IRC botnets' homology identifying method based on dynamic time warping distance of communication feature curves

IRC botnet can be regarded as a collection of compromised computers (called Zombie computers) running software under the command-and-control infrastructure constructed by IRC server. The connection between botnet server and bots are usually very dynamic. In order to describe a botnet at a finer granularity, some work identify homologous IRC botnets based on similarity of IRC botnets. The similarity of IRC botnets are measured by multi-dimensional data obtained from the infiltrated botnets, that is, some information, such as server version, IP address of IRC server, DNS name of IRC server, IRC server/network name, and botmaster ID, can be obtained by joining the command and control channel.Because such information doesn't represent the essential characteristic of botnets, and with the upgrade of server version, obtaining the information such as botmaster ID becomes more difficult and the error ratio of the model is hard to be bounded. A method is proposed, which identifies homologous botnets by extracting communication feature curves and computs the dynamic time warping distance between the curves, distills and uses the feature points of communication curves to increase the precision, and uses improved LB_PAA to reduce calculated amount. Experiments were carried out and the error rates were evaluated and shown.