朱禹,沈海斌,周喜川

DOI: https://doi.org/10.3969/j.issn.1005-9490.2008.06.060

2008-01-01

Abstract:Comparing to the common anti-virus tools,we propose a new host-based approach for detecting unknown computer worms based on the measurement of computer behaviors,rather than recognizing specific instances of worms.We collected 323 features in order to reflect the computer behaviors and used a new feature selection method to reduce classified features.In the experiment,Bayesian Network theorem was applied on the several feature subsets to deduce the rule.We performed several experiments to evaluate the detection system,focusing on computer worms being injected in the computer while running several programs in order to simulate different background statuses.The average accuracy we achieved was above 80% for unknown worms sample and for known worms even above 99%.

Weiming Li,Songlin Xie,Jie Luo,Xiaodong Zhu

DOI: https://doi.org/10.2991/icsem.2013.100

2013-01-01

Abstract:How to detect Botnet has become a very important problem in security network. The existent detection methods based on network traffic and host behaviors can’t handle the emergency Botnets. In this paper we present an optimized method to analyze the similarity and time period of Botnets behaviors. In the end, our method gets an effective result. Our method uses the IDS-like architecture, which develops six specific components to detect six important Botnets abnormal behaviors. And it builds correlation rules to calculate match score. Through the experiments described in the paper, we can see that our method can not only detect already known Botnets precisely, but also detect unknown Botnets to some extent. The experiments prove that our method is effective and it has some advantages compared with other methods. At last, the paper proposes the future direction and the points that need to be improved.

JIN Jiandong,YANG Jia,ZHOU Changling,LI Xiaonan,MA Hao

DOI: https://doi.org/10.3724/sp.j.1249.2020.99078

2020-01-01

Abstract:Using botnet to send spam is a common attack method of cyber blackmailers and extortionist. In recent years, with the widespread application of blockchain, a new type of extortion scam spam using bitcoin to achieve anonymous transfer have gradually emerged, which poses a great threat to cyber security. This paper aims to a university email system for spam botnet detection. We design a network forensics framework, which can identify extortion scam email and spam-sending botnet. Furthermore, this framework can also analyze the bitcoin money laundering network used by attacker. Experiment on real-world datasets shows that compared to some classic spam filtering models, our method has a higher recall rate on extortion scam email, while provides further analysis on botnet cluster and money laundering network.

Riaz Ullah Khan,Rajesh Kumar,Mamoun Alazab,Xiaosong Zhang

DOI: https://doi.org/10.1109/ccc.2019.00008

2019-01-01

Abstract:The botnet has been one of the most common threats to the network security since it exploits multiple malicious codes like worm, Trojans, Rootkit, etc. These botnets are used to perform the attacks, send phishing links, and/or provide malicious services. It is difficult to detect Peer-to-peer (P2P) botnets as compare to IRC (Internet Relay Chat), HTTP (HyperText Transfer Protocol) and other types of botnets because of having typical features of the centralization and distribution. To solve these problems, we propose an effective two-stage traffic classification method to detect P2P botnet traffic based on both non-P2P traffic filtering mechanism and machine learning techniques on conversation features. At the first stage, we filter non-P2P packages to reduce the amount of network traffic through well-known ports, DNS query, and flow counting. At the second stage, we extract conversation features based on data flow features and flow similarity. We detected P2P botnets successfully, by using Machine Learning Classifiers. Experimental evaluations show that our two-stage detection method has a higher accuracy than traditional P2P botnet detection methods.

臧天宁,云晓春,张永铮,门朝光

DOI: https://doi.org/10.13203/j.whugis2012.02.001

2012-01-01

Abstract:An approach for analyzing the relationship among botnets was presented.Several botnet communication characteristics were extracted,including the amount of data flows within a botnet,the number of packets per data flow,the payload of communication and data packets in the master hosts.Statistical similarity functions of botnet characteristics were defined.Based on the cloud model and the defined statistical similarity functions,the analysis model of botnet relationship was build,and the similarities of botnet characteristics were synthetically evaluated.The analysis experiments were conducted based on a simulation network environment.The experimental results show that the presented method was valid and efficient,even in the case of encrypted botnet communication messages.The result is better than the research production in the report on the interrelated research achievements.

XIN Yi,FANG Bin-xing,HE Long-tao,YUN Xiao-chun,LI Zhi-dong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.001

2007-01-01

Abstract:Worm detection and signature extraction was presented based on analysis of similar communication character-istics,which identifies the distinct communication pattern of worm spread,and evaluates the similarity metric of commu-nication characteristic sets,and detects worms by detecting their infectivity with higher detection precision,generality and adaptability.Based on this,a heuristic detection framework is designed,which eliminates non-worm traffic from protocol,sequence,and content in three levels via blind,intent and lock track,then filters out worm packets and extracts signatures.The technique reduces data collection volume and analysis cost dramatically,and can detection worm and ex-tract signature quickly in the environment with high strength background noise.

NIU Wei-na,ZHANG Xiao-song,SUN En-bo,YANG Guo-wu,ZHAO Ling-yuan

DOI: https://doi.org/10.3969/j.issn.1001-0548.2017.06.019

2017-01-01

Abstract:The botnet has been one of the most common threats to the network security since it exploits multiple malicious codes like worm, Trojans, Rootkit, etc. toperform thedenial-of-service attack, send phishing links, and provide malicious services. Peer-to-peer (P2P) botnet is more difficult to be detected compared with IRC, HTTP and other types of botnets because it has typical features of the centralization and distribution. To solve these problems, we propose an effective two-stage traffic classification method to detect P2P botnet traffic based on both non-P2P traffic filtering mechanism and machine learning techniques on conversation features. At the first stage, the non-P2P packages are filtered to reduce the amount of network traffic, according to well-known ports, DNS query, and flow counting. At the second stage, the conversation features based on data flow features and flow similarity are extracted. Finally, the P2P botnet is detected by using Random Forest based on the decision tree model. Experimental evaluations on UNB ISCX botnet dataset shows that our two-stage detection method has a higher accuracy than traditional P2P botnet detection methods.

Dong Wang,Shuangmao Yang,Jiazhong Lu,Ruidong Chen,Xiaosong Zhang

DOI: https://doi.org/10.1109/compcomm.2016.7925130

2016-01-01

Abstract:The internet has quickly become one of the primary means of communication in our society. Various types of network applications more and more, it also increases the risk of security of internet users. Botnets also one of the security risks, in order to prevent this danger or threat, we have to detect them and prevention. In this study, we use fuzzy algorithm to identify botnet, this algorithm is simple and has high testing speed and efficiency. In the experiment, we consider the various types of botnet attacks, the development of appropriate classification blur detection algorithm, the final evaluation.

Binbin Wang,Zhitang Li,Dong Li,Feng Liu,Hao Chen

DOI: https://doi.org/10.1109/EBISS.2010.5473532

2010-01-01

Abstract:Botnet has become a prevalent platform for malicious attacks, which poses a significant threat to Internet security. Recently, botnets are inclined to utilize HTTP to route their command and control (C&C) communication instead of using the protocol Internet Relay Chat (IRC). And these web-based C&C bots try to blend into normal HTTP traffic, which makes them more difficult to be identified. In this work, we propose an automatic approach to identify web-based C&C bots by modeling the essential network behavior of web-based bots in supervised network. Experimental results show the proposed approach is very efficient and can detect web-base bots with low false positive ratio.

Yao Zhao,Yinglian Xie,Fang Yu,Qifa Ke,Yuan Yu,Yan Chen,Eliot Gillum

2009-01-01

Abstract:Network security applications often require analyzing huge volumes of data to identify abnormal patterns or activities. The emergence of cloud-computing models opens up new opportunities to address this challenge by leveraging the power of parallel computing. In this paper, we design and implement a novel system called BotGraph to detect a new type of botnet spamming attacks targeting major Web email providers. Bot-Graph uncovers the correlations among botnet activities by constructing large user-user graphs and looking for tightly connected subgraph components. This enables us to identify stealthy botnet users that are hard to detect when viewed in isolation. To deal with the huge data volume, we implement BotGraph as a distributed application on a computer cluster, and explore a number of performance optimization techniques. Applying it to two months of Hotmail log containing over 500 million users, BotGraph successfully identified over 26 million botnet-created user accounts with a low false positive rate. The running time of constructing and analyzing a 220GB Hot-mail log is around 1.5 hours with 240 machines. We believe both our graph-based approach and our implementations are generally applicable to a wide class of security applications for analyzing large datasets.

Jinquan Zeng,Weiwen Tang,Caiming Liu,Jianbin Hu,Lingxi Peng

DOI: https://doi.org/10.1007/978-3-642-34038-3_79

2012-01-01

Abstract:Botnet is an attack network composed of hundreds of millions of compromised computers. Botnet is emerging as the most serious threat against cyber-security and is used to launch Distributed Denial of Service (DDoS) attacks, malware dissemination, phishing, remote control, click fraud, and etc. Although botnet has posed serious security threat on Internet, the research of detecting and preventing botnet is still in its infancy. One effective technique for botnet detection is to identify botnet C&C traffic. In this paper, we present a case study of the IRC-based botnet C&C communication and then present a novel method to detect botnet C&C communications. We develop quantitative ways to assess the C&C communications between the bot and the C&C server; furthermore, we also illustrate the correlation methods within the same botnet's C&C communications to decrease the false positive rate.

Zhitang Li,Jun Hu,Zhengbing Hu,Bingbing Wang,Liang Tang,Xin Yi

DOI: https://doi.org/10.4304/jnw.5.1.98-105

2010-01-01

Journal of Networks

Abstract:Botnets have become one of the most serious threats to the Internet. They are now the key platform for many Internet attacks, such as spa m, distributed denial-of-service(DDoS), and we call these attacks “the second character of bots”. I n this paper, we focus on characterizing spamming botnets by leveraging both spam payload and spam nodes traffic properties. M easurement of botnets is an important and challenging work. H owever, most existing approaches work only o n specific botnet command and control (c&c) protocols (e.g., IRC) and structures (e.g., centralized). I n this paper, we present two measurement frameworks (MFNL and MFAL) that based on the second character of bots to measure the size of the botnet. W e have easily implemented our prototype system and evaluated it using many real network traces , and we also compare these two app r oaches from several points.

Tao Cai,Futai Zou

DOI: https://doi.org/10.1109/WiCOM.2012.6478491

2012-01-01

Abstract:Botnet is a great threat of the Internet nowadays. For now, Botnet has transformed to the complex one based on HTTP, P2P protocols from the simple Botnets which based on IRC protocol. In this paper, we evaluate the key features of HTTP Botnet and design a new method to detect the HTTP Botnet based on feature analysis. The experiment result shows that our method is effective and efficient on detecting HTTP Botnet.

Hao Tu,Zhi-Tang Li,Bin Liu

DOI: https://doi.org/10.1007/978-3-540-71549-8_40

2007-01-01

Abstract:Botnet is a new trend in Internet attacks. Because the propagation of botnets will not cause large traffic like worm, it is often difficult to detect it. Till now, the most common method to detect botnets is to use honeynets. Although previous work has described an active detection technique using DNS hijacking technique[1], there are little information about how to detect the domain names which botnets used. Some researchers also use DNS based method to detect botnets[2,3], but all of them use simple signature or statistical method which require much prior knowledge.

Yeqin Shao,Quan Shi,Yanghua Xiao,Nik Bessis,Peter Norrington

DOI: https://doi.org/10.6138/jit.2017.18.3.20140403

2017-01-01

Abstract:The various forms and tremendous number of spam emails have brought great challenges to accurate email classification. In this paper, we present a behavior- and time-feature-based email classification method. Based on email logs, email social networks are built through the extraction of entities and relations from the email records using the MapReduce model. By combining behavior features from social networks and time features from email sending intervals, we adopt a Support Vector Machine based classifier to identify spammers and non-spammers. Compared with the current email classification methods, the advantages of our method are: (1) in addition to the behavior-based features, our method integrates the time feature to facilitate email classification; (2) to efficiently handle the vast number of emails, we employ the MapReduce model to extract the behavior- and time-based features on the email social network. Experiments on real email data of three years show that the proposed method achieves better classification accuracy.

Ko‐Tsung Chu,Hua‐Ting Hsu,Jyh‐Jian Sheu,Wei‐Pang Yang,Cheng‐Chi Lee

DOI: https://doi.org/10.1049/iet-net.2019.0191

2020-11-01

IET Networks

Abstract:In recent years, hazardous e‐mails arose, such as the e‐mails infected with ‘viruses’ or ‘worms’ spreading destructive programs and the ‘Phishing Mails’ defrauding e‐mail accounts of the users. The number of spams continue to grow. With the related problems of spam coming to be more severe, the spam topics have become significant in various research domains. The common filtering methods include black/white list, rule learning, and those based on text classification, such as Naïve Bayes, support vector machine, and boosting trees, multi‐agent and genetic algorithm. Among these, the methods based on text classification are most widely applied. Moreover, some efficient methods were proposed to consider only the e‐mail's header section, based on which both operating efficiency and classification efficiency could be improved. By applying machine learning technique and decision tree data mining algorithm C4.5, this study aims to propose an efficient spam filtering method with the following features: (i) proposing a two‐phase filtering mechanism to scan mainly e‐mail's header and auxiliary content. (ii) Reducing the problem of false positive. The experimental results show that the authors’ method has a considerably high accuracy rate of 98.76%. Compared with some other methods of using the same spam data sets or of deep learning‐based, their method obviously has an excellent performance.

Jiazhong Lu,Fengmao Lv,Quan-Hui Liu,Malu Zhang,Xiaosong Zhang

DOI: https://doi.org/10.1109/icpr.2018.8546312

2018-01-01

Abstract:Difficult to be detected in complex network environments, botnets have been huge threats to network security. As the circumscriptions of normal traffics and botnet traffics are blurring, the commonly used botnet detection methods based on traffic analysis often result in high false positive rates. To overcome this issue, we propose an effective botnet detection method based on fuzzy association rules. The proposed method can calculate the features of botnet traffic accurately, which can be used to recognize the normal traffic and botnet. We first collect the data in the laboratory by setting different botnets in the controlled experiment. The botnet traffic features, association rules support, trust and membership are calculated by the proposed method, which are further used to distinguish the type of botnet. When our method is compared with other methods in our data set, we find the former performs better. For the generality, we also test our method on the public data set and also find the higher accuracy rates, which demonstrates the proposed method is effective in detecting the botnets.

Ruidong Chen,Weina Niu,Xiaosong Zhang,Zhongliu Zhuo,Fengmao Lv

DOI: https://doi.org/10.1155/2017/4934082

IF: 1.43

2017-01-01

Mathematical Problems in Engineering

Abstract:A botnet is one of the most grievous threats to network security since it can evolve into many attacks, such as Denial-of-Service (DoS), spam, and phishing. However, current detection methods are inefficient to identify unknown botnet. The high-speed network environment makes botnet detection more difficult. To solve these problems, we improve the progress of packet processing technologies such as New Application Programming Interface (NAPI) and zero copy and propose an efficient quasi-real-time intrusion detection system. Our work detects botnet using supervised machine learning approach under the high-speed network environment. Our contributions are summarized as follows: (1) Build a detection framework using PF_ RING for sniffing and processing network traces to extract flow features dynamically. (2) Use random forest model to extract promising conversation features. (3) Analyze the performance of different classification algorithms. The proposed method is demonstrated by well-known CTU13 dataset and nonmalicious applications. The experimental results show our conversation-based detection approach can identify botnet with higher accuracy and lower false positive rate than flow-based approach.

Riaz Ullah Khan,Xiaosong Zhang,Rajesh Kumar,Abubakar Sharif,Noorbakhsh Amiri Golilarz,Mamoun Alazab

DOI: https://doi.org/10.3390/app9112375

2019-01-01

Applied Sciences

Abstract:In recent years, the botnets have been the most common threats to network security since it exploits multiple malicious codes like a worm, Trojans, Rootkit, etc. The botnets have been used to carry phishing links, to perform attacks and provide malicious services on the internet. It is challenging to identify Peer-to-peer (P2P) botnets as compared to Internet Relay Chat (IRC), Hypertext Transfer Protocol (HTTP) and other types of botnets because P2P traffic has typical features of the centralization and distribution. To resolve the issues of P2P botnet identification, we propose an effective multi-layer traffic classification method by applying machine learning classifiers on features of network traffic. Our work presents a framework based on decision trees which effectively detects P2P botnets. A decision tree algorithm is applied for feature selection to extract the most relevant features and ignore the irrelevant features. At the first layer, we filter non-P2P packets to reduce the amount of network traffic through well-known ports, Domain Name System (DNS). query, and flow counting. The second layer further characterized the captured network traffic into non-P2P and P2P. At the third layer of our model, we reduced the features which may marginally affect the classification. At the final layer, we successfully detected P2P botnets using decision tree Classifier by extracting network communication features. Furthermore, our experimental evaluations show the significance of the proposed method in P2P botnets detection and demonstrate an average accuracy of 98.7%.

Peng Hui Li,Jie Xu,Zhong Yi Xu,Su Chen,Bo Wei Niu,Jie Yin,Xiao Feng Sun,Hao Liang Lan,Lu Lu Chen

DOI: https://doi.org/10.32604/cmc.2022.029969

2022-01-01

Abstract:At present, the severe network security situation has put forward high requirements for network security defense technology. In order to automate botnet threat warning, this paper researches the types and characteristics of Botnet. Botnet has special characteristics in attributes such as packets, attack time interval, and packet size. In this paper, the attack data is annotated by means of string recognition and expert screening. The attack features are extracted from the labeled attack data, and then use K-means for cluster analysis. The clustering results show that the same attack data has its unique characteristics, and the automatic identification of network attacks is realized based on these characteristics. At the same time, based on the collection and attribute extraction of Botnet attack data, this paper uses RF, GBM, XGBOOST and other machine learning models to test the warning results, and automatically analyzes the attack by importing attack data. In the early warning analysis results, the accuracy rates of different models are obtained. Through the descriptive values of the three accuracy rates of Accuracy, Precision, and F1_Score, the early warning effect of each model can be comprehensively displayed. Among the five algorithms used in this paper, three have an accuracy rate of over 90%. The three models with the highest accuracy are used in the early warning model. The research shows that cyberattacks can be accurately predicted. When this technology is applied to the protection system, accurate early warning can be given before a network attack is launched.

computer science, information systems,materials science, multidisciplinary