Method and device for detecting family-scale abnormality of botnet

Document number: 172557  Publication date: 2021-10-29  Language: Chinese

Reading note: the technique 僵尸网络的家族规模的异常检测方法和装置 (Method and device for detecting family-scale abnormality of botnet) was designed and created by 郭晶, 温森浩, 姚力, 李友豪, 张红宝, 周忠义, 傅强, 阿曼太, 梁彧, 田野, 王杰, 杨 on 2021-07-23. Abstract: the embodiments of the invention relate to a method and a device for detecting family-scale anomalies of a botnet, an electronic device and a storage medium, in the technical field of network security. The method comprises: counting, from historical data, the number of propagation sources of the botnet family in each predetermined unit time length within a monitoring interval; generating a training sample set from those per-period counts and training an isolation forest model on it; monitoring in real time the number of propagation sources of the botnet family in the predetermined unit time length within the monitoring interval, and calculating the outlier score of that number under the isolation forest model; and detecting anomalies in the propagation of the botnet family according to the outlier score. This allows anomaly detection on both the family scale of the botnet and the trend of that scale, and automated monitoring of how the botnet develops.

1. A method for detecting a family-scale abnormality of a botnet, comprising:

counting the number of propagation sources of the botnet family in each preset unit time length in the monitoring interval according to historical data;

generating a training sample set according to the number of propagation sources in each preset unit time length, and training an isolation forest model according to the training sample set;

monitoring the number of propagation sources of the botnet family in the preset unit time length in the monitoring interval in real time, and calculating the outlier score of the number of propagation sources in the isolation forest model;

and carrying out abnormal detection on the propagation of the botnet family according to the abnormal value score.

2. The method of claim 1, wherein the anomaly detection of the botnet family propagation according to the outlier score comprises:

and comparing the abnormal value score with a set abnormal threshold value, and determining whether the propagation of the botnet family is abnormal or not according to a comparison result.

3. The method of claim 2, further comprising, prior to comparing the outlier score with the set anomaly threshold:

and receiving the set abnormal threshold set by the user.

4. The method of claim 1, wherein the anomaly detection of the botnet family propagation according to the outlier score comprises:

after a predetermined number of the outlier scores are obtained, anomaly detection is performed on the botnet family propagation according to a set anomaly ratio and each of the outlier scores.

5. The method of claim 4, further comprising, prior to detecting abnormalities in the botnet family propagation based on a set abnormality ratio and each of the abnormality value scores:

and receiving the set abnormal proportion set by the user.

6. The method of claim 1, wherein training an isolation forest model from the set of training samples comprises:

selecting a training sample subset from the training sample set;

training the isolation forest model according to the selected training sample subset.

7. The method of claim 1, wherein the predetermined unit time period is 1 hour.

8. An abnormality detection device for a family scale of botnet, comprising:

the history quantity acquisition unit is used for counting the quantity of the propagation sources of the botnet families in each preset unit time length in the monitoring interval according to the history data;

the model training unit is used for generating a training sample set according to the number of the propagation sources in each preset unit time length and training an isolation forest model according to the training sample set;

an abnormal value monitoring unit, configured to monitor, in real time, the number of propagation sources of the botnet family within the predetermined unit duration within the monitoring interval, and calculate an outlier score of the number of propagation sources in the isolation forest model;

and the abnormality judgment unit is used for carrying out abnormality detection on the propagation of the botnet family according to the abnormal value score.

9. An electronic device, comprising:

one or more processors; and

a memory to store executable instructions that, when executed by the one or more processors, cause the electronic device to perform the method of any of claims 1-7.

10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-7.

Technical Field

The embodiment of the invention relates to the technical field of network security, in particular to a method and a device for detecting family-scale abnormality of botnets, electronic equipment and a storage medium.

Background

A botnet is a one-to-many controllable network formed between a controller and the infected hosts by infecting a large number of hosts with bot programs (bots) through one or more propagation means.

Since their appearance, botnets have increasingly become a main threat to global network security. Whether the monitoring data of botnets can be analysed to build the capability of tracking how the number of propagation sources of a botnet family varies (in particular for botnet samples propagated in p2p form), so that effective early warning and intervention can be formed for a family whose size varies abnormally, is therefore an important part of botnet governance work.

Disclosure of Invention

In view of this, embodiments of the present invention provide a method, an apparatus, an electronic device, and a storage medium for detecting a family-scale anomaly of a botnet, so as to automatically monitor a development condition of the botnet.

Additional features and advantages of embodiments of the invention will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of embodiments of the invention.

In a first aspect of the present disclosure, an embodiment of the present invention provides a method for detecting a family-scale anomaly of a botnet, including:

counting the number of propagation sources of the botnet family in each preset unit time length in the monitoring interval according to historical data;

generating a training sample set according to the number of propagation sources in each preset unit time length, and training an isolation forest model according to the training sample set;

monitoring the number of propagation sources of the botnet family in the preset unit time length in the monitoring interval in real time, and calculating the outlier score of the number of propagation sources in the isolation forest model;

and carrying out abnormal detection on the propagation of the botnet family according to the abnormal value score.

In one embodiment, the detecting the abnormality of the propagation of the botnet family according to the outlier score comprises: and comparing the abnormal value score with a set abnormal threshold value, and determining whether the propagation of the botnet family is abnormal or not according to a comparison result.

In one embodiment, the method further comprises, before comparing the outlier score with the set anomaly threshold: receiving the set anomaly threshold set by the user.

In one embodiment, the detecting the abnormality of the propagation of the botnet family according to the outlier score comprises: after a predetermined number of the outlier scores are obtained, anomaly detection is performed on the botnet family propagation according to a set anomaly ratio and each of the outlier scores.

In one embodiment, before performing anomaly detection on the propagation of the botnet family according to the set anomaly ratio and each anomaly value score, the method further comprises: and receiving the set abnormal proportion set by the user.

In an embodiment, training the isolation forest model according to the training sample set includes: selecting a training sample subset from the training sample set; training the isolation forest model according to the selected training sample subset.

In one embodiment, the predetermined unit time is 1 hour.

In a second aspect of the present disclosure, an embodiment of the present invention further provides a device for detecting a family-scale abnormality of a botnet, including:

the history quantity acquisition unit is used for counting the quantity of the propagation sources of the botnet families in each preset unit time length in the monitoring interval according to the history data;

the model training unit is used for generating a training sample set according to the number of the propagation sources in each preset unit time length and training an isolation forest model according to the training sample set;

an abnormal value monitoring unit, configured to monitor, in real time, the number of propagation sources of the botnet family within the predetermined unit duration within the monitoring interval, and calculate an outlier score of the number of propagation sources in the isolation forest model;

and the abnormality judgment unit is used for carrying out abnormality detection on the propagation of the botnet family according to the abnormal value score.

In one embodiment, the abnormality determining unit is configured to: and comparing the abnormal value score with a set abnormal threshold value, and determining whether the propagation of the botnet family is abnormal or not according to a comparison result.

In an embodiment, the apparatus further includes an abnormality threshold receiving unit configured to receive a set abnormality threshold set by a user before comparing the abnormality value score with the set abnormality threshold.

In one embodiment, the abnormality determining unit is configured to: after a predetermined number of the outlier scores are obtained, anomaly detection is performed on the botnet family propagation according to a set anomaly ratio and each of the outlier scores.

In an embodiment, the apparatus further includes an abnormal ratio receiving unit configured to receive a set abnormal ratio set by a user before performing abnormal detection on propagation of the botnet family according to the set abnormal ratio and each abnormal value score.

In an embodiment, the model training unit trains the isolation forest model according to the training sample set by: selecting a training sample subset from the training sample set; and training the isolation forest model according to the selected training sample subset.

In one embodiment, the predetermined unit time is 1 hour.

In a third aspect of the disclosure, an electronic device is provided. The electronic device includes: a processor; and a memory for storing executable instructions that, when executed by the processor, cause the electronic device to perform the method of the first aspect.

In a fourth aspect of the disclosure, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the method in the first aspect.

The technical scheme provided by the embodiment of the invention has the beneficial technical effects that:

according to the embodiment of the invention, the number of propagation sources of the botnet family in each preset unit time length in the monitoring interval is counted according to the historical data; a training sample set is generated according to the number of propagation sources in each preset unit time length, and an isolation forest model is trained according to the training sample set; the number of propagation sources of the botnet family in the preset unit time length in the monitoring interval is monitored in real time, and the outlier score of the number of propagation sources in the isolation forest model is calculated; and anomaly detection is carried out on the propagation of the botnet family according to the outlier score, so that both the family scale of the botnet and the trend of that scale can be checked for anomalies, and the development of the botnet can be monitored automatically.

Drawings

In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly described below, and it is obvious that the drawings in the following description are only a part of the embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the contents of the embodiments of the present invention and the drawings without creative efforts.

FIG. 1 is a schematic flow chart diagram illustrating a method for detecting a family-scale anomaly in a botnet according to an embodiment of the present invention;

FIG. 2 is a schematic flow chart diagram of another method for detecting family-scale anomalies in botnets, according to an embodiment of the present invention;

fig. 3 is a schematic structural diagram of a family-scale anomaly detection device of a botnet according to an embodiment of the present invention;

FIG. 4 is a schematic diagram of another family-scale anomaly detection apparatus for botnets according to an embodiment of the present invention;

FIG. 5 shows a schematic diagram of an electronic device suitable for use in implementing embodiments of the present invention.

Detailed Description

In order to make the technical problems solved, the technical solutions adopted and the technical effects achieved by the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be described in further detail below with reference to the accompanying drawings, and it is obvious that the described embodiments are only some embodiments, but not all embodiments, of the embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, belong to the scope of protection of the embodiments of the present invention.

It should be noted that the terms "system" and "network" are often used interchangeably herein in embodiments of the present invention. Reference to "and/or" in embodiments of the invention is intended to include any and all combinations of one or more of the associated listed items. The terms "first", "second", and the like in the description and claims of the present disclosure and in the drawings are used for distinguishing between different objects and not for limiting a particular order.

It should be further noted that, in the embodiments of the present invention, each of the following embodiments may be executed alone, or may be executed in combination with each other, and the embodiments of the present invention are not limited in this respect.

The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.

The technical solutions of the embodiments of the present invention are further described by the following detailed description with reference to the accompanying drawings.

Fig. 1 is a schematic flow chart of a method for detecting a family-scale anomaly of a botnet according to an embodiment of the present invention. The embodiment applies where the family scale of a botnet is to be checked for anomalies, and the method may be executed by a family-scale anomaly detection apparatus for botnets configured in an electronic device. As shown in fig. 1, the method of this embodiment includes:

in step S110, the number of propagation sources of the botnet family in each predetermined unit time length in the monitoring interval is counted according to the historical data.

When abnormal detection is carried out on the family scale of the botnet, a specific monitoring interval can be selected for detection, and the specific preset unit time length can be set according to needs, for example, the preset unit time length can be set to be one statistical unit per hour, and can also be set to be one statistical unit per half hour.

In step S120, a training sample set is generated according to the number of propagation sources in each predetermined unit time, and an isolation forest model is trained according to the training sample set.

The isolation forest model is trained according to the training sample set. The whole training sample set can be used for training; the samples may include both abnormally propagating and normally propagating samples, labelled accordingly. Note that an isolation forest is an unsupervised model and does not consume those labels during training, so labelled abnormal samples are mainly useful for checking the threshold or anomaly ratio chosen in step S140 against known cases. Alternatively, a training sample subset can be selected from the training sample set and the isolation forest model trained on the selected subset, to improve the prediction accuracy of the model.

The isolation forest model is a tree-type ensemble model consisting of more than one isolation tree. For example, given a set of $n$ samples $X = \{x_1, x_2, \ldots, x_n\}$, an isolation tree is built by recursively partitioning $X$: a feature $q$ of the data set is selected at random together with a random split value $p$ of that feature. Every node of an isolation tree has either exactly two children or none.

The recursive construction of an isolation tree stops only when one of three conditions is met: first, the depth of the isolation tree reaches the set maximum; second, after some recursion step a node of the tree contains only one sample; third, after some recursion step all data in a node of the tree have the same value.

Randomly select $\psi$ sample points from the propagation-source training data set as a sample subset, place them in the root node of a tree, and designate the number of propagation sources as the feature dimension. Randomly generate a cut point $p$ within the range of the current node's data; the cut point defines a hyperplane that divides the data space of the current node into two subspaces: data smaller than $p$ in the designated dimension go to the left child of the current node, data greater than or equal to $p$ go to the right child. Keep constructing new child nodes until a child contains only one record (it cannot be cut further) or the child reaches the height limit. Repeat the whole procedure until $T$ isolation trees have been generated.

After the $T$ isolation trees are obtained, the resulting iForest can be used to evaluate the propagation-source test data set. For each data point $x_i$, traverse every isolation tree (iTree), compute the average path length $E[h(x_i)]$ of $x_i$ over the forest, and normalise the average path length of all points. The outlier score is

$$s(x_i, \psi) = 2^{-E[h(x_i)] / c(\psi)}$$

where

$$c(\psi) = 2H(\psi - 1) - \frac{2(\psi - 1)}{\psi}, \qquad H(k) = \ln(k) + \xi,$$

$E[\cdot]$ is the mean over the $T$ iTrees, $c(\psi)$ is the average path length of a binary search tree built on $\psi$ points (the standard isolation forest normaliser), and $\xi$ is the Euler constant (approximately 0.5772).

The closer $s(x)$ is to 1, the more likely the point is abnormal; the closer it is to 0, the more likely it is a normal point. For example, if $s(x)$ of most of the data is around 0.5, the data contains no clear outliers.
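The tree construction and scoring procedure described above, implemented from scratch as an added example (this is not code from the patent or its applicant). It follows the text: each tree is grown on a random subsample of ψ hourly counts with random cut points p on the single feature (the number of propagation sources), growth stops at a single record, equal values or the height limit, and the score is s(x) = 2^(−E[h(x)]/c(ψ)). The class and function names, the height limit ceil(log2 ψ) and the leaf adjustment c(size) for unsplit leaves are my assumptions (they are the usual isolation forest choices); the historical hourly counts are constructed, not real monitoring data.

```python
"""Isolation forest over hourly propagation-source counts (added example)."""
import math
import random

EULER_GAMMA = 0.5772156649  # the xi in H(k) = ln(k) + xi


def harmonic(k):
    """H(k) = ln(k) + xi, the approximation of the k-th harmonic number."""
    return math.log(k) + EULER_GAMMA


def c(n):
    """c(n) = 2H(n-1) - 2(n-1)/n: average path length of an unsuccessful BST search
    over n points. Used as the score normaliser and as the adjustment for leaves
    that still hold several points when the height limit stops the recursion."""
    if n <= 1:
        return 0.0
    return 2.0 * harmonic(n - 1) - 2.0 * (n - 1) / n


def build_itree(values, height, limit, rng):
    """Grow one isolation tree over 1-D values (the feature is the hourly source count).
    A node is ("leaf", size) or ("split", p, left, right). Growth stops when the node
    holds one point, all its points are equal, or the height limit is reached."""
    if len(values) <= 1 or height >= limit:
        return ("leaf", len(values))
    lo, hi = min(values), max(values)
    if lo == hi:
        return ("leaf", len(values))
    p = rng.uniform(lo, hi)                  # random cut point inside the node's data range
    left = [v for v in values if v < p]      # < p goes to the left child
    right = [v for v in values if v >= p]    # >= p goes to the right child
    if not left or not right:                # p landed exactly on the boundary: stop here
        return ("leaf", len(values))
    return ("split", p,
            build_itree(left, height + 1, limit, rng),
            build_itree(right, height + 1, limit, rng))


def path_length(node, x, height=0):
    """h(x): edges from the root to the external node x falls into, plus c(size)
    when that node still holds several unsplit points."""
    if node[0] == "leaf":
        return height + c(node[1])
    _, p, left, right = node
    return path_length(left if x < p else right, x, height + 1)


class IsolationForest:
    """T isolation trees, each grown on a random subsample of psi historical counts."""

    def __init__(self, n_trees=100, psi=64, seed=0):
        self.n_trees = n_trees
        self.psi = psi
        self.rng = random.Random(seed)
        self.trees = []

    def fit(self, counts):
        """Step S120: sample psi points per tree from the historical counts, build T trees."""
        self.psi = min(self.psi, len(counts))
        limit = math.ceil(math.log2(self.psi)) if self.psi > 1 else 0
        self.trees = [build_itree(self.rng.sample(counts, self.psi), 0, limit, self.rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Step S130: s(x, psi) = 2 ** (-E[h(x)] / c(psi)), E[.] being the mean over T trees."""
        mean_h = sum(path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-mean_h / c(self.psi))


def constructed_history(hours=24 * 14, seed=1):
    """Constructed stand-in for the S110 output: distinct propagation sources per hour
    of one family over two weeks, about 200 with Gaussian noise (not real data)."""
    rng = random.Random(seed)
    return [max(0, round(200 + rng.gauss(0, 15))) for _ in range(hours)]


def score_live_hours(forest, live_counts):
    """Score each newly observed hourly count against the trained forest."""
    return [(n, round(forest.score(n), 3)) for n in live_counts]


if __name__ == "__main__":
    forest = IsolationForest(n_trees=100, psi=64, seed=0).fit(constructed_history())
    # 900 models a sudden expansion of the family, 20 a collapse, 200 an ordinary hour.
    for n, s in score_live_hours(forest, [200, 215, 900, 20]):
        print(f"{n:4d} sources/hour -> s(x) = {s:.3f}")
```

Two practical points follow from the construction. A count far outside the training range (900 or 20 here) scores clearly higher than an in-range count, but not arbitrarily so, because no cut can fall outside the range of the subsample, so the score saturates well below 1; the threshold of step S140 has to be chosen on the scale the trained forest actually produces. And because the forest only knows the historical distribution, it must be retrained as the family's baseline drifts, otherwise a slow, steady growth of the family is scored as normal hour after hour.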

In step S130, the number of propagation sources of the botnet family within the predetermined unit time length in the monitoring interval is monitored in real time, and the outlier score of that number in the isolation forest model is calculated.

In step S140, anomaly detection is performed on the botnet family propagation according to the outlier score.

This step may be performed in several ways. For example, the outlier score is compared with a set anomaly threshold, and whether the propagation of the botnet family is abnormal is determined from the comparison result. The anomaly threshold is provided by the user, typically on the basis of expert experience.

For another example, after a predetermined number of outlier scores have been obtained, anomaly detection is performed on the propagation of the botnet family according to a set anomaly ratio and each of the outlier scores. The anomaly ratio is likewise provided by the user, typically on the basis of expert experience.

According to this embodiment, the number of propagation sources of the botnet family in each preset unit time length in the monitoring interval is counted according to historical data; a training sample set is generated according to the number of propagation sources in each preset unit time length, and an isolation forest model is trained according to the training sample set; the number of propagation sources of the botnet family in the preset unit time length in the monitoring interval is monitored in real time, and the outlier score of the number of propagation sources in the isolation forest model is calculated; and anomaly detection is carried out on the propagation of the botnet family according to the outlier score, so that both the family scale of the botnet and the trend of that scale can be checked for anomalies, and the development of the botnet can be monitored automatically.

Fig. 2 is a schematic flow chart of another method for detecting family-scale abnormalities in botnets according to an embodiment of the present invention, which is based on the foregoing embodiment and is optimized. As shown in fig. 2, the method for detecting the family-scale abnormality of the botnet according to the present embodiment includes:

in step S210, the number of sources propagated per hour by the botnet family is counted.

In step S220, the isolation forest model is trained on a training data set extracted according to expert experience.

Randomly select $\psi$ sample points from the propagation-source training data set as a sample subset, place them in the root node of a tree, and designate the number of propagation sources as the feature dimension. Randomly generate a cut point $p$ within the range of the current node's data; the cut point defines a hyperplane that divides the data space of the current node into two subspaces: data smaller than $p$ in the designated dimension go to the left child of the current node, data greater than or equal to $p$ go to the right child. Keep constructing new child nodes until a child contains only one record (it cannot be cut further) or the child reaches the height limit. Repeat the whole procedure until $T$ isolation trees have been generated.

In step S230, a new data set is predicted using the trained isolated forest model.

After the $T$ isolation trees are obtained, the resulting iForest can be used to evaluate the propagation-source test data set. For each data point $x_i$, traverse every isolation tree (iTree), compute the average path length $E[h(x_i)]$ of $x_i$ over the forest, and normalise the average path length of all points. The outlier score is

$$s(x_i, \psi) = 2^{-E[h(x_i)] / c(\psi)}$$

where

$$c(\psi) = 2H(\psi - 1) - \frac{2(\psi - 1)}{\psi}, \qquad H(k) = \ln(k) + \xi,$$

$E[\cdot]$ is the mean over the $T$ iTrees, $c(\psi)$ is the average path length of a binary search tree built on $\psi$ points, and $\xi$ is the Euler constant.

In step S240, an abnormal value score and an abnormal label value are calculated.

The closer $s(x)$ is to 1, the more likely the point is abnormal; the closer it is to 0, the more likely it is a normal point. For example, if $s(x)$ of most of the data is around 0.5, the data contains no clear outliers.

In step S250, an abnormality ratio is set according to expert experience.

In step S260, an abnormal data set is obtained for manual analysis and study.

The principle of the scheme of this embodiment is as follows: in the scenario of analysing changes in the number of propagation sources of a botnet family, abnormal data points can be labelled by computing outlier scores for the data with an isolation forest.
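Steps S110/S210 (counting distinct propagation sources per hour from monitoring records) and the two decision rules of S140 and S250/S260, as an added example that is not part of the patent: a fixed threshold applied to each hour's score (claims 2 and 3), and an anomaly ratio applied once a predetermined number of scores has accumulated (claims 4 and 5), with the flagged hours handed to manual analysis. The record format, the family names, the addresses, the choice to count empty hours as 0 and the outlier scores used in the demonstration are my constructions; in practice the scores come from the trained isolation forest of step S130.

```python
"""Hourly source counting and the two anomaly decision rules (added example)."""
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed monitoring records (not real data): "<UTC timestamp> <family> <source IP>".
RECORDS = """\
2021-07-01T00:03:11Z family_a 198.51.100.17
2021-07-01T00:41:09Z family_a 198.51.100.17
2021-07-01T00:47:52Z family_a 203.0.113.5
2021-07-01T00:59:30Z family_b 192.0.2.44
2021-07-01T01:02:10Z family_a 203.0.113.5
2021-07-01T01:30:00Z family_a 203.0.113.9
2021-07-01T01:35:00Z family_a 192.0.2.100
2021-07-01T02:10:00Z family_a 198.51.100.17
2021-07-01T04:20:00Z family_a 203.0.113.77
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def sources_per_hour(records, family, unit=timedelta(hours=1)):
    """S110/S210: distinct propagation sources of one family per unit period, ordered
    from the first to the last active period. Periods inside that span with no
    records count as 0 (an assumption here) so that a collapse of the family is
    visible to the model instead of being silently skipped."""
    buckets = defaultdict(set)
    for line in records.splitlines():
        if not line.strip():
            continue
        ts, fam, src = line.split()
        if fam != family:
            continue
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        start = t - (t - EPOCH) % unit       # floor the timestamp to its period
        buckets[start].add(src)              # a source seen twice in the hour counts once
    if not buckets:
        return []
    first, last = min(buckets), max(buckets)
    periods = int((last - first) / unit) + 1
    return [len(buckets.get(first + i * unit, ())) for i in range(periods)]


def flag_by_threshold(scores, threshold):
    """Claims 2-3: a period is abnormal when its outlier score reaches the user-set threshold."""
    return [s >= threshold for s in scores]


def flag_by_ratio(scores, ratio, batch_size):
    """Claims 4-5: once batch_size scores exist, mark the ceil(ratio * batch_size)
    highest-scoring periods of the latest batch as abnormal. Returns None while the
    batch is still filling, because this rule cannot fire before then."""
    if len(scores) < batch_size:
        return None
    batch = scores[-batch_size:]
    k = math.ceil(ratio * batch_size)
    ranked = sorted(range(batch_size), key=lambda i: batch[i], reverse=True)
    top = set(ranked[:k])
    return [i in top for i in range(batch_size)]


def review_queue(counts, scores, flags):
    """S260: the flagged periods with their count and score, for manual analysis."""
    return [{"period": i, "sources": n, "score": s}
            for i, (n, s, f) in enumerate(zip(counts, scores, flags)) if f]


if __name__ == "__main__":
    counts = sources_per_hour(RECORDS, "family_a")
    # Constructed scores standing in for the isolation forest output of step S130.
    scores = [0.45, 0.62, 0.48, 0.71, 0.50]
    print("sources per hour:", counts)
    print("threshold 0.6  :", review_queue(counts, scores, flag_by_threshold(scores, 0.6)))
    print("ratio 0.25 / 5 :", review_queue(counts, scores, flag_by_ratio(scores, 0.25, 5)))
```

The two rules behave differently under drift. The threshold rule fires on every hour independently and produces no alert at all if the family's baseline shifts so that all scores sit below the threshold; the ratio rule always flags the top fraction of each batch, so it always produces alerts, including when nothing abnormal happened in that batch. Which one to run, and the values of the threshold, ratio and batch size, are user settings in the patent, and the labelled samples mentioned for step S120 are the natural place to calibrate them.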

As an implementation of the methods shown in the above figures, the present application provides an embodiment of a family-scale anomaly detection device for botnets, and fig. 3 shows a schematic structural diagram of a family-scale anomaly detection device for botnets provided in this embodiment, where the embodiment of the device corresponds to the embodiment of the methods shown in fig. 1 and fig. 2, and the device can be applied to various electronic devices. As shown in fig. 3, the family-scale abnormality detection apparatus of botnet according to the present embodiment includes a history number acquisition unit 310, a model training unit 320, an abnormal value monitoring unit 330, and an abnormality determination unit 340.

The history quantity obtaining unit 310 is configured to count the number of propagation sources of the botnet family in each predetermined unit time length in the monitoring interval according to the history data.

The model training unit 320 is configured to generate a training sample set according to the number of propagation sources in each predetermined unit time, and train an isolation forest model according to the training sample set;

the abnormal value monitoring unit 330 is configured to monitor the number of propagation sources of the botnet family within the predetermined unit time length in the monitoring interval in real time, and calculate the outlier score of the number of propagation sources in the isolation forest model;

the anomaly determination unit 340 is configured to detect anomalies in the propagation of the botnet family according to the outlier score.

According to one or more embodiments of the present disclosure, the anomaly determination unit 340 is configured to compare the anomaly score with a set anomaly threshold, and determine whether the propagation of the botnet family is abnormal according to the comparison result.

According to one or more embodiments of the present disclosure, the apparatus may further include an abnormality threshold receiving unit (not shown in fig. 3) configured to receive a set abnormality threshold set by a user before comparing the abnormality value score with the set abnormality threshold.

According to one or more embodiments of the present disclosure, the model training unit 320 trains the isolation forest model according to the training sample set by: selecting a training sample subset from the training sample set; and training the isolation forest model according to the selected training sample subset.

According to one or more embodiments of the present disclosure, the predetermined unit time period is 1 hour.

The family-scale anomaly detection device for botnets provided by the embodiment of the present disclosure can execute the family-scale anomaly detection method for botnets provided by the embodiment of the present disclosure, and has functional modules corresponding to the execution method and beneficial effects.

Fig. 4 is a schematic structural diagram illustrating another anomaly detection apparatus for a family scale of botnets according to an embodiment of the present invention, and as shown in fig. 4, the anomaly detection apparatus for a family scale of botnets according to the embodiment includes a history number acquisition unit 410, a model training unit 420, an abnormal value monitoring unit 430, an abnormal ratio receiving unit 440, and an anomaly determination unit 450.

The history quantity obtaining unit 410 is configured to count the number of propagation sources of the botnet family in each predetermined unit time length in the monitoring interval according to the history data.

The model training unit 420 is configured to generate a training sample set according to the number of propagation sources in each predetermined unit time, and train an isolation forest model according to the training sample set.

The outlier monitoring unit 430 is configured to monitor, in real time, the number of propagation sources of the botnet family within the predetermined unit time length within the monitoring interval, and calculate an outlier score of the number of propagation sources in the isolation forest model.

The abnormal ratio receiving unit 440 is configured to receive the set abnormal ratio set by a user.

The abnormality determination unit 450 is configured to perform abnormality detection on propagation of the botnet family according to the received set abnormality proportion and each of the abnormal value scores after a predetermined number of the abnormal value scores are acquired.

According to one or more embodiments of the present disclosure, the model training unit 420 trains the isolation forest model according to the training sample set by: selecting a training sample subset from the training sample set; and training the isolation forest model according to the selected training sample subset.

According to one or more embodiments of the present disclosure, the predetermined unit time period is 1 hour.

The family-scale anomaly detection device for botnets provided by the embodiment of the present disclosure can execute the family-scale anomaly detection method for botnets provided by the embodiment of the present disclosure, and has functional modules corresponding to the execution method and beneficial effects.

Referring now to FIG. 5, a block diagram of an electronic device 500 suitable for use in implementing embodiments of the present invention is shown. The terminal device in the embodiment of the present invention is, for example, a mobile device, a computer, or a vehicle-mounted device built in a floating car, or any combination thereof. In some embodiments, the mobile device may include, for example, a cell phone, a smart home device, a wearable device, a smart mobile device, a virtual reality device, and the like, or any combination thereof. The electronic device shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.

As shown in fig. 5, electronic device 500 may include a processing means (e.g., central processing unit, graphics processor, etc.) 501 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)502 or a program loaded from a storage means 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data necessary for the operation of the electronic apparatus 500 are also stored. The processing device 501, the ROM 502, and the RAM 503 are connected to each other through a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.

Generally, the following devices may be connected to the I/O interface 505: input devices 506 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 507 including, for example, a Liquid Crystal Display (LCD), speakers, vibrators, and the like; storage devices 508 including, for example, magnetic tape, hard disk, etc.; and a communication device 509. The communication means 509 may allow the electronic device 500 to communicate with other devices wirelessly or by wire to exchange data. While FIG. 5 illustrates an electronic device 500 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.

In particular, according to an embodiment of the present invention, the processes described above with reference to the flowcharts may be implemented as a computer software program. For example, embodiments of the invention include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication means 509, or installed from the storage means 508, or installed from the ROM 502. The computer program performs the above-described functions defined in the method of the embodiment of the present invention when executed by the processing apparatus 501.

It should be noted that the computer readable medium mentioned above can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In embodiments of the invention, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In yet another embodiment of the invention, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electromagnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.

The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.

The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: counting the number of propagation sources of the botnet family in each preset unit time length in the monitoring interval according to historical data; generating a training sample set according to the number of propagation sources in each preset unit time length, and training an isolated forest model according to the training sample set; monitoring the number of propagation sources of the botnet family in the preset unit time length in the monitoring interval in real time, and calculating the abnormal value fraction of the number of the propagation sources in the isolated forest model; and carrying out abnormal detection on the propagation of the botnet family according to the abnormal value score.
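The program described above, as an added worked example that is not code from the patent or its applicants: it implements the isolation forest of Liu, Ting and Zhou (2008) from scratch so that it runs offline, buckets propagation-source counts into the 1-hour unit time length the disclosure uses, trains each tree on a random subset of the training sample set (the subset selection the model training unit 420 performs), and scores a live hourly count. The hourly counts are constructed, and the alert threshold of 0.6 is an assumption; the patent states no threshold value.

```python
"""Hourly propagation-source counts of one botnet family scored with an
isolation forest. Added example (not the patent's code); the history is
constructed and ALERT_THRESHOLD is an assumed value."""
import math
import random

EULER_GAMMA = 0.5772156649


def avg_path_length(n):
    """c(n): expected path length of an unsuccessful binary-search-tree
    search over n points. Normalises scores and credits leaves that still
    hold several points when the depth limit is reached."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    harmonic = math.log(n - 1) + EULER_GAMMA  # H(n-1)
    return 2.0 * harmonic - 2.0 * (n - 1) / n


def build_tree(values, depth, max_depth, rng):
    """Split the 1-D sample at a uniformly random cut between its min and
    max until a point is isolated or the depth limit is hit.
    Returns ("leaf", size) or ("node", cut, left, right)."""
    if depth >= max_depth or len(values) <= 1 or min(values) == max(values):
        return ("leaf", len(values))
    cut = rng.uniform(min(values), max(values))
    left = [v for v in values if v < cut]
    right = [v for v in values if v >= cut]
    return ("node", cut,
            build_tree(left, depth + 1, max_depth, rng),
            build_tree(right, depth + 1, max_depth, rng))


def path_length(tree, x, depth=0):
    """h(x): depth at which x lands in a leaf, plus c(size) for a leaf that
    still contains several training points."""
    if tree[0] == "leaf":
        return depth + avg_path_length(tree[1])
    _, cut, left, right = tree
    return path_length(left if x < cut else right, x, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=200, subsample=256, seed=7):
        self.n_trees, self.subsample, self.seed = n_trees, subsample, seed
        self.trees, self.sample_size = [], 0

    def fit(self, samples):
        """Train every tree on its own random subset of the training set."""
        rng = random.Random(self.seed)
        self.sample_size = min(self.subsample, len(samples))
        max_depth = math.ceil(math.log2(self.sample_size))
        self.trees = [
            build_tree(rng.sample(samples, self.sample_size), 0, max_depth, rng)
            for _ in range(self.n_trees)
        ]
        return self

    def score(self, x):
        """Outlier score s(x) = 2^(-E[h(x)] / c(n)): close to 1 means the
        count is isolated unusually fast, i.e. anomalous; well below 0.5
        means it sits among ordinary hours."""
        mean_h = sum(path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-mean_h / avg_path_length(self.sample_size))


def constructed_hourly_counts(days=14, seed=1):
    """Constructed history: one count per 1-hour bucket for a family that
    hovers around 2000 propagation sources per hour."""
    rng = random.Random(seed)
    return [max(0, int(rng.gauss(2000, 120))) for _ in range(days * 24)]


ALERT_THRESHOLD = 0.6  # assumed alert level; the patent names none


def detect(model, live_count, threshold=ALERT_THRESHOLD):
    """Score the live hour's propagation-source count; True means the
    family's scale in that hour is flagged as abnormal."""
    s = model.score(live_count)
    return s, s >= threshold


if __name__ == "__main__":
    model = IsolationForest().fit(constructed_hourly_counts())
    for count in (2000, 9000):  # an ordinary hour, then a sudden spike
        score, alert = detect(model, count)
        print(f"{count:5d} sources/hour -> score {score:.2f} "
              f"{'ANOMALY' if alert else 'ok'}")
```

Because every cut is drawn between the minimum and maximum of the subset at that node, a live count beyond the historical range follows the same path as the historical maximum; it is the sparsity of the upper tail in the training data that makes that path short and the score high. A spike far above the training range therefore cannot score higher than the historical maximum does, so the threshold should be checked against the scores the training data itself receives before it is relied on.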

Computer program code for carrying out operations for embodiments of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The units described in the embodiments of the present invention may be implemented by software or hardware. In some cases the name of a unit does not constitute a limitation of the unit itself; for example, the first retrieving unit may also be described as a "unit for retrieving at least two internet protocol addresses".

The foregoing description is only a preferred embodiment of the invention and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure in the embodiments of the present invention is not limited to the specific combinations of the above-described features, but also encompasses other embodiments in which any combination of the above-described features or their equivalents is possible without departing from the spirit of the disclosure. For example, it encompasses the technical solutions formed by replacing the above features with (but not limited to) the features of similar function disclosed in the embodiments of the present invention.
