Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.cose.2019.04.015

IF: 5.105

2019-01-01

Computers & Security

Abstract:Botnets have become one of the main threats to cyberspace security currently. More and more bots utilize the domain generation algorithm (DGA) to generate malicious domain names to communicate with Command & Control (C&C) servers. A well-designed DGA can bypass the traditional detection methods such as sinkhole and rule filtering, which raises new challenges to cyberspace security. In the field of machine learning, the n-gram is a semantic model that characterizes the relationship among neighboring morphemes while deep convolutional neural networks have a robust capability in processing information with translation-invariant properties. In this paper, we combined n-gram and a deep convolutional neural network and then proposed a novel n-gram combined character based domain classification (n-CBDC) model. The n-CBDC model runs in an end-to-end way that doesn’t require hand-extracted features or domain name system (DNS) contextual information; it only needs to input the domain name itself and can automatically estimate the probability that the domain name was generated by DGAs. Experiments on real-world data show that the proposed method can effectively detect domain names generated by DGAs with 98.69% average detection rate and 0.9829 average F-measure, and significantly outperformed the state-of-art methods in detecting pronounceable and wordlist-based DGA domain names with more than 93.89% detection rate. Therefore, the proposed detection method is robust and has a wide range of adaptability in detecting various types of domain names generated by DGAs.

Shaofang Zhou,Lanfen Lin,Junkun Yuan,Feng Wang,Zhaoting Ling,Jia Cui

DOI: https://doi.org/10.1109/isi.2019.8823200

2019-01-01

Abstract:Attackers often use domain generation algorithms (DGAs) to create various kinds of pseudorandom domains dynamically and select a part of them to connect with command and control servers, therefore it is important to automatically detect the algorithmically generated domains (AGDs). AGDs can be broken down into two categories: character-based domains and wordlist-based domains. Recently, methods based on machine learning and deep learning have been widely explored. However, much of the previous work perform well in detecting one kind of DGA families but poorly in classifying another kind. A general detection system which is applicable to both kinds of domains still remains a challenge. To address this problem, we propose a novel real-time detection method with high accuracy as well as high coverage. We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.

Chunyang Song,Mairidan Wushouer,Gulanbaier Tuerho

DOI: https://doi.org/10.1109/bdicn55575.2022.00017

2022-01-01

Abstract:Aiming at the problem that traditional machine learning cannot apply learned knowledge to new tasks and has poor classification effect when dealing with unbalanced botnet detection data, This paper proposed a botnet detection method based on generative adversarial network(GAN) and Efficient Lifelong Learning Algorithm(ELLA). Firstly, the time window is used to extract the feature of the CTU-13 data set. Then, the training set and the test set are divided, and the GAN is used to expand the data of a small number of samples in the training set. The ELLA model is trained using the expanded training set. Finally, experiments are carried out on the test set. The experimental results show that compared with B-ELLA method, the average accuracy is increased by 8.15 %, and the average recall rate is increased by 14.5 %. Compared with the traditional machine learning method, GAN-ELLA can also achieve better detection results.

Xinjun Pei,Shengwei Tian,Long Yu,Huanhuan Wang,Yongfang Peng

DOI: https://doi.org/10.1007/s10922-020-09554-9

2020-01-01

Journal of Network and Systems Management

Abstract:With the development of Internet technology, botnets have become a major threat to most of the computers over the Internet. Most sophisticated bots use Domain Generation Algorithms (DGAs) to automatically generate a large number of pseudo-random domain names in Domain Name Service (DNS) domain fluxing, which can allow malware to communicate with Command and Control (C&C) server. To cope with this challenge, we built a novel Two-Stream network-based deep learning framework (named TS-ASRCaps) that uses multimodal information to reflect the properties of DGAs. Furthermore, we proposed an Attention Sliced Recurrent Neural Network (ATTSRNN) to automatically mine the underlying semantics. We also used a Capsule Network (CapsNet) with dynamic routing to model high-level visual information. Finally, we emphasized how the multimodal-based model outperforms other state-of-the-art models for the classification of domain names. To the best of our knowledge, this is the first work that the multimodal deep learning have been empirically investigated for DGA botnet detection.

Xiaodong Zang,Jianbo Cao,Xinchang Zhang,Jian Gong,Guiqing Li

DOI: https://doi.org/10.1007/s11235-023-01073-7

2024-01-01

Telecommunication Systems

Abstract:Botnets are one of the major threats to network security nowadays. To carry out malicious actions remotely, they heavily rely on Command and Control channels. DGA-based botnets use a domain generation algorithm to generate a significant number of domain names. By analyzing the linguistic distinctions between legitimate and DGA-based domain names, traditional machine learning schemes obtain great benefits. However, it is difficult to identify the ones based on wordlists or pseudo-random generated. Accordingly, this paper proposes an efficient CNN-LSTM-based detection model (BotDetector) that uses only a set of simple-to-compute, easy-to-compute character features. We evaluate our model with two open-source benchmark datasets (360 netlab, Bambenek) and real DNS traffic from the China Education and Research Network. Experimental results demonstrate that our algorithm improves by 1.6 % in terms of accuracy and F1-score and reduces the computation time by 9.4 % compared to other state-of-the-art alternatives. Remarkably, our work can identify botnet’s covert communication channels that use domain names based on word lists or pseudo-random generation without any help of reverse engineering.

Guangli Wu,Xingyue Wang,Qian Lu,Hanlin Zhang

DOI: https://doi.org/10.1016/j.eswa.2024.123384

IF: 8.5

2024-02-11

Expert Systems with Applications

Abstract:A botnet is a group of hijacked devices that conduct various cyberattacks, which is one of the most dangerous threats on the internet. Individuals or organizations can effectively detect botnets by analyzing abnormal behaviors in network traffic. Existing works focus on extracting the deterministic behavioral features, which highly rely on statistical features and existing botnet interaction structures, resulting in unsatisfactory detection accuracy, especially for unknown botnet traffic. The botnet detection method based on the original traffic bytes has more advantages in this regard, especially the use of mining payload information in the traffic to enhance the identification of abnormal botnet behavior is the focus of this study. In this paper, we propose a dual-mode botnet detection scheme, which takes the original traffic bytes as the object, one is to encode the implicit semantic relationship between the traffic bytes through a multi-layer Transformer encoder, and the other is the network traffic Image representation, the spatial relationship of traffic bytes is captured by a deep neural network, and then botnet detection is achieved by maximizing the mutual information between the two. We conduct comprehensive experiments with both known botnets and unknown botnets to evaluate our scheme. Experimental results show that for known botnets, our approach achieves 99.84% and 91.92% detection accuracy with CTU-13 and ISCX-2014 datasets, respectively, which is 3.04% and 2.54% more accurate compared with the state-of-art (DL). For unknown datasets, our scheme is 10.19% more accurate than the existing traffic representation.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Fatma Zafar,Shivank Soni

DOI: https://doi.org/10.24113/ijoscience.v10i3.513

2024-03-28

SMART MOVES JOURNAL IJOSCIENCE

Abstract:This paper presents a comprehensive approach to botnet detection in Internet of Things (IoT) networks through the development and evaluation of a Generative Adversarial Network (GAN) augmented machine learning model. The methodology encompasses a multi-step process, starting with data collection and pre-processing, including feature extraction, normalization, and handling missing values. To address the challenge of data imbalance, a novel application of GANs is proposed. For classification of network traffic into botnet and legitimate traffic is performed using xgboost. The performance of the proposed model is rigorously evaluated using the N-BaIoT dataset, demonstrating its effectiveness through high accuracy, precision, recall, and F1-score metrics. The results indicate significant improvements over existing models, showcasing the potential of the proposed methodology in enhancing IoT network security against botnet threats.

Bonan Zhang,Jingjin Li,Chao Chen,Kyungmi Lee,Ickjai Lee

DOI: https://doi.org/10.1007/978-3-030-94029-4_5

2021-01-01

Abstract:Botnet attacks have now become a major source of cyberattacks. How to detect botnet traffic quickly and efficiently is a current problem for most enterprises. To solve this, we have built a plug-and-play botnet detection system using graph neural network algorithms. The system detects botnets by identifying the network topology and is very good at detecting botnets with different structures. Moreover, the system helps researchers to visualise which nodes in the network are at risk of botnets through a graphical interface.

Jiawei Zhou,Zhiying Xu,Alexander M. Rush,Minlan Yu

DOI: https://doi.org/10.48550/arXiv.2003.06344

2020-03-13

Abstract:Botnets are now a major source for many network attacks, such as DDoS attacks and spam. However, most traditional detection methods heavily rely on heuristically designed multi-stage detection criteria. In this paper, we consider the neural network design challenges of using modern deep learning techniques to learn policies for botnet detection automatically. To generate training data, we synthesize botnet connections with different underlying communication patterns overlaid on large-scale real networks as datasets. To capture the important hierarchical structure of centralized botnets and the fast-mixing structure for decentralized botnets, we tailor graph neural networks (GNN) to detect the properties of these structures. Experimental results show that GNNs are better able to capture botnet structure than previous non-learning methods when trained with appropriate data, and that deeper GNNs are crucial for learning difficult botnet topologies. We believe our data and studies can be useful for both the network security and graph learning communities.

Cryptography and Security,Machine Learning

Wei Wang,Yaoyao Shang,Yongzhong He,Yidong Li,Jiqiang Liu

DOI: https://doi.org/10.1016/j.ins.2019.09.024

IF: 8.1

2020-02-01

Information Sciences

Abstract:The Botnets have become one of the most serious threats to cyber infrastructure. Most existing work on detecting botnets is based on flow-based traffic analysis by mining their communication patterns. There also exists related work based on anomaly detection in communication graphs. As bots have continuously evolved and become increasingly sophisticated, only using flow-based traffic analysis or graph-based analysis for the detection would result in false negatives or false positives, or can even be evaded. In this work, we propose BotMark, an automated model that detects botnets with hybrid analysis of flow-based and graph-based network traffic behaviors. We extract 15 statistical flow-based traffic features as well as 3 graph-based features in building the detection model. For flow-based detection, we consider the similarity and stability of C-flow as measurements in the detection. In particular, we employ k-means to measure the similarity of C-flows and assign similarity scores, and calculate stability score of C-flows through the distribution of packet length within a C-flow. The graph-based detection is based on the observation that the neighborhoods of anomalous nodes significantly differ from those of normal nodes in communication graphs. In particular, we use least-square technique and Local Outlier Factor (LOF) to calculate anomaly scores that measure the differences of their neighborhoods. Our models use the scores to mark bots. BotMark performs automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors by ensemble of the detection results based on similarity scores, stability scores and anomaly scores. We collect a very large size of network traffic by simulating 5 newly propagated botnets, including Mirai, Black energy, Zeus, Athena and Ares in a real computing environment. Extensive experimental results demonstrate the effectiveness of BotMark. It achieves 99.94% in terms of detection accuracy, outperforming any individual detector with flow-based detection or graph-based detection.

computer science, information systems

Yaoyao Shang,Shuangmao Yang,Wei Wang

DOI: https://doi.org/10.1007/978-3-030-00009-7_55

2018-01-01

Abstract:Botnets have become one of the most serious threats to cyber infrastructure. Many existing botnet detection approaches become invalid due to botnet structure sophistication or encryption of payload of the traffic. In this work, we propose an effective anomaly-based botnet detection method by hybrid analysis of flow based and graph-based features of network traffic. Frist, from network traffic we extract 15 statistical aggregated flow based features as well as 7 types of graph based features, such as in degree, out degree, in degree weight, out degree weight, node betweenness centrality, local clustering coefficient and PageRank. Second, we employ K-means, k-NN and One-class SVM to detect bots based on the hybrid analysis of these two types of features. Finally, we collect a large size of network traffic in real computing environment by implementing 5 different botnets including newly propagated Mirai and others like Athena and Black energy. The extensive experimental results show that our method based on the hybrid analysis is better than the method of individual analysis in terms of detection accuracy. It achieves the best performance with 96.62% of F-score. The experimental results also demonstrate the effectiveness of our method on the detection of novel botnets like Mirai, Athena and Black energy.

Zhicheng Liu,Xiaochun Yun,Yongzheng Zhang,Yipeng Wang

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2019.00027

2019-01-01

Abstract:Botnet is a part of the most destructive threats to network security and is often used in malicious activities. DGA-based botnet, which uses Domain Generation Algorithm (DGA) to evade detection, has become the main channel to carry out online crimes. In the past, many detection mechanisms focusing on domain features are proposed, but the potential problem is that the features extracting only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel approach named CCGA to detect DGA-based botnet by leveraging the concerted group behaviors of infected hosts on DNS traffic. The analysis of group behaviors enhances the robustness of our system irrespective of various evasion techniques, such as fake-querying, packet encryption and noise generated by normal users. The proposed scheme associates hosts together in an unsupervised way and then uses supervised learning to distinguish whether it's a botnet. Our system is evaluated in a large ISP over two days and compared with the state of art FANCI. Experimental results show that CCGA can accurately and effectively detect DGA-based botnet in a real-world network. Our system also catches 5 unknown botnet groups and provides a novel method to verify them. Therefore, the system will provide an unique perspective on the current state of globally distributed malware, particularly the ones that use DNS.

Weiming Li,Songlin Xie,Jie Luo,Xiaodong Zhu

DOI: https://doi.org/10.2991/icsem.2013.100

2013-01-01

Abstract:How to detect Botnet has become a very important problem in security network. The existent detection methods based on network traffic and host behaviors can’t handle the emergency Botnets. In this paper we present an optimized method to analyze the similarity and time period of Botnets behaviors. In the end, our method gets an effective result. Our method uses the IDS-like architecture, which develops six specific components to detect six important Botnets abnormal behaviors. And it builds correlation rules to calculate match score. Through the experiments described in the paper, we can see that our method can not only detect already known Botnets precisely, but also detect unknown Botnets to some extent. The experiments prove that our method is effective and it has some advantages compared with other methods. At last, the paper proposes the future direction and the points that need to be improved.

WU Di,FANG Binxing,CUI Xiang,LIU Qixu

DOI: https://doi.org/10.11959/j.issn.1000-436x.2018135

2018-01-01

Abstract:Machine learning technology has wide application in botnet detection.However,with the changes of the forms and command and control mechanisms of botnets,selecting features manually becomes increasingly difficult.To solve this problem,a botnet detection system called BotCatcher based on deep learning was proposed.It automatically extracted features from time and space dimension,and established classifier through multiple neural network constructions.BotCatcher does not depend on any prior knowledge which about the protocol and the topology,and works without manually selecting features.The experimental results show that the proposed model has good performance in botnet detection and has ability to accurately identify botnet traffic .

Bin Wu,Le Liu,Zhengge Dai,Xiujuan Wang,Kangfeng Zheng

DOI: https://doi.org/10.3837/tiis.2019.11.018

2019-01-01

KSII Transactions on Internet and Information Systems

Abstract:Malicious social robots, which are disseminators of malicious information on social networks, seriously affect information security and network environments. The detection of malicious social robots is a hot topic and a significant concern for researchers. A method based on classification has been widely used for social robot detection. However, this method of classification is limited by an unbalanced data set in which legitimate, negative samples outnumber malicious robots (positive samples), which leads to unsatisfactory detection results. This paper proposes the use of generative adversarial networks (GANs) to extend the unbalanced data sets before training classifiers to improve the detection of social robots. Five popular oversampling algorithms were compared in the experiments, and the effects of imbalance degree and the expansion ratio of the original data on oversampling were studied. The experimental results showed that the proposed method achieved better detection performance compared with other algorithms in terms of the F1 measure. The GAN method also performed well when the imbalance degree was smaller than 15%.

Yudong Zhang,Yuzhong Chen,Yangyang Lin,Yankun Zhang

DOI: https://doi.org/10.1007/978-981-15-1377-0_57

2019-01-01

Abstract:Domain generation algorithms (DGA) provide methods that use specific parameters as random seeds to generate a large number of random domain names for preventing malicious domain name detection, which greatly increases the difficulty of detecting and defending botnets and malware. State-of-the-art models for detecting algorithmically generated domain names are generally based on the principle of analyzing the statistical characteristics of the domain name and building a classifier to locate the algorithmically generated ones. However, most current models have problems of requiring the manual construction of feature sets for classification, as they are sensitive to the imbalance of the sample distribution in the domain name dataset and are difficult to adapt to frequent changes of the domain name algorithm. To address this issue, we propose a hybrid model that combines a convolutional neural network (CNN) and a bidirectional long-term memory network (BLSTM). First, to solve the problem of the number of domain names generated by DGAs being relatively small and the sample distribution being unbalanced, which consequently decreases detection accuracy, the borderline synthetic minority over sampling technique is employed to optimize the sample balance of the domain name dataset. Second, a hybrid deep neural network that combines CNN and BLSTM is introduced to extract the semantic and context-dependency features from the domain names. The experimental results from different domain-name datasets demonstrate that the proposed model achieves significant improvement over state-of-the-art models with regard to precision and robustness.

Yali Duan,Jianming Cui,Yungang Jia,Ming Liu

DOI: https://doi.org/10.1007/978-981-97-0801-7_3

2024-01-01

Abstract:At present, cyber attacks on vehicle network have are proliferating, one of the most significant difficulties in the current detection methods is that the malicious flows are small and discrete in the whole link. In view of the above issues, this paper proposed a detection model based on the integration of Generative Adversarial Networks (GANs) and Deep Belief Networks (DBN). In this model, GANs is first used to enhance the few malicious flow samples, and then an improved DBN is used to evaluate the effect of data generation, so as to improve the uneven distribution of samples in the data set. In the testing section, open data set CIC-IDS2017 was selected for data enhancement and evaluated the performance of the proposed model. The experimental results show that the proposed model has significantly improved the detection performance of few cyber attacks samples compared with traditional detection algorithms. In addition, compared with the method of merge-generate data set approach, the accuracy rate, recall rate, F1 value and other evaluation indexes of the proposed model for the few samples detection have been greatly improved. Therefore, it can be considered that the proposed model is effective than current methods in dealing with the uneven distribution of data sets in traditional cyber attack detection.

Wengang Ma,Yadong Zhang,Jin Guo,Kehong Li

DOI: https://doi.org/10.2991/ijcis.d.210301.003

IF: 2.259

2021-01-01

International Journal of Computational Intelligence Systems

Abstract:Complex and multidimensional network traffic features have potential redundancy. When traditional detection methods are used for training samples, the detection accuracy of the supervised classification model is affected due to small data samples. Therefore, a method based on generative adversarial networks (GANs) and feature optimization is proposed....

computer science, artificial intelligence, interdisciplinary applications

Zhicheng Liu,Shuhao Li,Yongzheng Zhang,Xiaochun Yun,Zhenyu Cheng

DOI: https://doi.org/10.1109/iscc50000.2020.9219561

2020-01-01

Abstract:With the booming of malware-based cyber-security incidents and the sophistication of attacks, previous detections based on malware sample analysis appear powerless due to time-consuming and labor-intensive analysis process. The existing detection methods based on traffic analysis rely heavily on the available traffic patterns, which hinder detecting the zero-day attacks caused by malware variants. In this paper, we propose an approach based on deep learning referred to as TrafficGAN, which analyzes (HTTP) traffic sessions to distinguish between malware-related and normal traffic. We first try to explore traffic patterns of malware variants by adding noise and category condition to the Generative Adversarial Networks (GAN), thus generating various similar but slightly different traffic. And then, we use discriminative model to seek the deviation between abnormal traffic and normal traffic by extracting the essential difference. Notablely, we increase the diversity of data by generating samples adversarially, which enhances the robustness of the system to detect zero-day attacks and highlights the lack of sensitive data in the security community. We conduct extensive experiments on the public dataset and our data collected for specific targets. The results demonstrate that our method achieves superior performance to other methods and protects specific targets from the susceptibility of malware.

Yimo Ren,Hong Li,Peipei Liu,Jie Liu,Hongsong Zhu,Limin Sun

DOI: https://doi.org/10.1016/j.cose.2023.103317

2023-06-02

Abstract:Botnets often use Domain Generation Algorithms (DGAs) to generate lots of Algorithmically Generated Domains (AGDs), which seem real, to hide their attacks. So, knowing the DGAs is very helpful for the precise and fast detection of AGDs, which is essential for network security. However, the detection of AGDs still needs further improvement due to existing problems. First, various DGAs change at any time, bringing the need for models to fit quickly in the pattern of new DGAs. Second, the mechanisms of different DGAs are divergent. Therefore, it requires a strong ability of models to learn the DGAs well. Third, most AGDs are blind to people, so models trained on available data are difficulty having generalized detection ability. To solve these problems, the paper proposes CL-GAN: A GAN-based Continual Learning Model for Generating and Detecting AGDs. CL-GAN is based on Generative Adversarial Networks (GAN) and includes three parts: a Generator to learn the DGAs, a Discriminator to detect the AGDs and a Teacher to provide existing learned knowledge. Further, CL-GAN also constructs prompt noises to enhance the ability to generate AGDs of the Generator. The paper conducts experiments on the domains from 360DGA and Alexa Top 1M. Compared with existing models, the results show the generality and effectiveness of CL-GAN and its life-long ability to detect AGDs.

computer science, information systems