Jiawei Zhou,Zhiying Xu,Alexander M. Rush,Minlan Yu

DOI: https://doi.org/10.48550/arXiv.2003.06344

2020-03-13

Abstract:Botnets are now a major source for many network attacks, such as DDoS attacks and spam. However, most traditional detection methods heavily rely on heuristically designed multi-stage detection criteria. In this paper, we consider the neural network design challenges of using modern deep learning techniques to learn policies for botnet detection automatically. To generate training data, we synthesize botnet connections with different underlying communication patterns overlaid on large-scale real networks as datasets. To capture the important hierarchical structure of centralized botnets and the fast-mixing structure for decentralized botnets, we tailor graph neural networks (GNN) to detect the properties of these structures. Experimental results show that GNNs are better able to capture botnet structure than previous non-learning methods when trained with appropriate data, and that deeper GNNs are crucial for learning difficult botnet topologies. We believe our data and studies can be useful for both the network security and graph learning communities.

Cryptography and Security,Machine Learning

Jing Wang,Ioannis Ch. Paschalidis

DOI: https://doi.org/10.48550/arXiv.1503.02337

2015-03-09

Abstract:Signature-based botnet detection methods identify botnets by recognizing Command and Control (C\&C) traffic and can be ineffective for botnets that use new and sophisticate mechanisms for such communications. To address these limitations, we propose a novel botnet detection method that analyzes the social relationships among nodes. The method consists of two stages: (i) anomaly detection in an "interaction" graph among nodes using large deviations results on the degree distribution, and (ii) community detection in a social "correlation" graph whose edges connect nodes with highly correlated communications. The latter stage uses a refined modularity measure and formulates the problem as a non-convex optimization problem for which appropriate relaxation strategies are developed. We apply our method to real-world botnet traffic and compare its performance with other community detection methods. The results show that our approach works effectively and the refined modularity measure improves the detection accuracy.

Social and Information Networks,Physics and Society

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Pedro Camelo,Joao Moura,Ludwig Krippahl

DOI: https://doi.org/10.48550/arXiv.1410.8747

2014-10-31

Cryptography and Security

Abstract:Botnets represent a global problem and are responsible for causing large financial and operational damage to their victims. They are implemented with evasion in mind, and aim at hiding their architecture and authors, making them difficult to detect in general. These kinds of networks are mainly used for identity theft, virtual extortion, spam campaigns and malware dissemination. Botnets have a great potential in warfare and terrorist activities, making it of utmost importance to take action against. We present CONDENSER, a method for identifying data generated by botnet activity. We start by selecting appropriate the features from several data feeds, namely DNS non-existent domain responses and live communication packages directed to command and control servers that we previously sinkholed. By using machine learning algorithms and a graph based representation of data, then allows one to identify botnet activity, helps identifying anomalous traffic, quickly detect new botnets and improve activities of tracking known botnets. Our main contributions are threefold: first, the use of a machine learning classifier for classifying domain names as being generated by domain generation algorithms (DGA); second, a clustering algorithm using the set of selected features that groups network communication with similar patterns; third, a graph based knowledge representation framework where we store processed data, allowing us to perform queries.

Wei Wang,Yaoyao Shang,Yongzhong He,Yidong Li,Jiqiang Liu

DOI: https://doi.org/10.1016/j.ins.2019.09.024

IF: 8.1

2020-02-01

Information Sciences

Abstract:The Botnets have become one of the most serious threats to cyber infrastructure. Most existing work on detecting botnets is based on flow-based traffic analysis by mining their communication patterns. There also exists related work based on anomaly detection in communication graphs. As bots have continuously evolved and become increasingly sophisticated, only using flow-based traffic analysis or graph-based analysis for the detection would result in false negatives or false positives, or can even be evaded. In this work, we propose BotMark, an automated model that detects botnets with hybrid analysis of flow-based and graph-based network traffic behaviors. We extract 15 statistical flow-based traffic features as well as 3 graph-based features in building the detection model. For flow-based detection, we consider the similarity and stability of C-flow as measurements in the detection. In particular, we employ k-means to measure the similarity of C-flows and assign similarity scores, and calculate stability score of C-flows through the distribution of packet length within a C-flow. The graph-based detection is based on the observation that the neighborhoods of anomalous nodes significantly differ from those of normal nodes in communication graphs. In particular, we use least-square technique and Local Outlier Factor (LOF) to calculate anomaly scores that measure the differences of their neighborhoods. Our models use the scores to mark bots. BotMark performs automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors by ensemble of the detection results based on similarity scores, stability scores and anomaly scores. We collect a very large size of network traffic by simulating 5 newly propagated botnets, including Mirai, Black energy, Zeus, Athena and Ares in a real computing environment. Extensive experimental results demonstrate the effectiveness of BotMark. It achieves 99.94% in terms of detection accuracy, outperforming any individual detector with flow-based detection or graph-based detection.

computer science, information systems

Xianyang Qi,Jiashu Pu,Shiwei Zhao,Runze Wu,Jianrong Tao

DOI: https://doi.org/10.1007/978-3-031-05936-0_25

2022-01-01

Abstract:Game bots are automated programs that assist cheating players in obtaining huge superiority in Massively Multiplayer Online Role-Playing Games (MMORPGs), which has led to an imbalance in the gaming ecosystem and a collapse of interest among normal players. Game bot detection aims to identify cheating behaviors to ensure fair competition for MMORPGs. Due to the high practical value, there is much research on game bot detection at present. One main existing method is conventional machine learning algorithms, which require extensive feature engineering and get limited performance. The other main existing method is the recurrent neural network, but it fails to capture the complex behavioral patterns of players. To tackle the above problems, we propose a novel graph neural network-enhanced game bot detection model, namely GB-GNN. In the proposed model, we model players' trajectories as graph-structured data to capture the player's complex behavioral patterns that are difficult to reveal by traditional sequential methods. Extensive experiments on three real-world datasets show that GB-GNN outperforms the previous methods.

Muhammad Qasim,Muhammad Waleed,Tai-Won Um,Peyman Pahlevani,Jens Myrup Pedersen,Asif Masood

DOI: https://doi.org/10.1109/access.2024.3367122

IF: 3.9

2024-03-02

IEEE Access

Abstract:Cyberspace faces unparalleled threats due to the rapid rise in botnet attacks and their profound repercussions. Utilizing AI-assisted systems emerges as a potent solution for detecting and neutralizing such attacks. Existing research on botnet attack detection revolves around dataset creation, amplifying the detection methods' efficacy and precision via sophisticated machine learning models, and a behaviour-centric analysis. A discerning review of current datasets reveals their limitations: the obsolescence of some datasets, their limited relevance to certain attack types, and an imperative lack of ground truth. Addressing these gaps, we introduce a ground truth, the BotLab-DS1 dataset, featuring 5,279 real-world active botnet samples spanning 12 botnet families and 3,000 benign instances. This paper's core is threefold; initially, we delineate a thorough review of existing datasets and their inherent shortcomings. Subsequently, we unfold a holistic data creation strategy and leverage advanced feature engineering methods on static, behavioural, and network-centric attributes. Finally, the research involves training diverse machine learning algorithms using the BotLab-DS1 dataset for enhanced botnet detection. Our empirical findings underline that BotLab-DS1, when paired with the random forest algorithm, attains 98.6% accuracy and 99.0% precision. In contrast, gradient boosting trails closely, registering 96.34% accuracy and 96.0% precision. We believe our study will pioneer new pathways for dataset formulation and algorithmic scrutiny, enriching the research landscape and backing the global initiative to thwart botnet incursions effectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lihua Yin,Weizhe Chen,Xi Luo,Hongyu Yang

DOI: https://doi.org/10.3390/math12091315

IF: 2.4

2024-04-26

Mathematics

Abstract:In recent years, with the rapid development of the Internet of Things, large-scale botnet attacks have occurred frequently and have become an important challenge to network security. As artificial intelligence technology continues to evolve, intelligent detection solutions for botnets are constantly emerging. Although graph neural networks are widely used for botnet detection, directly handling large-scale botnet data becomes inefficient and challenging as the number of infected hosts increases and the network scale expands. Especially in the process of node level learning and inference, a large number of nodes and edges need to be processed, leading to a significant increase in computational complexity and posing new challenges to network security. This paper presents a novel approach that can accurately identify diverse intricate botnet architectures in extensive IoT networks based on the aforementioned circumstance. By utilizing GraphSAINT to process large-scale IoT botnet graph data, efficient and unbiased subgraph sampling has been achieved. In addition, a solution with enhanced information representation capability has been developed based on the Graph Isomorphism Network (GIN) for botnet detection. Compared with the five currently popular graph neural network (GNN) models, our approach has been tested on C2, P2P, and Chord datasets, and higher accuracy has been achieved.

mathematics

Yao Zhao,Yinglian Xie,Fang Yu,Qifa Ke,Yuan Yu,Yan Chen,Eliot Gillum

2009-01-01

Abstract:Network security applications often require analyzing huge volumes of data to identify abnormal patterns or activities. The emergence of cloud-computing models opens up new opportunities to address this challenge by leveraging the power of parallel computing. In this paper, we design and implement a novel system called BotGraph to detect a new type of botnet spamming attacks targeting major Web email providers. Bot-Graph uncovers the correlations among botnet activities by constructing large user-user graphs and looking for tightly connected subgraph components. This enables us to identify stealthy botnet users that are hard to detect when viewed in isolation. To deal with the huge data volume, we implement BotGraph as a distributed application on a computer cluster, and explore a number of performance optimization techniques. Applying it to two months of Hotmail log containing over 500 million users, BotGraph successfully identified over 26 million botnet-created user accounts with a low false positive rate. The running time of constructing and analyzing a 220GB Hot-mail log is around 1.5 hours with 240 machines. We believe both our graph-based approach and our implementations are generally applicable to a wide class of security applications for analyzing large datasets.

ZOU Futai,TAN Yue,WANG Lin,JIANG Yongkang

DOI: https://doi.org/10.11959/j.issn.1000-436x.2021082

2021-01-01

Abstract:In order to solve the problems of botnets’ strong concealment and difficulty in identification, and improve the detection accuracy of botnets, a botnet detection method based on generative adversarial networks was proposed.By reorganizing the data packets in the botnet traffic into streams, the traffic statistics characteristics in the time dimension and the traffic image characteristics in the space dimension were extracted respectively.Then with the botnet traffic feature generation algorithm based on generative adversarial network, botnet feature samples were produced in the two dimensions.Finally combined with the application of deep learning in botnet detection scenarios, a botnet detection model based on DCGAN and a botnet detection model based on BiLSTM-GAN were proposed.Experiments show that the proposed model improves the botnet detection ability and generalization ability.

Ruidong Chen,Weina Niu,Xiaosong Zhang,Zhongliu Zhuo,Fengmao Lv

DOI: https://doi.org/10.1155/2017/4934082

IF: 1.43

2017-01-01

Mathematical Problems in Engineering

Abstract:A botnet is one of the most grievous threats to network security since it can evolve into many attacks, such as Denial-of-Service (DoS), spam, and phishing. However, current detection methods are inefficient to identify unknown botnet. The high-speed network environment makes botnet detection more difficult. To solve these problems, we improve the progress of packet processing technologies such as New Application Programming Interface (NAPI) and zero copy and propose an efficient quasi-real-time intrusion detection system. Our work detects botnet using supervised machine learning approach under the high-speed network environment. Our contributions are summarized as follows: (1) Build a detection framework using PF_ RING for sniffing and processing network traces to extract flow features dynamically. (2) Use random forest model to extract promising conversation features. (3) Analyze the performance of different classification algorithms. The proposed method is demonstrated by well-known CTU13 dataset and nonmalicious applications. The experimental results show our conversation-based detection approach can identify botnet with higher accuracy and lower false positive rate than flow-based approach.

Jun Zhao,Xudong Liu,Qiben Yan,Bo Li,Minglai Shao,Hao Peng

DOI: https://doi.org/10.1016/j.ins.2020.03.113

IF: 8.1

2020-10-01

Information Sciences

Abstract:<p>Bot detection is a fundamental and crucial task for tracing and mitigating cyber threats in the Internet. This paper aims to address two major limitations of current bot detection systems. First, existing flow-based bot detection approaches ignore structural information of botnets, which lead to false detection. Second, they cannot identify the interactive behavioral patterns among heterogeneous botnet objects. In this paper, we propose a novel bot detection framework, namely Bot-AHGCN, which models fine-grained network flow objects (e.g., IP, response) as a multi-attributed heterogeneous graph and transforms bot detection problem into a semi-supervised node classification task on the graph. Particularly, we first build a multi-attributed heterogeneous information network (AHIN) to model the interdependent relationships among botnet objects. Second, we present a weight-learning based node embedding method, which learns the interactive behavioral patterns among bots and integrates them into weighted similarity graphs. Finally, we perform graph convolution on the learned similarity graphs to characterize more comprehensive and discriminative features of bots, and feed them into a forward neural network to identify bots. The overall experimental results on two real-world datasets confirm that Bot-AHGCN outperforms the existing state-of-the-art approaches, and presents better interpretability by introducing meaningful meta-paths and meta-graphs.</p>

computer science, information systems

Guangli Wu,Xingyue Wang,Qian Lu,Hanlin Zhang

DOI: https://doi.org/10.1016/j.eswa.2024.123384

IF: 8.5

2024-02-11

Expert Systems with Applications

Abstract:A botnet is a group of hijacked devices that conduct various cyberattacks, which is one of the most dangerous threats on the internet. Individuals or organizations can effectively detect botnets by analyzing abnormal behaviors in network traffic. Existing works focus on extracting the deterministic behavioral features, which highly rely on statistical features and existing botnet interaction structures, resulting in unsatisfactory detection accuracy, especially for unknown botnet traffic. The botnet detection method based on the original traffic bytes has more advantages in this regard, especially the use of mining payload information in the traffic to enhance the identification of abnormal botnet behavior is the focus of this study. In this paper, we propose a dual-mode botnet detection scheme, which takes the original traffic bytes as the object, one is to encode the implicit semantic relationship between the traffic bytes through a multi-layer Transformer encoder, and the other is the network traffic Image representation, the spatial relationship of traffic bytes is captured by a deep neural network, and then botnet detection is achieved by maximizing the mutual information between the two. We conduct comprehensive experiments with both known botnets and unknown botnets to evaluate our scheme. Experimental results show that for known botnets, our approach achieves 99.84% and 91.92% detection accuracy with CTU-13 and ISCX-2014 datasets, respectively, which is 3.04% and 2.54% more accurate compared with the state-of-art (DL). For unknown datasets, our scheme is 10.19% more accurate than the existing traffic representation.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Shuhao Li,Xiaochun Yun,Zhiyu Hao,Yongzheng Zhang,Xiang Cui,Yipeng Wang

DOI: https://doi.org/10.1007/978-3-642-30436-1_22

2012-01-01

Abstract:In recent years, widely spreading botnets in social networks are becoming a major security threat to both social networking services and the privacy of their users. In order to have a better understanding of the dynamics of these botnets, defenders should model the process of their propagation. However, previous studies on botnet propagation model have tended to focus solely on characterizing the vulnerability propagation on one infection domain, and left two key properties (cross-domain mobility and user dynamics) untouched. In this paper, we formalize a new propagation model to reveal the general infection process of social engineering botnets in multiple social networks. This proposed model is based on stochastic process, and investigates two important factors involved in botnet propagation: (i) bot spreading across multiple domains, and (ii) user behaviors in social networks. Furthermore, with statistical data obtained from four real-world social networks, a botnet simulation platform is built based on OMNeT++ to test the validity of our model. The experimental results indicate that our model can accurately predict the infection process of these new advanced botnets with less than 5% deviation.

Ta-Chun Lo,Jyh-Biau Chang,Shao-Hsuan Lo,Bai-Jun Kao,Ce-Kuen Shieh

DOI: https://doi.org/10.1109/access.2024.3401853

IF: 3.9

2024-05-24

IEEE Access

Abstract:Botnets pose a significant challenge to network security but are difficult to detect because of their dynamic and evolving nature, which limits the effectiveness of conventional supervised neural network detection methods. To address this problem, the present study proposes a novel neural network-based self-training framework for botnet detection, in which pseudo-labels are generated from unlabeled data by a trained classifier, which is iteratively refined over time using a combined dataset containing both training and pseudo-labeled data. Although not all of the generated pseudo-labels are applicable to every botnet, the self-training framework can label unseen botnets with behaviors similar to those of known botnets with high confidence. Several strategies are proposed for enhancing the robustness of the classification performance by minimizing the number of incorrect pseudo-labels, mitigating the effects of erroneous pseudo-labels on the overall performance of the network, and optimizing the proportion of unlabeled data for labeling. Experiments conducted on both synthetic datasets confirm the superiority of the proposed method over the base model, particularly when the training data constitutes only a small portion of the total amount dataset. Subsequent experiments also demonstrate the efficacy of the framework in successfully detecting unseen botnet variants and its commendable performance in real-world campus network traffic.

computer science, information systems,telecommunications,engineering, electrical & electronic

Meng Xiaoyuan,Lang bo,Yanxi Liu,Yuhao Yan

2024-03-25

Abstract:Nowadays, botnets have become one of the major threats to cyber security. The characteristics of botnets are mainly reflected in bots network behavior and their intercommunication relationships. Existing botnet detection methods use flow features or topology features individually, which overlook the other type of feature. This affects model performance. In this paper, we propose a botnet detection model which uses graph convolutional network (GCN) to deeply fuse flow features and topology features for the first time. We construct communication graphs from network traffic and represent nodes with flow features. Due to the imbalance of existing public traffic flow datasets, it is impossible to train a GCN model on these datasets. Therefore, we use a balanced public communication graph dataset to pretrain a GCN model, thereby guaranteeing its capacity for identify topology features. We then feed the communication graph with flow features into the pretrained GCN. The output from the last hidden layer is treated as the fusion of flow and topology features. Additionally, by adjusting the number of layers in the GCN network, the model can effectively detect botnets under both C2 and P2P structures. Validated on the public ISCX2014 dataset, our approach achieves a remarkable recall rate 92.90% and F1-score 92.76% for C2 botnets, alongside recall rate 94.66% and F1-score of 92.35% for P2P botnets. These results not only demonstrate the effectiveness of our method, but also outperform the performance of the currently leading detection models.

Cryptography and Security

Weiming Li,Songlin Xie,Jie Luo,Xiaodong Zhu

DOI: https://doi.org/10.2991/icsem.2013.100

2013-01-01

Abstract:How to detect Botnet has become a very important problem in security network. The existent detection methods based on network traffic and host behaviors can’t handle the emergency Botnets. In this paper we present an optimized method to analyze the similarity and time period of Botnets behaviors. In the end, our method gets an effective result. Our method uses the IDS-like architecture, which develops six specific components to detect six important Botnets abnormal behaviors. And it builds correlation rules to calculate match score. Through the experiments described in the paper, we can see that our method can not only detect already known Botnets precisely, but also detect unknown Botnets to some extent. The experiments prove that our method is effective and it has some advantages compared with other methods. At last, the paper proposes the future direction and the points that need to be improved.

Binbin Wang,Zhitang Li,Dong Li,Feng Liu,Hao Chen

DOI: https://doi.org/10.1109/EBISS.2010.5473532

2010-01-01

Abstract:Botnet has become a prevalent platform for malicious attacks, which poses a significant threat to Internet security. Recently, botnets are inclined to utilize HTTP to route their command and control (C&C) communication instead of using the protocol Internet Relay Chat (IRC). And these web-based C&C bots try to blend into normal HTTP traffic, which makes them more difficult to be identified. In this work, we propose an automatic approach to identify web-based C&C bots by modeling the essential network behavior of web-based bots in supervised network. Experimental results show the proposed approach is very efficient and can detect web-base bots with low false positive ratio.

Peng Hui Li,Jie Xu,Zhong Yi Xu,Su Chen,Bo Wei Niu,Jie Yin,Xiao Feng Sun,Hao Liang Lan,Lu Lu Chen

DOI: https://doi.org/10.32604/cmc.2022.029969

2022-01-01

Abstract:At present, the severe network security situation has put forward high requirements for network security defense technology. In order to automate botnet threat warning, this paper researches the types and characteristics of Botnet. Botnet has special characteristics in attributes such as packets, attack time interval, and packet size. In this paper, the attack data is annotated by means of string recognition and expert screening. The attack features are extracted from the labeled attack data, and then use K-means for cluster analysis. The clustering results show that the same attack data has its unique characteristics, and the automatic identification of network attacks is realized based on these characteristics. At the same time, based on the collection and attribute extraction of Botnet attack data, this paper uses RF, GBM, XGBOOST and other machine learning models to test the warning results, and automatically analyzes the attack by importing attack data. In the early warning analysis results, the accuracy rates of different models are obtained. Through the descriptive values of the three accuracy rates of Accuracy, Precision, and F1_Score, the early warning effect of each model can be comprehensively displayed. Among the five algorithms used in this paper, three have an accuracy rate of over 90%. The three models with the highest accuracy are used in the early warning model. The research shows that cyberattacks can be accurately predicted. When this technology is applied to the protection system, accurate early warning can be given before a network attack is launched.

computer science, information systems,materials science, multidisciplinary

Zhicheng Liu,Xiaochun Yun,Yongzheng Zhang,Yipeng Wang

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2019.00027

2019-01-01

Abstract:Botnet is a part of the most destructive threats to network security and is often used in malicious activities. DGA-based botnet, which uses Domain Generation Algorithm (DGA) to evade detection, has become the main channel to carry out online crimes. In the past, many detection mechanisms focusing on domain features are proposed, but the potential problem is that the features extracting only from the domain names are insufficient and the enemies could easily forge them to disturb detection. In this paper, we propose a novel approach named CCGA to detect DGA-based botnet by leveraging the concerted group behaviors of infected hosts on DNS traffic. The analysis of group behaviors enhances the robustness of our system irrespective of various evasion techniques, such as fake-querying, packet encryption and noise generated by normal users. The proposed scheme associates hosts together in an unsupervised way and then uses supervised learning to distinguish whether it's a botnet. Our system is evaluated in a large ISP over two days and compared with the state of art FANCI. Experimental results show that CCGA can accurately and effectively detect DGA-based botnet in a real-world network. Our system also catches 5 unknown botnet groups and provides a novel method to verify them. Therefore, the system will provide an unique perspective on the current state of globally distributed malware, particularly the ones that use DNS.