| | Chinese Journal of Computers Full Text |
| Title | IRC Botnet Detection Based on Host Behavior |
| Authors | WANG Wei 1),2); FANG Bin-Xing 1),2); CUI Xiang 2) |
| Address | 1)(Research Center of Computer Network and Information Security, Harbin Institute of Technology, Harbin 150001) 2)(Research Center of Information Security, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190) |
| Year | 2009 |
| Issue | No.10(1980-1988) |
| Abstract & Background | Abstract: There are two problems in current algorithms for IRC botnet detection. One is that the detection algorithms require some prior knowledge of botnets to generate matching patterns. The other is that the algorithms cannot perform detection online. To solve these problems, this paper proposes two IRC botnet detection algorithms based on host behavior. Three attributes, LCS_rate, compositive distance and RN_dice coefficient, are discussed to quantify the similarity of nicknames from three aspects: content, composition and structure. To detect IRC botnets online, an extended TRW algorithm based on the similarity of nicknames is proposed. This paper also proposes a detection algorithm based on the command sequence of IRC clients. Evaluations of these algorithms indicate that the two algorithms are correct and valid. Finally, the detection algorithms are used in a large-scale network to detect IRC botnets, and they detect 162 bot channels within two weeks. Keywords: botnet; IRC nickname; command sequence; similarity measurement |