Botnet Host Detection Based on Heartbeat Association
W. Ding, Zidong Hua, Patrick Li, Qiushi Gong, Yuxi Cheng
International Conference on Cryptography, Security and Privacy
DOI: 10.1145/3377644.3377653 (https://doi.org/10.1145/3377644.3377653)
Citation count: 0
Abstract
As a common means of communication, heartbeats are often used by network applications. Hosts with the same heartbeat tend to run the same applications and thus share homogeneous vulnerabilities. Based on the detected heartbeats, the paper designs the heartbeat network, the heartbeat associated graph, and an attribute propagation algorithm based on the heartbeat associated graph. The paper takes the distributed denial of service (DDoS) malicious host information provided by the intrusion detection system (IDS) deployed on the boundary of the China Education and Research Network (CERNET) Nanjing master node network as the attribute, and constructs the associated graph from the User Datagram Protocol (UDP) heartbeat detection results at the same location. The attribute propagation algorithm was tested for 17 days. The results show that the method can effectively detect DDoS malicious hosts that are not located by the IDS.