Botnet risk assessment method and device

A risk assessment and botnet technology, applied in secure communication devices, digital transmission systems, instruments, etc. It addresses problems such as reliance on a single means of detection, difficulty in processing encrypted traffic, and the lack of botnet risk assessment methods and devices, with the stated effects of improved comprehensive benefits, high commercial value, and ease of use.

Pending Publication Date: 2022-04-29
CHINA PACIFIC INSURANCE (GRP) CO LTD

AI Technical Summary

Problems solved by technology

[0004] Existing methods for responding to botnet risks rely mainly on two types of C&C identification and detection technology. One is feature-matching detection based on rule engines, such as detecting HTTP traffic header information, attack characteristics, etc., but rule-based matching tends to produce a high false positive rate and has difficulty detecting new types of attacks. The other is to manually analyze and detect abnormal traffic based on network capture, which is inefficient, is especially difficult to apply to encrypted traffic, and also has a high false positive rate.
[0005] At the same time, the existing technology has various defects, such as simple detection scenarios, a single means of detection, low efficiency, a high false alarm rate, and insufficient early prediction ability for new types of attack. There is also no automated platform that implements this kind of detection technology and provides a closed-loop system for decision support, threat warning and intervention.
[0006] At present, no technical solution solves the above technical problems; specifically, there is no method and device for botnet risk assessment.


Embodiment Construction

[0037] In order to better clearly express the technical solution of the present invention, the present invention will be further described below in conjunction with the accompanying drawings.

[0038] Figure 1 shows a schematic flow chart of a botnet risk assessment method according to a specific implementation of the present invention. The present invention discloses a botnet risk assessment method that establishes a fusion of multi-scenario, multi-dimensional models based on the enterprise's internal basic security data and public data samples, combined with a big data security platform, for real-time and effective assessment of security risks. The present invention is a C&C botnet risk assessment method and system based on a big data AI platform, characterized in that: based on the enterprise's internal basic security data and public data samples, a fusion of multi-scenario and multi-dimensional models is established, combined with a big data security platform for real-time and...


Abstract

The invention provides a botnet risk assessment method comprising the following steps: a, performing data cleaning on client data and substituting the client data into a C&C model, a deep learning DGA model and a relation graph fastflux model, and obtaining from the output results the associated domain name risk suspicion degree Pc, domain name threat probability Pd and threat degree probability Pf; b, inputting at least the associated domain name risk suspicion degree Pc, the domain name threat probability Pd, the threat degree probability Pf and a marked sample y value into a traditional machine learning model LR to determine a comprehensive threat score, where the marked sample y is determined at least through a public data sample and a black sample of enterprise internal basic security data. Before the client data is substituted into the C&C model, at least the client data is subjected to feature engineering processing to determine a plurality of derivative variables, and the feature engineering processing at least comprises calculation of a beacon score, a transverse UA (Unified Architecture) probability degree and a longitudinal UA probability degree. The method is simple in process and convenient to use, and has extremely high commercial value.
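The fusion in step b, sketched as an added example that is not taken from the patent: a logistic regression (LR) trained on the three sub-model outputs Pc, Pd, Pf and the label y, then used to produce the comprehensive threat score. The training rows, hyperparameters and function names are constructed for illustration; the text available here does not describe the sub-models' internals or how the LR is trained.

```python
import math

# Constructed training rows (Pc, Pd, Pf, y): y=1 stands for a black sample,
# y=0 for a benign one. Real rows would come from the three sub-models.
SAMPLES = [
    (0.92, 0.88, 0.75, 1), (0.81, 0.95, 0.60, 1),
    (0.70, 0.65, 0.90, 1), (0.88, 0.40, 0.85, 1),
    (0.10, 0.05, 0.20, 0), (0.25, 0.15, 0.05, 0),
    (0.30, 0.35, 0.10, 0), (0.05, 0.45, 0.15, 0),
]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def train_lr(samples, epochs=3000, rate=0.5, l2=0.01):
    """Batch gradient descent on log loss with an L2 penalty on the weights."""
    w, b, n = [0.0, 0.0, 0.0], 0.0, len(samples)
    for _ in range(epochs):
        gw, gb = [0.0, 0.0, 0.0], 0.0
        for *x, y in samples:
            err = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            for i in range(3):
                gw[i] += err * x[i]
            gb += err
        w = [wi - rate * (g / n + l2 * wi) for wi, g in zip(w, gw)]
        b -= rate * gb / n
    return w, b

def threat_score(model, pc, pd, pf):
    """Comprehensive threat score in (0, 1) for one domain's Pc, Pd, Pf."""
    for p in (pc, pd, pf):
        if not 0.0 <= p <= 1.0:
            raise ValueError("sub-model outputs must be probabilities in [0, 1]")
    w, b = model
    return sigmoid(b + w[0] * pc + w[1] * pd + w[2] * pf)

def training_accuracy(model, samples, threshold=0.5):
    """Fraction of labelled rows the fused score puts on the right side."""
    hits = sum((threat_score(model, *x) >= threshold) == bool(y)
               for *x, y in samples)
    return hits / len(samples)

MODEL = train_lr(SAMPLES)

if __name__ == "__main__":
    print("weights, bias:", MODEL)
    print("score(0.9, 0.9, 0.9) =", round(threat_score(MODEL, 0.9, 0.9, 0.9), 3))
    print("score(0.1, 0.1, 0.1) =", round(threat_score(MODEL, 0.1, 0.1, 0.1), 3))
```

The learned weights show how much each sub-model contributes to the final score, which is worth reviewing when one detector is known to be noisier than the others.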

Description

Technical field

[0001] The invention belongs to the technical field of network security, and in particular relates to a botnet risk assessment method and device.

Background technique

[0002] A botnet consists of a series of malware-infected hosts that are remotely controlled by a host known as a botmaster. Botnets can be used to perform a range of malicious activities, such as distributed denial of service attacks, sending spam, stealing personal information, performing distributed computing tasks, and more. Botnet communication methods mainly include central, P2P and mixed methods. In the central method, zombie hosts (bots) communicate through legitimate communication channels, generally using IRC (Internet Relay Chat). When a host is infected, it establishes a connection with the IRC server. The botmaster establishes an IRC command and control (C&C) channel to control the zombie host, and implements instructions such as issuing intrusion commands and updating the...


Application Information

IPC(8): H04L9/40, G06N20/00
CPC: H04L63/1416, H04L63/1441, G06N20/00
Inventor 李佚蝶
Owner CHINA PACIFIC INSURANCE (GRP) CO LTD