The IRC botnet is the earliest and most influential family of botnets. Its defining characteristic is that the attacker controls many zombie hosts through the IRC protocol, using IRC channels as the command and control channel. Related research analyzes the large volume of network traffic generated by the command interaction between the botnet client and the C&C server. Packet capture and traffic monitoring on the network is currently the more effective detection method, but this information does not reflect the essential characteristics of the IRC botnet, and the number of false judgments has often increased. To identify whether botnet control servers belong to a homologous botnet, dynamic network communication characteristic curves are extracted. For time series of unequal length, dynamic time warping distance clustering is used to identify homologous botnets by category, and to improve detection speed, the experiments use SAX to reduce the dimension of the extracted curves, lowering the time cost without reducing the accuracy.
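The following is an added illustration of the pipeline the abstract describes and is not code from the paper: three constructed communication characteristic curves of unequal length (packets sent to the control server per interval, with hypothetical host names) are z-normalised, reduced with SAX/PAA, and grouped by DTW distance so that the two hosts with the same beaconing rhythm fall into one cluster. The segment count, alphabet size and clustering threshold are assumptions chosen for the sample data.

```python
import math

# Constructed sample "communication characteristic curves": packets sent to the
# C&C server per 10 s interval for three hosts (not real captures; lengths differ).
CURVES = {
    "bot_a":    [2, 2, 3, 9, 8, 2, 2, 2, 10, 9, 2, 2],
    "bot_b":    [2, 3, 2, 2, 9, 9, 3, 2, 2, 2, 10, 8, 2, 2, 3],
    "server_x": [5, 5, 6, 5, 4, 5, 6, 5, 5, 4],
}

def dtw_distance(a, b):
    """Dynamic time warping distance (absolute-difference cost) for series of unequal length."""
    n, m = len(a), len(b)
    cost = [[math.inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost[i][j] = abs(a[i - 1] - b[j - 1]) + min(
                cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[n][m]

# Gaussian breakpoints for a 4-letter SAX alphabet (equiprobable regions of N(0,1)).
BREAKPOINTS = [-0.67, 0.0, 0.67]

def sax(series, segments):
    """Z-normalise, reduce to `segments` PAA means, and map each mean to a letter a-d.
    Returns (paa_values, sax_word). Requires len(series) >= segments."""
    mean = sum(series) / len(series)
    std = math.sqrt(sum((x - mean) ** 2 for x in series) / len(series)) or 1.0
    z = [(x - mean) / std for x in series]
    n = len(z)
    paa = [sum(z[s * n // segments:(s + 1) * n // segments]) /
           ((s + 1) * n // segments - s * n // segments) for s in range(segments)]
    word = "".join("abcd"[sum(v > bp for bp in BREAKPOINTS)] for v in paa)
    return paa, word

def cluster_curves(curves, segments=6, threshold=2.0):
    """Single-pass clustering on the PAA-reduced curves: a curve joins the first
    cluster whose representative lies within `threshold` DTW distance, else starts one.
    Running DTW on the 6-point PAA vectors instead of the raw curves is the speed-up."""
    reps, labels = [], {}
    for name, series in curves.items():
        paa, _ = sax(series, segments)
        for cid, rep in enumerate(reps):
            if dtw_distance(paa, rep) <= threshold:
                labels[name] = cid
                break
        else:
            labels[name] = len(reps)
            reps.append(paa)
    return labels

if __name__ == "__main__":
    for name, series in CURVES.items():
        print(name, sax(series, 6)[1])
    print(cluster_curves(CURVES))  # bot_a and bot_b share a cluster; server_x does not
```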