On the Effectiveness of Different Botnet Detection Approaches
Botnets represent one of the most significant threats to cyber security. They employ different techniques, topologies and communication protocols at different stages of their lifecycle. Hence, identifying botnets has become very challenging, especially given that they can change their methodology at any time. In this work, we investigate four different botnet detection approaches, distinguished by the technique used and the type of data employed. Two of them are public rule-based systems (BotHunter and Snort) and the other two are data-mining-based techniques with different feature extraction methods (packet-payload-based and traffic-flow-based). The performance of these systems ranges from 0% to 100% on the five publicly available botnet data sets employed in this work. We discuss the evaluation results for these different systems, their features, and the models learned by the data-mining-based techniques.
Keywords: Feature extraction, traffic analysis, botnet detection
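The abstract contrasts rule-based detection (BotHunter, Snort) with data-mining approaches fed either payload-based or flow-based features. As an added illustration, not code from the paper or from either tool, the following Python shows what each of those inputs looks like on constructed packet records: per-flow statistics of the kind a flow exporter produces, byte-level payload features, and a toy content-signature match standing in for a Snort-style rule. The beacon heuristic and its thresholds, the IP addresses, the packet timings and the signature pattern are all assumptions made for this example.

```python
"""Flow-based vs payload-based features for botnet traffic, plus a toy
signature check. Added example on constructed packets; not the paper's code."""
import math
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    """Minimal packet record (constructed for the example, not read from a pcap)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


def flow_key(p: Packet):
    """Bidirectional flow key: both directions of a 5-tuple map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def flow_features(packets):
    """Per-flow statistics of the kind a flow exporter emits; no payload is needed."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    feats = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p.ts)
        first = pkts[0]                       # initiator = sender of the first packet
        fwd = [p for p in pkts if (p.src, p.sport) == (first.src, first.sport)]
        sizes = [len(p.payload) for p in pkts]
        fwd_ts = [p.ts for p in fwd]
        fwd_iat = [b - a for a, b in zip(fwd_ts, fwd_ts[1:])]  # client-side inter-arrival times
        feats[key] = {
            "duration": pkts[-1].ts - first.ts,
            "n_packets": len(pkts),
            "n_bytes": sum(sizes),
            "mean_size": mean(sizes),
            "fwd_ratio": len(fwd) / len(pkts),
            "fwd_mean_iat": mean(fwd_iat) if fwd_iat else 0.0,
            "fwd_std_iat": pstdev(fwd_iat) if fwd_iat else 0.0,
        }
    return feats


def looks_like_beacon(feat, max_cv=0.2, min_fwd=3):
    """Flow-only heuristic: very regular client-to-server timing suggests C&C polling.
    The thresholds are assumptions for this example, not values from the paper."""
    n_fwd = round(feat["fwd_ratio"] * feat["n_packets"])
    if n_fwd < min_fwd or feat["fwd_mean_iat"] <= 0:
        return False
    return feat["fwd_std_iat"] / feat["fwd_mean_iat"] < max_cv


def payload_features(payload: bytes):
    """Payload-derived features: length, byte entropy and printable-byte ratio."""
    n = len(payload)
    if n == 0:
        return {"len": 0, "entropy": 0.0, "printable": 0.0}
    counts = defaultdict(int)
    for b in payload:
        counts[b] += 1
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    printable = sum(1 for b in payload if 32 <= b < 127) / n
    return {"len": n, "entropy": entropy, "printable": printable}


def signature_match(payload: bytes, signatures):
    """Rule-based check in the spirit of a Snort 'content' match (toy, not Snort's engine)."""
    return [name for name, pat in signatures.items() if pat in payload]


# Constructed traffic: one flow polls a server every 60 s with a fixed request
# and gets a short reply; the other is a bursty, irregular web-style session.
CLIENT, C2, WEB = "10.0.0.5", "203.0.113.9", "198.51.100.7"
SAMPLE_PACKETS = [
    *[Packet(60.0 * i, CLIENT, 40000, C2, 8080, "tcp", b"GET /gate.php HTTP/1.1") for i in range(4)],
    *[Packet(60.0 * i + 0.1, C2, 8080, CLIENT, 40000, "tcp", b"OK") for i in range(4)],
    Packet(0.0, CLIENT, 40001, WEB, 443, "tcp", bytes(200)),
    Packet(0.02, CLIENT, 40001, WEB, 443, "tcp", bytes(120)),
    Packet(0.04, WEB, 443, CLIENT, 40001, "tcp", bytes(1400)),
    Packet(0.05, WEB, 443, CLIENT, 40001, "tcp", bytes(1400)),
    Packet(0.5, CLIENT, 40001, WEB, 443, "tcp", bytes(90)),
    Packet(0.55, CLIENT, 40001, WEB, 443, "tcp", bytes(60)),
    Packet(0.6, WEB, 443, CLIENT, 40001, "tcp", bytes(900)),
]
SIGNATURES = {"poll_gate": b"gate.php"}  # constructed pattern, assumed for the example


def classify(packets=SAMPLE_PACKETS, signatures=SIGNATURES):
    """Run both approaches per flow: the flow-feature heuristic and payload signature hits."""
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[flow_key(p)].append(p)
    verdicts = {}
    for key, feat in flow_features(packets).items():
        hits = sorted({n for p in by_flow[key] for n in signature_match(p.payload, signatures)})
        verdicts[key] = {"beacon": looks_like_beacon(feat), "signatures": hits}
    return verdicts


if __name__ == "__main__":
    for key, verdict in classify().items():
        print(key, verdict)
```

The point of running both paths side by side is the one the abstract makes: the signature fires only because the polling request happens to carry a known string, and stops firing the moment the payload is changed or encrypted, while the flow-based heuristic sees only timing and sizes and therefore keeps working on encrypted traffic but needs enough packets per flow before it can say anything.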