Botnet Detection Method Based on Survival Analysis

Jiajia Wang, Yu Chen

Abstract


Botnets communicate over legitimate protocols, so it is difficult to capture botnet packets directly in a high-traffic, high-speed network. This paper therefore analyzed the data stream to identify botnet activity. First, we set up a mirror port on the core network equipment to view data flow information, and used a capture tool to collect and format the relevant packet information. Second, for the data flows in different units of time, life table analysis yielded different survival rates. Mantel-Cox analysis was then used to test the survival rates. Because a botnet must inform all of its bots before launching an attack, the abnormal condition can be detected before a cyber attack takes place.

Keywords


botnet, survival analysis, life table, Mantel-Cox


DOI
10.12783/dtetr/ismii2017/16670
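
The two statistical steps named in the abstract, as an added example that is not the authors' code: an actuarial life table per capture window, then a Mantel-Cox (log-rank) test between two windows. The abstract does not define the survival variable, so this sketch assumes it is flow duration in seconds, with a flow still open at the end of the window treated as censored; the sample flows and all names are constructed.

```python
import math

# Constructed sample windows: (flow_duration_seconds, ended); ended=False means
# the flow was still open when the capture window closed (censored).
BASELINE = [(d, True) for d in (5, 8, 12, 15, 20, 25, 30, 40, 50)] + [(60, False)]
SUSPECT = [(d, True) for d in (2, 3, 3, 4, 5, 5, 6, 8, 10, 12)]

def life_table(flows, width, n_bins):
    """Actuarial life table: cumulative survival at the end of each interval."""
    surv, s = [], 1.0
    for i in range(n_bins):
        lo, hi = i * width, (i + 1) * width
        entering = sum(1 for d, _ in flows if d >= lo)
        ended = sum(1 for d, e in flows if lo <= d < hi and e)
        censored = sum(1 for d, e in flows if lo <= d < hi and not e)
        exposed = entering - censored / 2.0  # censored flows count as half exposed
        if exposed > 0:
            s *= 1.0 - ended / exposed
        surv.append(s)
    return surv

def mantel_cox(a, b):
    """Log-rank test between two windows; returns (chi2, p) with 1 degree of freedom."""
    o_minus_e = var = 0.0
    for t in sorted({d for d, e in a + b if e}):       # distinct event times
        n1 = sum(1 for d, _ in a if d >= t)            # at risk in window a
        n2 = sum(1 for d, _ in b if d >= t)            # at risk in window b
        d1 = sum(1 for d, e in a if d == t and e)      # flows of a ending at t
        d2 = sum(1 for d, e in b if d == t and e)
        n, d = n1 + n2, d1 + d2
        o_minus_e += d1 - d * n1 / n                   # observed minus expected
        if n > 1:
            var += d * (n1 / n) * (n2 / n) * (n - d) / (n - 1)
    chi2 = o_minus_e ** 2 / var if var > 0 else 0.0
    # Chi-square survival function for 1 d.o.f. is erfc(sqrt(x / 2)).
    return chi2, math.erfc(math.sqrt(chi2 / 2.0))

def window_is_abnormal(baseline, window, alpha=0.01):
    """Flag a window whose survival curve differs significantly from baseline."""
    return mantel_cox(baseline, window)[1] < alpha

if __name__ == "__main__":
    print(life_table(BASELINE, 5, 3), life_table(SUSPECT, 5, 3))
    print(mantel_cox(BASELINE, SUSPECT), window_is_abnormal(BASELINE, SUSPECT))
```

The significance level `alpha` is an assumed threshold; the abstract does not state one.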
