An Active and Dynamic Botnet Detection Approach to Track Hidden Concept Drift

  • Zhi Wang
  • Meiqi Tian
  • Chunfu Jia
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10631)


Nowadays, machine learning has been widely used as a core component in botnet detection systems. However, the assumption of machine learning algorithm is that the underlying botnet data distribution is stable for training and testing, which is vulnerable to well-crafted concept drift attacks, such as mimicry attacks, gradient descent attacks, poisoning attacks and so on. In this paper we present an active and dynamic learning approach to mitigate botnet hidden concept drift attacks. Instead of passively waiting for false negative, this approach could actively find the trend of hidden concept drift attacks using statistical p-values before performance starts to degenerate. And besides periodically retraining, this approach could dynamically reweight predictive features to track the trend of underlying concept drift. We test this approach on the public CTU botnet captures provided by malware capture facility project. The experiment results show that this approach could actively get insights of botnet hidden concept drift, and dynamically evolve to avoid model aging.


Malware Botnet detection Concept drift Model aging horizontal correlation 



This material is based upon the work supported by the National Natural Science Foundation of China under the Grant No. 61300242 and No. 61772291, and by the Tianjin Research Program of Application Foundation and Advanced Technology under the Grant No. 15JCQNJC41500 and No. 17JCZDJC30500, and by the Open Project Foundation of Information Security Evaluation Center of Civil Aviation, Civil Aviation University of China under the Grant No. CAAC-ISECCA-201701 and No. CAAC-ISECCA-201702, and by the National Key Basic Research Program of China under the Grant No. 2013CB834204.


  1. 1.
    Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., Kallitsis, M., Kumar, D., Lever, C., Ma, Z., Mason, J., Menscher, D., Seaman, C., Sullivan, N., Thomas, K., Zhou, Y.: Understanding the mirai botnet. In: 26th USENIX Security Symposium (USENIX Security 2017), Vancouver, BC. USENIX Association, August 2017Google Scholar
  2. 2.
    AV-Test: Malware statistics, September 2017.
  3. 3.
    Demontis, A., Melis, M., Biggio, B., Maiorca, D., Arp, D., Rieck, K., Corona, I., Giacinto, G., Roli, F.: Yes, machine learning can be more secure! A case study on android malware detection. IEEE Trans. Dependable Secure Comput. (2017)Google Scholar
  4. 4.
    Garca, S., Grill, M., Stiborek, J., Zunino, A.: An empirical comparison of botnet detection methods. Comput. Secur. 45, 100–123 (2014)CrossRefGoogle Scholar
  5. 5.
    Garca, S., Zunino, A., Campo, M.: Survey on network-based botnet detection methods. Secur. Commun. Netw. 7, 878–903 (2014)CrossRefGoogle Scholar
  6. 6.
    Ye, Y., Li, T., Adjeroh, D., Iyengar, S.S.: A survey on malware detection using data mining techniques. ACM Comput. Surv. 50, 41:1–41:40 (2017)CrossRefGoogle Scholar
  7. 7.
    Zeng, Y., Shin, K.G., Hu, X.: Design of SMS commanded-and-controlled and P2P-structured mobile botnets. In: Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks, WISEC 2012, New York, NY, USA, pp. 137–148. ACM (2012)Google Scholar
  8. 8.
    Singh, K., Sangal, S., Jain, N., Traynor, P., Lee, W.: Evaluating Bluetooth as a medium for botnet command and control. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 61–80. Springer, Heidelberg (2010). Scholar
  9. 9.
    Krombholz, K., Hobel, H., Huber, M., Weippl, E.: Advanced social engineering attacks. J. Inf. Secur. Appl. 22, 113–122 (2015). Special Issue on Security of Information and NetworksGoogle Scholar
  10. 10.
    Yin, T., Zhang, Y., Li, S.: DR-SNBOT: a social network-based botnet with strong destroy-resistance. In: IEEE International Conference on Networking, Architecture, and Storage, pp. 191–199 (2014)Google Scholar
  11. 11.
    Kartaltepe, E.J., Morales, J.A., Xu, S., Sandhu, R.: Social network-based botnet command-and-control: emerging threats and countermeasures. In: Proceedings of Applied Cryptography and Network Security, International Conference, ACNS 2010, Beijing, China, 22–25 June 2010, pp. 511–528 (2010)CrossRefGoogle Scholar
  12. 12.
    Šrndic, N., Laskov, P.: Practical evasion of a learning-based classifier: a case study. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP 2014, Washington, DC, USA, pp. 197–211. IEEE Computer Society (2014)Google Scholar
  13. 13.
    Biggio, B., Pillai, I., Rota Bulò, S., Ariu, D., Pelillo, M., Roli, F.: Is data clustering in adversarial settings secure? In: Proceedings of the 2013 ACM Workshop on Artificial Intelligence and Security, AISec 2013, New York, NY, USA, pp. 87–98. ACM (2013)Google Scholar
  14. 14.
    Biggio, B., Rieck, K., Ariu, D., Wressnegger, C., Corona, I., Giacinto, G., Roli, F.: Poisoning behavioral malware clustering. In: Proceedings of the 2014 Workshop on Artificial Intelligent and Security Workshop, AISec 2014, New York, NY, USA, pp. 27–36. ACM (2014)Google Scholar
  15. 15.
    Tramèr, F., Zhang, F., Juels, A., Reiter, M.K., Ristenpart, T.: Stealing machine learning models via prediction APIs. In: 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, pp. 601–618. USENIX Association (2016)Google Scholar
  16. 16.
    Kantchelian, A., Afroz, S., Huang, L., Islam, A.C., Miller, B., Tschantz, M.C., Greenstadt, R., Joseph, A.D., Tygar, J.D.: Approaches to adversarial drift. In: Proceedings of the 2013 ACM Workshop on Artificial Intelligence and Security, AISec 2013, New York, NY, USA, pp. 99–110. ACM (2013)Google Scholar
  17. 17.
    Srndic, N., Laskov, P.: Practical evasion of a learning-based classifier: a case study. In: Proceedings of the 35th IEEE Symposium on Security and Privacy (S&P), San Jose, CA, May 2014Google Scholar
  18. 18.
    Arce, I.: The weakest link revisited. IEEE Secur. Priv. 1, 72–76 (2003)CrossRefGoogle Scholar
  19. 19.
    Singh, K., Srivastava, A., Giffin, J., Lee, W.: Evaluating emails feasibility for botnet command and control. In: IEEE International Conference on Dependable Systems and Networks with FTCS and DCC, Anchorage, AK, pp. 376–385. IEEE, June 2008Google Scholar
  20. 20.
    Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, New York, NY, USA, pp. 255–264. ACM (2002)Google Scholar
  21. 21.
    Smutz, C., Stavrou, A.: Malicious PDF detection using metadata and structural features. In: Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC 2012, New York, NY, USA, pp. 239–248. ACM (2012)Google Scholar
  22. 22.
    Deo, A., Dash, S.K., Suarez-Tangil, G., Vovk, V., Cavallaro, L.: Prescience: probabilistic guidance on the retraining conundrum for malware detection. In: Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security, AISec 2016, New York, NY, USA, pp. 71–82. ACM (2016)Google Scholar
  23. 23.
    Jordaney, R., Sharad, K., Dash, S.K., Wang, Z., Papini, D., Nouretdinov, I., Cavallaro, L.: Transcend: detecting concept drift in malware classification models. In: Proceedings of the 26th USENIX Security Symposium (USENIX Security 2017) (2017)Google Scholar
  24. 24.
    Tegeler, F., Fu, X., Vigna, G., Kruegel, C.: Botfinder: finding bots in network traffic without deep packet inspection. In: Proceedings of the 8th International Conference on Emerging Networking Experiments and Technologies (CoNEXT 2012), France, pp. 349–360. ACM, New York, December 2012Google Scholar
  25. 25.
    van der Maaten, L., Hinton, G.: Visualizing data using t-SNE. J. Mach. Learn. Res. 9, 2579–2605 (2008)zbMATHGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.College of Computer and Control EngineeringNankai UniversityTianjinChina

Personalised recommendations