Ruidong Chen,Weina Niu,Xiaosong Zhang,Zhongliu Zhuo,Fengmao Lv

DOI: https://doi.org/10.1155/2017/4934082

IF: 1.43

2017-01-01

Mathematical Problems in Engineering

Abstract:A botnet is one of the most grievous threats to network security since it can evolve into many attacks, such as Denial-of-Service (DoS), spam, and phishing. However, current detection methods are inefficient to identify unknown botnet. The high-speed network environment makes botnet detection more difficult. To solve these problems, we improve the progress of packet processing technologies such as New Application Programming Interface (NAPI) and zero copy and propose an efficient quasi-real-time intrusion detection system. Our work detects botnet using supervised machine learning approach under the high-speed network environment. Our contributions are summarized as follows: (1) Build a detection framework using PF_ RING for sniffing and processing network traces to extract flow features dynamically. (2) Use random forest model to extract promising conversation features. (3) Analyze the performance of different classification algorithms. The proposed method is demonstrated by well-known CTU13 dataset and nonmalicious applications. The experimental results show our conversation-based detection approach can identify botnet with higher accuracy and lower false positive rate than flow-based approach.

Weiming Li,Songlin Xie,Jie Luo,Xiaodong Zhu

DOI: https://doi.org/10.2991/icsem.2013.100

2013-01-01

Abstract:How to detect Botnet has become a very important problem in security network. The existent detection methods based on network traffic and host behaviors can’t handle the emergency Botnets. In this paper we present an optimized method to analyze the similarity and time period of Botnets behaviors. In the end, our method gets an effective result. Our method uses the IDS-like architecture, which develops six specific components to detect six important Botnets abnormal behaviors. And it builds correlation rules to calculate match score. Through the experiments described in the paper, we can see that our method can not only detect already known Botnets precisely, but also detect unknown Botnets to some extent. The experiments prove that our method is effective and it has some advantages compared with other methods. At last, the paper proposes the future direction and the points that need to be improved.

Jinquan Zeng,Weiwen Tang,Caiming Liu,Jianbin Hu,Lingxi Peng

DOI: https://doi.org/10.1007/978-3-642-34038-3_79

2012-01-01

Abstract:Botnet is an attack network composed of hundreds of millions of compromised computers. Botnet is emerging as the most serious threat against cyber-security and is used to launch Distributed Denial of Service (DDoS) attacks, malware dissemination, phishing, remote control, click fraud, and etc. Although botnet has posed serious security threat on Internet, the research of detecting and preventing botnet is still in its infancy. One effective technique for botnet detection is to identify botnet C&C traffic. In this paper, we present a case study of the IRC-based botnet C&C communication and then present a novel method to detect botnet C&C communications. We develop quantitative ways to assess the C&C communications between the bot and the C&C server; furthermore, we also illustrate the correlation methods within the same botnet's C&C communications to decrease the false positive rate.

Wei Wang,Yaoyao Shang,Yongzhong He,Yidong Li,Jiqiang Liu

DOI: https://doi.org/10.1016/j.ins.2019.09.024

IF: 8.1

2020-02-01

Information Sciences

Abstract:The Botnets have become one of the most serious threats to cyber infrastructure. Most existing work on detecting botnets is based on flow-based traffic analysis by mining their communication patterns. There also exists related work based on anomaly detection in communication graphs. As bots have continuously evolved and become increasingly sophisticated, only using flow-based traffic analysis or graph-based analysis for the detection would result in false negatives or false positives, or can even be evaded. In this work, we propose BotMark, an automated model that detects botnets with hybrid analysis of flow-based and graph-based network traffic behaviors. We extract 15 statistical flow-based traffic features as well as 3 graph-based features in building the detection model. For flow-based detection, we consider the similarity and stability of C-flow as measurements in the detection. In particular, we employ k-means to measure the similarity of C-flows and assign similarity scores, and calculate stability score of C-flows through the distribution of packet length within a C-flow. The graph-based detection is based on the observation that the neighborhoods of anomalous nodes significantly differ from those of normal nodes in communication graphs. In particular, we use least-square technique and Local Outlier Factor (LOF) to calculate anomaly scores that measure the differences of their neighborhoods. Our models use the scores to mark bots. BotMark performs automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors by ensemble of the detection results based on similarity scores, stability scores and anomaly scores. We collect a very large size of network traffic by simulating 5 newly propagated botnets, including Mirai, Black energy, Zeus, Athena and Ares in a real computing environment. Extensive experimental results demonstrate the effectiveness of BotMark. It achieves 99.94% in terms of detection accuracy, outperforming any individual detector with flow-based detection or graph-based detection.

computer science, information systems

Ganesh Subramaniam,Huan Chen,Ravi Varadhan,Robert Archibald

DOI: https://doi.org/10.48550/arXiv.2108.08924

2021-08-19

Cryptography and Security

Abstract:Cybersecurity, security monitoring of malicious events in IP traffic, is an important field largely unexplored by statisticians. Computer scientists have made significant contributions in this area using statistical anomaly detection and other supervised learning methods to detect specific malicious events. In this research, we investigate the detection of botnet command and control (C&C) hosts in massive IP traffic. We use the NetFlow data, the industry standard for monitoring of IP traffic for exploratory analysis and extracting new features. Using statistical as well as deep learning models, we develop a statistical intrusion detection system (SIDS) to predict traffic traces identified with malicious attacks. Employing interpretative machine learning techniques, botnet traffic signatures are derived. These models successfully detected botnet C&C hosts and compromised devices. The results were validated by matching predictions to existing blacklists of published malicious IP addresses.

Jiazhong Lu,Fengmao Lv,Quan-Hui Liu,Malu Zhang,Xiaosong Zhang

DOI: https://doi.org/10.1109/icpr.2018.8546312

2018-01-01

Abstract:Difficult to be detected in complex network environments, botnets have been huge threats to network security. As the circumscriptions of normal traffics and botnet traffics are blurring, the commonly used botnet detection methods based on traffic analysis often result in high false positive rates. To overcome this issue, we propose an effective botnet detection method based on fuzzy association rules. The proposed method can calculate the features of botnet traffic accurately, which can be used to recognize the normal traffic and botnet. We first collect the data in the laboratory by setting different botnets in the controlled experiment. The botnet traffic features, association rules support, trust and membership are calculated by the proposed method, which are further used to distinguish the type of botnet. When our method is compared with other methods in our data set, we find the former performs better. For the generality, we also test our method on the public data set and also find the higher accuracy rates, which demonstrates the proposed method is effective in detecting the botnets.

Guangli Wu,Xingyue Wang,Qian Lu,Hanlin Zhang

DOI: https://doi.org/10.1016/j.eswa.2024.123384

IF: 8.5

2024-02-11

Expert Systems with Applications

Abstract:A botnet is a group of hijacked devices that conduct various cyberattacks, which is one of the most dangerous threats on the internet. Individuals or organizations can effectively detect botnets by analyzing abnormal behaviors in network traffic. Existing works focus on extracting the deterministic behavioral features, which highly rely on statistical features and existing botnet interaction structures, resulting in unsatisfactory detection accuracy, especially for unknown botnet traffic. The botnet detection method based on the original traffic bytes has more advantages in this regard, especially the use of mining payload information in the traffic to enhance the identification of abnormal botnet behavior is the focus of this study. In this paper, we propose a dual-mode botnet detection scheme, which takes the original traffic bytes as the object, one is to encode the implicit semantic relationship between the traffic bytes through a multi-layer Transformer encoder, and the other is the network traffic Image representation, the spatial relationship of traffic bytes is captured by a deep neural network, and then botnet detection is achieved by maximizing the mutual information between the two. We conduct comprehensive experiments with both known botnets and unknown botnets to evaluate our scheme. Experimental results show that for known botnets, our approach achieves 99.84% and 91.92% detection accuracy with CTU-13 and ISCX-2014 datasets, respectively, which is 3.04% and 2.54% more accurate compared with the state-of-art (DL). For unknown datasets, our scheme is 10.19% more accurate than the existing traffic representation.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Biao Qi,Zhixin Shi,Yan Wang,Jizhi Wang,Qiwen Wang,Jianguo Jiang

DOI: https://doi.org/10.1007/978-3-319-75160-3_23

2018-01-01

Abstract:Nowadays, malicious software and especially botnets leverage HTTP protocol as their communication and command (C&C) channels to connect to the attackers and control compromised clients. Due to its large popularity and facility across firewall, the malicious traffic can blend with legitimate traffic and remains undetected. While network signature-based detection systems and models show extraordinary advantages, such as high detection efficiency and accuracy, their scalability and automatization still need to be improved.

Qinglin He,Lihong Wang,Lin Cui,Libin Yang,Bing Luo

DOI: https://doi.org/10.3390/electronics11111771

IF: 2.9

2022-01-01

Electronics

Abstract:The explosive growth of botnets has posed an unprecedented potent threat to the internet. It calls for more efficient ways to screen influential bots, and thus precisely bring the whole botnet down beforehand. In this paper, we propose a gravity-based critical bots identification scheme to assess the influence of bots in a large-scale botnet infection. Specifically, we first model the propagation of the botnet as a Heterogeneous Bot Infection Network (HBIN). An improved SEIR model is embedded into HBIN to extract both heterogeneous spatial and temporal dependencies. Within built-up HBIN, we elaborate a gravity-based influential bots identification algorithm where intrinsic influence and infection diffusion influence are specifically designed to disclose significant bots traits. Experimental results based on large-scale sample collections from the implemented prototype system demonstrate the promising performance of our scheme, comparing it with other state-of-the-art baselines.

Jing Wang,Ioannis Ch. Paschalidis

DOI: https://doi.org/10.48550/arXiv.1503.02337

2015-03-09

Abstract:Signature-based botnet detection methods identify botnets by recognizing Command and Control (C\&C) traffic and can be ineffective for botnets that use new and sophisticate mechanisms for such communications. To address these limitations, we propose a novel botnet detection method that analyzes the social relationships among nodes. The method consists of two stages: (i) anomaly detection in an "interaction" graph among nodes using large deviations results on the degree distribution, and (ii) community detection in a social "correlation" graph whose edges connect nodes with highly correlated communications. The latter stage uses a refined modularity measure and formulates the problem as a non-convex optimization problem for which appropriate relaxation strategies are developed. We apply our method to real-world botnet traffic and compare its performance with other community detection methods. The results show that our approach works effectively and the refined modularity measure improves the detection accuracy.

Social and Information Networks,Physics and Society

Peng Hui Li,Jie Xu,Zhong Yi Xu,Su Chen,Bo Wei Niu,Jie Yin,Xiao Feng Sun,Hao Liang Lan,Lu Lu Chen

DOI: https://doi.org/10.32604/cmc.2022.029969

2022-01-01

Abstract:At present, the severe network security situation has put forward high requirements for network security defense technology. In order to automate botnet threat warning, this paper researches the types and characteristics of Botnet. Botnet has special characteristics in attributes such as packets, attack time interval, and packet size. In this paper, the attack data is annotated by means of string recognition and expert screening. The attack features are extracted from the labeled attack data, and then use K-means for cluster analysis. The clustering results show that the same attack data has its unique characteristics, and the automatic identification of network attacks is realized based on these characteristics. At the same time, based on the collection and attribute extraction of Botnet attack data, this paper uses RF, GBM, XGBOOST and other machine learning models to test the warning results, and automatically analyzes the attack by importing attack data. In the early warning analysis results, the accuracy rates of different models are obtained. Through the descriptive values of the three accuracy rates of Accuracy, Precision, and F1_Score, the early warning effect of each model can be comprehensively displayed. Among the five algorithms used in this paper, three have an accuracy rate of over 90%. The three models with the highest accuracy are used in the early warning model. The research shows that cyberattacks can be accurately predicted. When this technology is applied to the protection system, accurate early warning can be given before a network attack is launched.

computer science, information systems,materials science, multidisciplinary

Tao Cai,Futai Zou

DOI: https://doi.org/10.1109/WiCOM.2012.6478491

2012-01-01

Abstract:Botnet is a great threat of the Internet nowadays. For now, Botnet has transformed to the complex one based on HTTP, P2P protocols from the simple Botnets which based on IRC protocol. In this paper, we evaluate the key features of HTTP Botnet and design a new method to detect the HTTP Botnet based on feature analysis. The experiment result shows that our method is effective and efficient on detecting HTTP Botnet.

李翔,胡华平,刘波,陈新

DOI: https://doi.org/10.3969/j.issn.1004-373x.2010.15.041

2010-01-01

Abstract:P2P Botnet is a serious threat to Internet security.A P2P botnet detecting model is proposed based on P2P traffic detection and malicious behavior detection on the host.A structured P2P network which is composed of monitoring nodes based on Chord protocol is established,the information of the hosts which have malicious behavior and P2P traffic at the same time are reported to the monitoring nodes.The hosts which have similar maliciousact behavior belong to a P2P Botnet according to fusing and analyzing the hosts behavior of P2P Botnet.

Wei Wu,Jaime Alvarez,Chengcheng Liu,Hung-Min Sun

DOI: https://doi.org/10.1007/s00542-016-3237-0

2016-01-01

Microsystem Technologies

Abstract:This research focuses on bot detection through implementation of techniques such as traffic analysis, unsupervised machine learning, and similarity analysis between benign traffic data and bot traffic data. In this study, we tested and experimented with different clustering algorithms and recorded their accuracy with our prepared datasets. Later, the best clustering algorithm was used to proceed with the next steps of the methodology such as determination of majority clusters (cluster with most flows), removal of duplicate flows, and calculation of similarity analysis. Results were recorded for the removal of duplicate flows stage, the results indicate how many flows each majority cluster contains and how many duplicate flows were removed from this majority cluster. Next, results for similarity analysis indicate the value of the similarity coefficient for the comparisons between all datasets (bot datasets and benign dataset). With these results we can present some heuristic conclusion for determining possible bot infection in a certain host.

Jianguo Jiang,Qilei Yin,Zhixin Shi,Qiwen Wang,Wei Zhou

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2019.00090

2019-01-01

Abstract:A great many of botnet detection researches focus on recognizing and blocking its significant C&C channel. And they typically require a certain number of C&C training instances to build a behavior detection model. However, when lacking the C&C training instances for new or even unknown botnets, these methods may become inefficient or even invalid. To overcome it, we propose a new hybrid approach for network based C&C channel detection. It neither needs us to prepare the C&C training instances, nor requires deploying malicious activities monitors. It utilizes two heuristic rules to filter the non C&C traffic disobeying common C&C characteristics, and then makes the final C&C detection through a behavior based anomaly detecting model, which only requires normal traffic for training. Our approach achieved the average C&C F-measure of above 0.9 for most evaluation datasets. Moreover, the comparison result not only demonstrates our approach has significant performance advantages than the pure heuristic rule based methods, but also shows that our behavior model can profile network traffic in detail, mine more useful behavior differences than the anomaly models using traditional statistical features, and then achieve a better detection result.

王涛,余顺争

2010-01-01

Abstract:Botnet is a novel attack strategy evolved from traditional malware forms and imposes a serious threat on the network security.Especially,most of the existing botnets employ the centralized architecture which provides a simple,low-latency,anonymous and efficient real-time communication platform.The bots connect to a remote central server and wait for the commands from the botnet controller.The flows caused by the commands and the responses from the bots are generally very similar with each other and synchronous in time,because of the limited set of the commands and the programmed responses of the bots.The main contribution of this study is the development of a common detection mechanism aiming at the centralized botnets by monitoring the global correlated behaviors embedded in the command and control(CC) traffic.By conducting an experiment with real traffic data,it shows that this method is efficient in detecting the prevalent centralized botnets.

Riaz Ullah Khan,Xiaosong Zhang,Rajesh Kumar,Abubakar Sharif,Noorbakhsh Amiri Golilarz,Mamoun Alazab

DOI: https://doi.org/10.3390/app9112375

2019-01-01

Applied Sciences

Abstract:In recent years, the botnets have been the most common threats to network security since it exploits multiple malicious codes like a worm, Trojans, Rootkit, etc. The botnets have been used to carry phishing links, to perform attacks and provide malicious services on the internet. It is challenging to identify Peer-to-peer (P2P) botnets as compared to Internet Relay Chat (IRC), Hypertext Transfer Protocol (HTTP) and other types of botnets because P2P traffic has typical features of the centralization and distribution. To resolve the issues of P2P botnet identification, we propose an effective multi-layer traffic classification method by applying machine learning classifiers on features of network traffic. Our work presents a framework based on decision trees which effectively detects P2P botnets. A decision tree algorithm is applied for feature selection to extract the most relevant features and ignore the irrelevant features. At the first layer, we filter non-P2P packets to reduce the amount of network traffic through well-known ports, Domain Name System (DNS). query, and flow counting. The second layer further characterized the captured network traffic into non-P2P and P2P. At the third layer of our model, we reduced the features which may marginally affect the classification. At the final layer, we successfully detected P2P botnets using decision tree Classifier by extracting network communication features. Furthermore, our experimental evaluations show the significance of the proposed method in P2P botnets detection and demonstrate an average accuracy of 98.7%.

YIN Tao,LI Shi-cong,TUO Yu-peng,ZHANG Yong-zheng

DOI: https://doi.org/10.11959/j.issn.1000-436x.2017012

2017-01-01

Abstract:To defeat botnets and ensure cyberspace security, a novel social network-based botnet with strong de-stroy-resistance (DR-SNbot), as well as its corresponding countermeasure, was proposed. DR-SNbot constructed command and control servers (C&C-Servers) based on social network. Each C&C-Server corresponded to a unique pseudo-random nickname. The botmaster issues commanded by hiding them in diaries using information hiding techniques, and then a novel C&C channel was established. When different proportions of C&C-Servers were invalid, DR-SNbot would send out different levels of alarms to inform attackers to construct new C&C-Servers. Then, DR-SNbot could automatically repair C&C com-munication to ensure its strong destroy-resistance. Under the experimental settings, DR-SNbot could resume the C&C com-munication in a short period of time to keep 100% of the control rate even if all the current C&C-Servers were invalid. Fi-nally, a botnet nickname detecting method was proposed based on the difference of lexical features of legal nicknames and pseudo-random nicknames. Experimental results show that the proposed method can effectively (precision: 96.88%, recall: 93%) detect pseudo-random nicknames generated by social network-based botnets with customized algorithms.

Gang DONG,Yun TENG,Xinyang JIANG,Dong GUO,Qiang LI

DOI: https://doi.org/10.13413/j.cnki.jdxblxb.2017.06.26

2017-01-01

Abstract:We applied artificial immune system algorithm to the real-time detection of botnet,and proposed an online detection model based on deterministic dendritic cell algorithm.Combining the characteristics of botnets,the behavior signals were defined,and the real-time detection of the host of botnet based on the heuristic information was realized.The validity of the model was experimentally verified by using standard data sets.Experimental results show that this model has the advantages of real-time,simple behavior definition and accepting the definition of multiple kinds of heuristic information.Moreover,the false negative rate and false positive rate of detection of botnet are low.

FAN Yi-yan,WU Guo-rui,CHEN Jian-li,TANG Bo

DOI: https://doi.org/10.16208/j.issn1000-7024.2011.09.064

2011-01-01

Abstract:The contemporary IRC botnet detection methods are not suitable for botnet detection under infrequently command and control interactions.To detect small stealthy botnet,a botnet detection model based on sequential analysis is proposed,which is a complement to contemporary passive detection technologies.Several probe methods and detection algorithms are discussed considering response types of clients,and average round of detection is analyzed,only small portion of command and control interactions are observed to declare single or multiple IRC bot.The results show that botnet detection is completed in expected round under controlled false positive rate and false negative rate.