.2A 2019-05-22 2019-05-22 P2P botnet detection method, device and medium Expired - Fee Related CN110099073B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910429784.2A CN110099073B (en) 2019-05-22 2019-05-22 P2P botnet detection method, device and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910429784.2A CN110099073B (en) 2019-05-22 2019-05-22 P2P botnet detection method, device and medium

Publications (2)

Publication Number Publication Date
CN110099073A true CN110099073A (en) 2019-08-06
CN110099073B CN110099073B (en) 2021-07-06

Family

ID=67448918

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910429784.2A Expired - Fee Related CN110099073B (en) 2019-05-22 2019-05-22 P2P botnet detection method, device and medium

Country Status (1)

Country Link
CN (1) CN110099073B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111786951A (en) * 2020-05-28 2020-10-16 东方红卫星移动通信有限公司 Traffic data feature extraction method, malicious traffic identification method and network system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104897403A (en) * 2015-06-24 2015-09-09 北京航空航天大学 Self-adaption fault diagnosis method based on permutation entropy (PE) and manifold-based dynamic time warping (MDTW)
CN107992112A (en) * 2017-12-06 2018-05-04 浙江理工大学 A kind of control loop performance estimating method and system based on arrangement entropy
US20190116103A1 (en) * 2017-10-16 2019-04-18 Radware, Ltd. System and method for botnet identification

Also Published As

Publication number Publication date
CN110099073B (en) 2021-07-06

Similar Documents

Publication Publication Date Title
CN108600200B (en) Domain name detection method and device, computer equipment and storage medium
CN110505241B (en) Network attack plane detection method and system
Creech et al. Generation of a new IDS test dataset: Time to retire the KDD collection
CN111355697B (en) Detection method, device, equipment and storage medium for botnet domain name family
CN109347827A (en) Method, apparatus, equipment and the storage medium of attack prediction
EP3614645B1 (en) Embedded dga representations for botnet analysis
WO2014155051A1 (en) Method and apparatus for detecting a multi-stage event
Branch et al. Denial of service intrusion detection using time dependent deterministic finite automata
CN110300127A (en) A kind of network inbreak detection method based on deep learning, device and equipment
CN107948120A (en) leak detection method and device
Elejla et al. Labeled flow-based dataset of ICMPv6-based DDoS attacks
CN110135162A (en) The recognition methods of the back door WEBSHELL, device, equipment and storage medium
CN110545284A (en) Domain name detection method and system for antagonistic network
CN109525577A (en) Malware detection method based on HTTP behavior figure
CN109450880A (en) Detection method for phishing site, device and computer equipment based on decision tree
CN110099073A (en) A kind of P2P botnet detection method, device and medium
CN108427643A (en) Binary program fuzz testing method based on Multiple-population Genetic Algorithm
Singh et al. Fast model-based penetration testing
KR101073402B1 (en) Method for simulating and examining traffic and network traffic analysis system
CN110149331A (en) A kind of P2P botnet detection method, device and medium
Ying et al. PFrauDetector: a parallelized graph mining approach for efficient fraudulent phone call detection
Lima et al. An empirical investigation of attribute selection techniques based on Shannon, Rényi and Tsallis entropies for network intrusion detection
Said et al. Attention-based CNN-BiLSTM deep learning approach for network intrusion detection system in software defined networks
CN109995663B (en) Network information propagation method based on length constraint and no repeated path
Wang et al. Network intrusion detection with workflow feature definition using bp neural network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210706