[1] VORMAYR G, ZSEBY T, FABINI J. Botnet communication patterns[J]. IEEE Communications Surveys & Tutorials, 2017, 19(4): 2768-2796.
[2] VINAYAKUMAR R, ALAZAB M, SRINIVASAN S, et al. A visualized botnet detection system based deep learning for the internet of things networks of smart cities[J]. IEEE Transactions on Industry Applications, 2020, 56(4): 4436-4456.
[3] HASAN M. State of IoT 2022: Number of connected IoT devices growing 18% to 14.4 billion globally[EB/OL]. 2022 [2022-05-18]. https://iot-analytics.com/number-connected-iot-devices.
[4] ALI I, AHMED A I A, ALMOGREN A, et al. Systematic literature review on IoT-based botnet attack[J]. IEEE Access, 2020, 8: 212220-212232.
[5] ANTONAKAKIS M, APRIL T, BAILEY M, et al. Understanding the mirai botnet[C]//26th USENIX security symposium (USENIX Security 17). 2017: 1093-1110.
[6] BARRADAS D, SANTOS N, RODRIGUES L, et al. FlowLens: Enabling Efficient Flow Classification for ML-based Network Security Applications[C]//NDSS. 2021.
[7] GARRE J T M, PÉREZ M G, RUIZ-MARTÍNEZ A. A novel Machine Learning-based approach for the detection of SSH botnet infection[J]. Future Generation Computer Systems, 2021, 115: 387-396.
[8] HOUIDI Z B, AZORIN R, GALLO M, et al. Towards a systematic multi-modal representation learning for network data[C]//The 21st ACM Workshop on Hot Topics in Networks. 2022: 181-187.
[9] WIKIPEDIA. One-hot[EB/OL]. 2023 [2023-02-25]. https://en.wikipedia.org/wiki/One-hot.
[10] JIE L, JIAHAO C, XUEQIN Z, et al. One-hot encoding and convolutional neural network based anomaly detection[J]. Journal of Tsinghua University (Science and Technology), 2019, 59(7): 523-529.
[11] RING M, SCHLÖR D, LANDES D, et al. Flow-based network traffic generation using generative adversarial networks[J]. Computers & Security, 2019, 82: 156-172.
[12] MIKOLOV T, SUTSKEVER I, CHEN K, et al. Distributed representations of words and phrases and their compositionality[C]//Advances in neural information processing systems: Vol. 26. 2013.
[13] MIKOLOV T, CHEN K, CORRADO G, et al. Efficient Estimation of Word Representations in Vector Space[M/OL]. arXiv, 2013. https://arxiv.org/abs/1301.3781.
[14] RING M, DALLMANN A, LANDES D, et al. Ip2vec: Learning similarities between ip addresses[C]//2017 IEEE International Conference on Data Mining Workshops (ICDMW). IEEE, 2017: 657-666.
[15] COHEN D, MIRSKY Y, KAMP M, et al. DANTE: A framework for mining and monitoring darknet traffic[C]//Computer Security–ESORICS 2020: 25th European Symposium on Research in Computer Security, ESORICS 2020, Guildford, UK, September 14–18, 2020, Proceedings, Part I 25. Springer, 2020: 88-109.
[16] GIOACCHINI L, VASSIO L, MELLIA M, et al. Darkvec: Automatic analysis of darknet traffic with word embeddings[C]//The 17th International Conference on emerging Networking EXperiments and Technologies. 2021: 76-89.
[17] XING Y, SHU H, ZHAO H, et al. Survey on botnet detection techniques: classification, methods, and evaluation[J]. Mathematical Problems in Engineering, 2021, 2021: 1-24.
[18] XIE Y, YU F, ACHAN K, et al. Spamming botnets: signatures and characteristics[J]. ACM SIGCOMM Computer Communication Review, 2008, 38(4): 171-182.
[19] LIU L, CHEN S, YAN G, et al. Bottracer: Execution-based bot-like malware detection[C]//Information Security: 11th International Conference, ISC 2008, Taipei, Taiwan, September 15–18, 2008. Proceedings 11. Springer, 2008: 97-113.
[20] APOSTOL I, PREDA M, NILA C, et al. IoT botnet anomaly detection using unsupervised deep learning[J]. Electronics, 2021, 10(16): 1876.
[21] XING Y, SHU H, KANG F. PeerRemove: An Adaptive Node Removal Strategy for P2P Botnet Based on Deep Reinforcement Learning[J]. Computers & Security, 2023: 103129.
[22] CHOWDHURY S, KHANZADEH M, AKULA R, et al. Botnet detection using graph-based feature clustering[J]. Journal of Big Data, 2017, 4: 1-23.
[23] FRANÇOIS J, WANG S, ENGEL T, et al. BotTrack: tracking botnets using NetFlow and PageRank[C]//10th IFIP Networking Conference (NETWORKING): Part I. Springer, 2011: 1-14.
[24] ZHUANG D, CHANG J M. Peerhunter: Detecting peer-to-peer botnets through community behavior analysis[C]//2017 IEEE Conference on Dependable and Secure Computing. IEEE, 2017: 493-500.
[25] WANG J, PASCHALIDIS I C. Botnet detection based on anomaly and community detection[J]. IEEE Transactions on Control of Network Systems, 2016, 4(2): 392-404.
[26] AL SHORMAN A, FARIS H, ALJARAH I. Unsupervised intelligent system based on one class support vector machine and Grey Wolf optimization for IoT botnet detection[J]. Journal of Ambient Intelligence and Humanized Computing, 2020, 11: 2809-2825.
[27] AWS, Inc. What is NLP?[EB/OL]. 2023. https://aws.amazon.com/cn/what-is/nlp.
[28] LAI S, LIU K, HE S, et al. How to generate a good word embedding[J]. IEEE Intelligent Systems, 2016, 31(6): 5-14.
[29] LIU Z, NAMKUNG H, NIKOLAIDIS G, et al. Jaqen: A High-Performance Switch-Native Approach for Detecting and Mitigating Volumetric DDoS Attacks with Programmable Switches[C]//30th USENIX Security Symposium (USENIX Security 21). Virtual Conference, 2021: 3829-3846.
[30] CRISCUOLO P J. Distributed denial of service: Trin00, tribe flood network, tribe flood network 2000, and stacheldraht ciac-2319[R]. California Univ Livermore Radiation Lab, 2000.
[31] ZARGAR S T, JOSHI J, TIPPER D. A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks[J]. IEEE communications surveys & tutorials, 2013, 15(4): 2046-2069.
[32] Cloudflare, Inc. Blockbuster DDoS attack | Largest DDoS attack ever[EB/OL]. 2023 [2023-02-25]. https://www.cloudflare.com/zh-cn/learning/ddos/famous-ddos-attacks.
[33] TYAGI A K, AGHILA G. A wide scale survey on botnet[J]. International Journal of Computer Applications, 2011, 34(9): 10-23.
[34] KREBS B. Mirai Botnet Authors Avoid Jail Time[EB/OL]. 2018 [2018-09-18]. https://krebsonsecurity.com/2018/09/mirai-botnet-authors-avoid-jail-time.
[35] GRIFFIOEN H, DOERR C. Examining mirai’s battle over the internet of things[C]//The 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 743-756.
[36] HERWIG S, HARVEY K, HUGHEY G, et al. Measurement and analysis of Hajime, a peer-to-peer IoT botnet[C]//Network and Distributed Systems Security (NDSS) Symposium. San Diego, California, USA, 2019.
[37] EDWARDS S, PROFETIS I. Hajime: Analysis of a decentralized internet worm for IoT devices[J]. Rapidity Networks, 2016, 16: 1-18.
[38] CVITIĆ I, PERAKOVIĆ D, PERIŠA M, et al. Novel approach for detection of IoT generated DDoS traffic[J]. Wireless Networks, 2021, 27(3): 1573-1586.
[39] XIA H, LI L, CHENG X, et al. Modeling and analysis botnet propagation in social internet of things[J]. IEEE Internet of Things Journal, 2020, 7(8): 7470-7481.
[40] WANG A, CHANG W, CHEN S, et al. Delving into internet DDoS attacks by botnets: characterization and analysis[J]. IEEE/ACM Transactions on Networking, 2018, 26(6): 2843-2855.
[41] LASTDRAGER E, HESSELMAN C, JANSEN J, et al. Protecting home networks from insecure IoT devices[C]//NOMS 2020-2020 IEEE/IFIP Network Operations and Management Symposium. Budapest, Hungary: IEEE, 2020: 1-6.
[42] MCDERMOTT C D, MAJDANI F, PETROVSKI A V. Botnet detection in the internet of things using deep learning approaches[C]//2018 international joint conference on neural networks (IJCNN). IEEE, 2018: 1-8.
[43] ALAUTHMAN M, ASLAM N, AL-KASASSBEH M, et al. An efficient reinforcement learning-based Botnet detection approach[J]. Journal of Network and Computer Applications, 2020, 150: 102479.
[44] ZHAO Y, XIE Y, YU F, et al. Botgraph: large scale spamming botnet detection[C]//NSDI: Vol. 9. 2009: 321-334.
[45] SÜSSTRUNK S, BUCKLEY R, SWEN S. Standard RGB color spaces[C]//Proc. IS&T/SID 7th Color Imaging Conference: Vol. 7. 1999: 127-134.
[46] ALCOZ A G, STROHMEIER M, LENDERS V, et al. Aggregate-based congestion control for pulse-wave DDoS defense[C]//The ACM SIGCOMM 2022 Conference. 2022: 693-706.
[47] BENDER E M, GEBRU T, MCMILLAN-MAJOR A, et al. On the Dangers of Stochastic Parrots: Can Language Models Be Too Big?[C/OL]//FAccT ’21: The 2021 ACM Conference on Fairness, Accountability, and Transparency. New York, NY, USA: Association for Computing Machinery, 2021: 610–623. https://doi.org/10.1145/3442188.3445922.
[48] LIU P, YUAN W, FU J, et al. Pre-Train, Prompt, and Predict: A Systematic Survey of Prompting Methods in Natural Language Processing[J/OL]. ACM Comput. Surv., 2023, 55(9). https://doi.org/10.1145/3560815.
[49] MENON T. Empirical analysis of cbow and skip gram nlp models[D]. Portland: Portland State University, 2020.
[50] PANDIT S, GUPTA S, et al. A comparative study on distance measuring approaches for clustering[J]. International journal of research in computer science, 2011, 2(1): 29-31.
[51] Techopedia. What Does 5-Tuple Mean?[EB/OL]. 2014 [2014-05-21]. https://www.techopedia.com/definition/28190/5-tuple.
[52] ESTER M, KRIEGEL H P, SANDER J, et al. A density-based algorithm for discovering clusters in large spatial databases with noise[C]//kdd: Vol. 96. 1996: 226-231.
[53] BAILEY M, COOKE E, JAHANIAN F, et al. The internet motion sensor-a distributed blackhole monitoring system[C]//NDSS. 2005.
[54] CERON J M, STEDING-JESSEN K, HOEPERS C, et al. Improving iot botnet investigation using an adaptive network layer[J]. Sensors, 2019, 19(3): 727.
[55] THE SEARCH ENGINE. About OCLC: History of Cooperation[EB/OL]. 2023 [2023-02-25]. https://www.shodan.io.
[56] ESTER M, KRIEGEL H P, SANDER J, et al. A density-based algorithm for discovering clusters in large spatial databases with noise[C]//kdd: Vol. 96. 1996: 226-231.
[57] BLONDEL V D, GUILLAUME J L, LAMBIOTTE R, et al. Fast unfolding of communities in large networks[J]. Journal of statistical mechanics: theory and experiment, 2008, 2008(10): P10008.
[58] Enigma, Inc. Ares Botnet[EB/OL]. 2023 [2023-02-25]. https://www.enigmasoftware.com/aresbotnet-removal.
[59] 安全内参. IoT botnet Ares infects Android set-top boxes through open ADB ports[EB/OL]. 2019 [2019-08-29]. https://www.secrss.com/articles/13292.
[60] AUGUSTO R I, MARK V. Miori IoT Botnet Delivered via ThinkPHP Exploit[EB/OL]. 2018 [2018-12-20]. https://www.trendmicro.com/en_us/research/18/l/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit.html.
[61] SRISURESH P, EGEVANG K. Traditional IP network address translator (Traditional NAT)[R]. 2001.
[62] XeroBank, Inc. xB Browser is the free and open-source anonymous web browser[EB/OL]. 2023 [2023-02-25]. https://xb-browser.apponic.com.
[63] MEZQUITA Y, ALONSO R S, CASADO-VARA R, et al. A review of k-nn algorithm based on classical and quantum machine learning[C]//Distributed Computing and Artificial Intelligence, Special Sessions, 17th International Conference. Springer, 2021: 189-198.
[64] BIAU G, SCORNET E. A random forest guided tour[J]. Test, 2016, 25: 197-227.
[65] AGGARWAL C C, et al. Data mining: the textbook: Vol. 1[M]. Springer, 2015.
[66] 摘繁华. Common ports and ranges[EB/OL]. 2021 [2021-12-27]. https://cloud.tencent.com/developer/article/1925309.
[67] TECHNOLOGIES R. gensim–Topic Modelling in Python[EB/OL]. 2023 [2023-03-03]. https://github.com/RaRe-Technologies/gensim.
[68] CHRIS P. K Means[EB/OL]. 2013 [2012-09-01]. https://stanford.edu/~cpiech/cs221/handouts/kmeans.html.
[69] UNB. Intrusion Detection Evaluation Dataset(CICIDS2017)[EB/OL]. 2018 [2018-02-18]. https://www.unb.ca/cic/datasets/ids-2017.html.
[70] SHARAFALDIN I, LASHKARI A H, GHORBANI A A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization[J]. ICISSp, 2018, 1: 108-116.
[71] SWEETSOFTWARE. Ares[EB/OL]. 2023 [2023-02-25]. https://github.com/sweetsoftware/Ares.
[72] JOE T, ELIOT L, KUMIKO O. Service Name and Transport Protocol Port Number Registry[EB/OL]. 2023 [2023-04-13]. https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=1.
[73] BIRANT D, KUT A. ST-DBSCAN: An algorithm for clustering spatial–temporal data[J]. Data & knowledge engineering, 2007, 60(1): 208-221.
[74] ARANGANAYAGI S, THANGAVEL K. Clustering categorical data using silhouette coefficient as a relocating measure[C]//International conference on computational intelligence and multimedia applications (ICCIMA 2007): Vol. 2. IEEE, 2007: 13-17.
[75] VERLEYSEN M, FRANÇOIS D. The curse of dimensionality in data mining and time series prediction[C]//Computational Intelligence and Bioinspired Systems: 8th International Work-Conference on Artificial Neural Networks, IWANN 2005, Vilanova i la Geltrú, Barcelona, Spain, June 8-10, 2005. Proceedings 8. Springer, 2005: 758-770.
[76] ZAKARIA J. A Step-by-Step Explanation of Principal Component Analysis (PCA)[EB/OL]. 2022 [2022-09-26]. https://builtin.com/data-science/step-step-explanation-principal-component-analysis.
[77] VAN DER MAATEN L, HINTON G. Visualizing data using t-SNE[J]. Journal of machine learning research, 2008, 9(11).
[78] YA L. P2P botnets: review, current status, continuous monitoring[EB/OL]. 2022 [2022-11-30]. https://blog.netlab.360.com/p2p-botnet-monitor.