On the Effectiveness of Different Botnet Detection Approaches

  • Fariba Haddadi
  • Duc Le Cong
  • Laura Porter
  • A. Nur Zincir-Heywood
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9065)

Abstract

Botnets represent one of the most significant threats to cyber security. They employ different techniques, topologies and communication protocols at different stages of their lifecycle. Hence, identifying botnets has become very challenging, especially given that they can change their methodology at any time. In this work, we investigate four different botnet detection approaches, distinguished by the technique used and the type of data employed. Two of them are public rule-based systems (BotHunter and Snort) and the other two are data-mining-based techniques with different feature extraction methods (packet-payload-based and traffic-flow-based). The performance of these systems ranges from 0% to 100% on the five publicly available botnet data sets employed in this work. We discuss the evaluation results for these different systems, their features and the models learned by the data-mining-based techniques.
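The abstract contrasts two feature extraction methods for the data-mining-based detectors, packet-payload-based and traffic-flow-based, without showing what either produces. The following Python sketch is an added illustration, not code from the paper or its authors: it groups packets into bidirectional flows keyed on the 5-tuple and computes, for each flow, a small set of flow features (timing and volume, usable even when the channel is encrypted) beside a small set of payload features (byte entropy, printable ratio, frequent byte bigrams, which need cleartext). The `Packet` record, the feature names and the sample trace (one HTTP exchange and one periodic beacon to a fixed host) are constructed for the example and are not the paper's feature set or data sets.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


# Constructed packet record: a minimal stand-in for a decoded pcap packet
# (assumed format for this example, not the paper's).
@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    payload: bytes   # transport-layer payload only


def flow_key(p):
    """Bidirectional 5-tuple: sort the endpoints so both directions of a
    conversation map to the same flow, as bidirectional flow exporters do."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto, a, b) if a <= b else (p.proto, b, a)


def flow_features(pkts):
    """Traffic-flow features: derived from headers and timing only,
    so they survive payload encryption."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    initiator = (pkts[0].src, pkts[0].sport)      # first packet defines "forward"
    fwd = [p for p in pkts if (p.src, p.sport) == initiator]
    bwd = [p for p in pkts if (p.src, p.sport) != initiator]
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]   # inter-arrival times
    return {
        "duration": pkts[-1].ts - pkts[0].ts,
        "fwd_pkts": len(fwd),
        "bwd_pkts": len(bwd),
        "fwd_bytes": sum(len(p.payload) for p in fwd),
        "bwd_bytes": sum(len(p.payload) for p in bwd),
        "mean_iat": sum(gaps) / len(gaps) if gaps else 0.0,
        "max_iat": max(gaps) if gaps else 0.0,
    }


def payload_features(pkts, top=3):
    """Packet-payload features: content statistics over the concatenated
    initiator-side payload. These lose their value once C&C is encrypted."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    initiator = (pkts[0].src, pkts[0].sport)
    data = b"".join(p.payload for p in pkts if (p.src, p.sport) == initiator)
    if not data:
        return {"entropy": 0.0, "printable_ratio": 0.0, "top_bigrams": []}
    counts = Counter(data)
    entropy = -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())
    printable = sum(1 for byte in data if 0x20 <= byte <= 0x7E)
    bigrams = Counter(zip(data, data[1:]))     # consecutive byte pairs
    return {
        "entropy": entropy,                    # bits per byte, 0..8
        "printable_ratio": printable / len(data),
        "top_bigrams": bigrams.most_common(top),
    }


def extract(packets):
    """Group packets into bidirectional flows and compute both feature
    families for each flow."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    return {k: {**flow_features(v), **payload_features(v)} for k, v in flows.items()}


# Constructed sample trace (not captured data): one HTTP request/response
# and one "beacon" that sends a fixed 4-byte binary payload every 60 s.
CLIENT, WEB, C2 = "10.0.0.5", "93.184.216.34", "203.0.113.9"
SAMPLE = [
    Packet(0.00, CLIENT, 40000, WEB, 80, "tcp",
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet(0.05, WEB, 80, CLIENT, 40000, "tcp",
           b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
]
for t in (0.0, 60.0, 120.0):
    SAMPLE.append(Packet(t, CLIENT, 51000, C2, 8080, "tcp", b"\xaa\x01\x02\x03"))
    SAMPLE.append(Packet(t + 1.0, C2, 8080, CLIENT, 51000, "tcp", b"\x55"))

HTTP_KEY = flow_key(SAMPLE[0])
BEACON_KEY = flow_key(SAMPLE[2])

if __name__ == "__main__":
    for key, feats in extract(SAMPLE).items():
        print(key)
        for name, value in feats.items():
            print(f"  {name:16} {value}")
```

Run on the sample, the beacon flow stands out on the flow side (three forward packets of equal size, a maximum inter-arrival gap of 59 s, near-zero bytes back) and on the payload side (entropy 2.0 bits, printable ratio 0.0), while the HTTP flow has a high printable ratio and a single short exchange; a flow-based classifier would still see the first set of features if the beacon were wrapped in TLS, a payload-based one would not.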

Keywords

Feature extraction, traffic analysis, botnet detection

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Fariba Haddadi (1)
  • Duc Le Cong (1)
  • Laura Porter (1)
  • A. Nur Zincir-Heywood (1)
  1. Faculty of Computer Science, Dalhousie University, Halifax, Canada