Authors
Vincenzo Matta, Mario Di Mauro, Maurizio Longo
Publication date
2017/8/28
Conference
2017 25th European Signal Processing Conference (EUSIPCO)
Pages
2171-2175
Publisher
IEEE
Description
In a randomized DDoS attack with increasing emulation dictionary, the bots try to hide their malicious activity by disguising their traffic patterns as "normal" traffic patterns. In this work, we extend the DDoS class introduced in [1], [2] to the case of a multi-clustered botnet, whose main feature is that the emulation dictionary is split over the botnet, giving rise to multiple botnet clusters. We propose two strategies to identify the botnet in such a challenging scenario, one based on cluster expurgation, the other one on a union rule. Consistency of both algorithms under ideal conditions is ascertained, while their performance is examined over real network traces.
Total citations
[Chart: citations per year, 2018 to 2023]
Scholar articles
V Matta, M Di Mauro, M Longo - 2017 25th European Signal Processing Conference …, 2017