Journal of Information Security Research, 2022, Vol. 8, Issue 7: 707-.


Visualization Analysis of Multilevel Control Relations of Botnet

  

Online: 2022-07-04. Published: 2022-07-04.


付博扬 (1), 严寒冰 (1, 2)

1. School of Computer Science and Engineering, Beihang University, Beijing 100191
2. National Computer Network Emergency Response Technical Team / Coordination Center of China, Beijing 100094

Corresponding author: 付博扬, PhD candidate; main research interest: network security. 592794057@qq.com

About the authors: 付博扬, PhD candidate; main research interest: network security. 592794057@qq.com. 严寒冰, PhD, professor-level senior engineer; main research interest: network security. yhb@cert.org.cn

Abstract: Network attacks, especially APT attacks, generally use compromised devices as springboards and carry out the attack through subordinate controlled devices, while the attacker's identity stays hidden in the network. Botnets led by Mirai usually use C&C servers to control their bots, and there are often multilevel control relations among the bots, so anomaly detection on a single node is often unable to solve the problem. This paper proposes a visualization analysis system for the multilevel control relations of botnets: it filters control nodes by flow characteristics, sorts out the control behaviors, and exports the relational data through a graph database for visualization, so that the multilevel control relations between nodes can be seen intuitively, the springboard nodes can be identified, and the botnet can be traced back to its hidden botmaster nodes.


Key words: botnet, network flow, behavior analysis, multi-level control relations, visualization
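The pipeline the abstract sketches, as an added example that is not the paper's own code: constructed flow records are filtered with a hypothetical control-traffic heuristic (many repeated sessions, more bytes received than sent), turned into directed controller-to-bot edges, walked to expose multilevel chains and springboard nodes, and emitted as Cypher statements for a graph database. Hosts, ports and thresholds are all constructed sample values.

```python
"""Added example (not the paper's own code): reconstruct multilevel control
relations from constructed flow records and flag springboard nodes."""
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, bytes_out, bytes_in, sessions).
# The bot is the initiator, so the controller is the flow's destination.
FLOWS = [
    ("192.0.2.10", "10.0.0.7", 23, 1200, 15000, 40),       # bot -> intermediate
    ("192.0.2.11", "10.0.0.7", 23, 900, 12000, 30),        # bot -> intermediate
    ("10.0.0.7", "203.0.113.9", 6667, 800, 20000, 25),     # intermediate -> upstream
    ("192.0.2.10", "198.51.100.20", 443, 500, 900000, 1),  # ordinary download
    ("192.0.2.12", "10.0.0.7", 23, 300, 400, 5),           # too few sessions
]

def filter_control_edges(flows, min_sessions=20):
    """Hypothetical flow filter: many repeated sessions with more bytes
    received than sent look like a bot polling its controller.
    Returns directed edges (controller, controlled)."""
    return {(dst, src) for src, dst, _port, out_b, in_b, n in flows
            if n >= min_sessions and in_b > out_b}

def degrees(edges):
    out_d, in_d = defaultdict(int), defaultdict(int)
    for ctl, bot in edges:
        out_d[ctl] += 1
        in_d[bot] += 1
    return out_d, in_d

def springboards(edges):
    """Nodes that are both controlled and controlling: the jump hosts."""
    out_d, in_d = degrees(edges)
    return sorted(n for n in out_d if in_d[n] > 0)

def control_chains(edges):
    """Root-to-leaf control paths; each root is a candidate hidden botmaster.
    A node already on the path is skipped so a cycle cannot recurse forever."""
    out_d, in_d = degrees(edges)
    children = defaultdict(list)
    for ctl, bot in edges:
        children[ctl].append(bot)
    def walk(node, path):
        if not children[node]:
            return [path]
        return [c for nxt in sorted(children[node]) if nxt not in path
                for c in walk(nxt, path + [nxt])]
    roots = sorted(n for n in out_d if in_d[n] == 0)
    return [chain for r in roots for chain in walk(r, [r])]

def to_cypher(edges):
    """Graph-database export (Cypher MERGE statements) for visualization."""
    return [f"MERGE (a:Host {{ip:'{c}'}}) MERGE (b:Host {{ip:'{b}'}}) "
            f"MERGE (a)-[:CONTROLS]->(b)" for c, b in sorted(edges)]
```

Running `control_chains(filter_control_edges(FLOWS))` yields two chains rooted at 203.0.113.9 through the springboard 10.0.0.7, which is the relation the visualization is meant to surface.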
