A Botnet is formed when a large number of hosts are infected with a Bot program through one or more propagation means, so that a one-to-many control network arises between the controller and the infected hosts. Bot is the abbreviation for robot, and a Bot program is a program which can be executed to implement predefined functions, is remotely controlled by predefined commands, and is characterized by a certain degree of artificial intelligence. A Bot host is a computer carrying a Bot or another remotely controllable program, and such a host can be remotely controlled by an attacker.
A Botnet is an attack platform from which various network attacks may be launched to break down an entire infrastructure network or an important application system, steal large amounts of secret information or personal privacy, or commit crimes such as network fraud. A Botnet may be used to launch network attacks such as Distributed Denial of Service (DDoS) attacks, send junk mail, steal secrets, and abuse network resources. These network attacks have serious consequences for both the entire network and its users.
At present, the topology of a Botnet is diverse. One Botnet topology is a multi-level control tree, and another is based on the Internet Relay Chat (IRC) protocol. In an IRC-based Botnet, the controller creates a communication channel on an IRC server, and each Bot host logs in to the IRC server and joins the communication channel beforehand to wait for instructions from the controller. The controller issues instructions on the specified channel of the IRC server, and a Bot host launches an attack by executing an instruction upon receiving it. Another Botnet topology is based on a Peer-to-Peer (P2P) structure.
In the conventional art, a Botnet is detected in two ways. One method is to obtain a sample of the Bot program by means such as a honeypot, analyze the malicious code through reverse engineering to extract the hidden information required for logging in to the Botnet, and use a customized Bot program to log in to the Botnet and take further actions. The other method is to study the changes in network traffic caused by the behaviour of Bot hosts, and to identify the Botnet using offline and online analysis methods.
In the process of developing the present invention, the inventor found that the conventional art supports neither real-time monitoring of a Botnet nor generation of the Botnet topology.