CAJ | 학술논문

　　目前主流的僵尸网络检测方法主要利用网络流量分析技术，这往往需要数据包的内部信息，或者依赖于外部系统提供的信息或僵尸主机的恶意行为，并且大多数方法不能自动存储僵尸网络的流量特征，不具有联想记忆功能。为此提出了一种基于 BP 神经网络的僵尸网络检测方法，通过大量的僵尸网络和正常流量样本训练 BP 神经网络分类器，使其学会辨认僵尸网络的流量，自动记忆僵尸流量特征，从而有效检测出被感染的主机。该神经网络分类器以主机对为分析对象，提取2个主机间通信的流量特征，将主机对的特征向量作为输入，有效地区分出正常主机和僵尸主机。实验表明，该方法的检测率达到99％，误报率在1％以下，具有良好的性能。
　　목전주류적강시망락검측방법주요이용망락류량분석기술，저왕왕수요수거포적내부신식，혹자의뢰우외부계통제공적신식혹강시주궤적악의행위，병차대다수방법불능자동존저강시망락적류량특정，불구유련상기억공능。위차제출료일충기우 BP 신경망락적강시망락검측방법，통과대량적강시망락화정상류량양본훈련 BP 신경망락분류기，사기학회변인강시망락적류량，자동기억강시류량특정，종이유효검측출피감염적주궤。해신경망락분류기이주궤대위분석대상，제취2개주궤간통신적류량특정，장주궤대적특정향량작위수입，유효지구분출정상주궤화강시주궤。실험표명，해방법적검측솔체도99％，오보솔재1％이하，구유량호적성능。
The most current botnet detection algorithm are typically based on network traffic analyzing technologies that usually need packet payload .The botnet detection algorithm also relies on information obtained by external sys -tems or malicious behaviors of bots that do not automatically store the features of botnet traffic and do not have the ability of associative memory.As a result, this paper proposes a botnet detection algorithm based on BP neural net -work which trains the BP neural network classifier through a lot of botnet and normal traffic samples and allows it to learn how to identify botnet traffic and automatically remember the features of botnet traffic and therefore , detect the infected hosts effectively.The neural network classifier takes the host -pairs as analysis objects, extracts the traffic features of communications between two hosts and takes the feature vectors of host -pairs as input, thus, effectively distinguishing the normal hosts and bots .The experimental results show that the detection rate of our algorithm can achieve to 99% and the false positive rate is below 1% and the algorithm has a good performance .