2006, Proceedings. 2006 31st IEEE Conference on Local Computer Networks
To date, techniques to counter cyber-attacks have predominantly been reactive; they focus on monitoring network traffic, detecting anomalies and cyber-attack traffic patterns, and, a posteriori, combating the cyber-attacks and mitigating their effects. Contrary to such approaches, we advocate proactively detecting and identifying botnets prior to their being used as part of a cyber-attack [12]. In this paper, we present our work on using machine learning-based classification techniques to identify the command and control (C2) traffic of IRC-based botnets: compromised hosts that are collectively commanded using Internet Relay Chat (IRC). We split this task into two stages: (I) distinguishing between IRC and non-IRC traffic, and (II) distinguishing between botnet and real IRC traffic. For Stage I, we compare the performance of J48, naive Bayes, and Bayesian network classifiers, identify the features that achieve good overall classification accuracy, and determine the classification sensitivity to the training set size. While sensitive to the training data and the attributes used to characterize communication flows, machine learning-based classifiers show promise in identifying IRC traffic. Using classification in Stage II is trickier, since accurately labeling IRC traffic as botnet and non-botnet is challenging. We are currently exploring labeling flows as suspicious and non-suspicious based on telltales of hosts being compromised.
2016 IEEE Trustcom/BigDataSE/ISPA, 2016
Fourth International Conference on Advances in Computing, Electronics and Communication - ACEC 2016
While high-speed computer networking and the Internet brought great convenience, a number of security challenges also emerged with these technologies. Amongst different computer network security threats, like viruses and worms, botnets have become one of the most malicious threats over the Internet. In this paper, we describe key research challenges in developing effective intrusion detection systems for botnet command and control traffic detection. Then, we outline a new approach to address such challenges, which is based on voting between intrusion detection methods to collaboratively identify command and control traffic. Each detection method analyzes the network traffic to detect one technique used for command and control communications. Four detection methods are initially investigated: malicious IP address, malicious SSL certificate, domain flux and Tor connection detection. Initial analysis shows that the proposed voting-based intrusion detection significantly reduces the number of false positive alerts.
Corr, 2010
Botnets are the most widespread and common element of today's cyber attacks, resulting in serious threats to our network assets and organizations' properties. Botnets are collections of compromised computers (Bots) which are remotely controlled by their originator (BotMaster) under a common Command-and-Control (C&C) infrastructure. They are used to distribute commands to the Bots for malicious activities such as distributed denial-of-service (DDoS) attacks, spam and phishing. Most of the existing Botnet detection approaches concentrate only on particular Botnet command and control (C&C) protocols (e.g., IRC, HTTP) and structures (e.g., centralized), and can become ineffective as Botnets change their structure and C&C techniques. In this paper we first provide a taxonomy of Botnet C&C channels and evaluate well-known protocols which are being used in each of them. Then we propose a new general detection framework which currently focuses on P2P-based and IRC-based Botnets. This proposed framework is based on the definition of Botnets. A Botnet has been defined as a group of bots that perform similar communication and malicious activity patterns within the same Botnet. The point that distinguishes our proposed detection framework from many other similar works is that there is no need for prior knowledge of Botnets such as Botnet signatures.
The Role of Machine Learning in Botnet Detection, 2016
Over the past ten to fifteen years botnets have gained the attention of researchers worldwide. A great deal of effort has been given to developing systems that would efficiently and effectively detect the presence of a botnet. This unique problem saw researchers applying machine learning (ML) to solve it. In this paper we provide a brief overview of the different machine learning (ML) methods and the part they play in botnet detection. The main aim of this paper is to clearly define the role different ML methods play in Botnet detection. A clear understanding of these roles is critical for developing effective and efficient real-time online detection approaches and more robust models.
IRJET, 2020
The growth of the Internet of Things leads to a rise in botnet attacks. Botnets are groups of computers connected to each other to perform any number of respective tasks to keep a website working. One of the most powerful ways to pursue any computationally challenging task is to leverage the untapped processing power of a very large number of everyday end points. The idea behind the botnet is that a collection of workstations and servers distributed over the public Internet serves the agenda of a malicious or criminal entity. The foremost target of the botnet is to attack as many devices as possible, along with spreading, most optimistically, through malicious code. Botnet attacks infect all kinds of technology; rudimentary Internet security suites, firewalls and antivirus provide some protection. We propose dynamic analysis, looking for signs of infection in behavioural analysis along with the network and picking up unusual network traffic. Botnet attack symptoms appear at the individual and network levels. In this paper, the performance of network datasets has been compared to predict accuracy and anomalies on the network. The machine learning algorithm used here is Logistic Regression (LR). Our experiments show that our approach can distinguish benign traffic from junk traffic effectively and reaches an accuracy of 99.98%.
The biggest internet security threat is the rise of Botnets having modular and flexible structures. The combined power of thousands of remotely controlled computers increases the speed and severity of attacks. In this paper, we provide a comparative analysis of machine-learning based classification of botnet command & control traffic for proactive detection of Peer-to-Peer (P2P) botnets. Our simulation results show that our method is very effective, having very good test accuracy and very little training time. We compare the performance of Decision Tree (C4.5), Bayesian Network and Linear Support Vector Machines using performance metrics like accuracy, sensitivity, positive predictive value (PPV) and F-Measure. We also provide a comparative analysis of the machine learning algorithms using AUC (area under ROC curve). Our results show that machine learning algorithms produce very promising results in identifying suspicious P2P bot flows.
Botnets are the technological backbone supporting a myriad of attacks, including identity stealing, organizational spying, DoS, SPAM, government-sponsored attacks and spying on political dissidents among others. The research community works hard creating detection algorithms for botnet network traffic. These algorithms have been partially successful, but are difficult to reproduce and verify, being often commercialized. However, the advances in machine learning algorithms and the access to better botnet datasets start showing promising results. The shift of the detection techniques to behavioral-based models has proved to be a better approach to the analysis of botnet patterns. However, the current knowledge of the botnet actions and patterns does not seem to be deep enough to create adequate traffic models that could be used to detect botnets in real networks. This thesis proposes three new botnet detection methods and a new model of botnet behavior that are based in a deep understand...
Computers & Security, 2010
Keywords: Traffic analysis; Machine learning; IT security.
We develop and discuss automated and self-adaptive systems for detecting and classifying botnets based on machine learning techniques and integration of human expertise. The proposed concept is purely passive and is based on analyzing information collected at three levels: (i) the payload of single packets received, (ii) observed access patterns to a darknet at the level of network traffic, and (iii) observed contents of TCP/IP traffic at the protocol level.
Botnets are now recognized as one of the most serious security threats. In contrast to previous malware, botnets have the characteristic of a command and control (C&C) channel. Botnets also often use existing common protocols, e.g., IRC, HTTP, and in protocol-conforming manners. This makes the detection of botnet C&C a challenging problem. In this paper, we propose an approach that uses network-based anomaly detection to identify botnet C&C channels in a local area network without any prior knowledge of signatures or C&C server addresses. This detection approach can identify both the C&C servers and infected hosts in the network. Our approach is based on the observation that, because of the pre-programmed activities related to C&C, bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity. For example, they engage in coordinated communication, propagation, and attack and fraudulent activities. Our prototype system, BotSniffer, can capture this spatial-temporal correlation in network traffic and utilize statistical algorithms to detect botnets with theoretical bounds on the false positive and false negative rates. We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate.
Botnets are becoming the most significant threat to the Internet world. A botnet is the automated process of attackers that interacts with network traffic and its services. Botnets are automatically updated into the compromised system to collect the authenticated information. In this paper, we present a model to extract some features which are helpful to analyze the behaviour of bot members present in the particular network traffic. On the other hand, various superior methods are evaluated to extract whether network traffic contains a bot or not. In particular, our evaluation shows whether the particular traffic contains any bot member in its communication.
2020 14th International Conference on Innovations in Information Technology (IIT), 2020
With the advancement of computers and technology, security threats are also evolving at a fast pace. Botnets are one such security threat which requires a high level of research and focus in order to be eliminated. In this paper, we use machine learning to detect Botnet attacks. Using the Bot-IoT and University of New South Wales (UNSW) datasets, four machine learning models based on four classifiers are built: Naïve Bayes, K-Nearest Neighbor, Support Vector Machine, and Decision Trees. Using 82,000 records from UNSW-NB15 dataset, the decision trees model has yielded the best overall results with 99.89% testing accuracy, 100% precision, 100% recall, and 100% F-score in detecting botnet attacks.
CLEI Electronic Journal, 2013
The possibilities that the management of a vast amount of computers and/or networks offers are attracting an increasing number of malware writers. In this document, the authors propose a methodology designed to detect malicious botnet traffic, based on the analysis of the packets that flow within the network. This objective is achieved by means of the extraction of the static characteristics of packets, which are subsequently analysed using supervised machine learning techniques focused on traffic labelling so as to proactively face the huge volume of information nowadays filters work with.
2008
Botnets are now the key platform for many Internet attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. Most of the current botnet detection approaches work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques. In this paper, we present a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses). We start from the definition and essential properties of botnets. We define a botnet as a coordinated group of malware instances that are controlled via C&C communication channels. The essential properties of a botnet are that the bots communicate with some C&C servers/peers, perform malicious activities, and do so in a similar or correlated way. Accordingly, our detection framework clusters similar communication traffic and similar malicious traffic, and performs cross cluster correlation to identify the hosts that share both similar communication patterns and similar malicious activity patterns. These hosts are thus bots in the monitored network. We have implemented our BotMiner prototype system and evaluated it using many real network traces. The results show that it can detect real-world botnets (IRC-based, HTTP-based, and P2P botnets including Nugache and Storm worm), and has a very low false positive rate.
Proceedings. 2006 31st IEEE Conference on Local Computer Networks, 2006
Systems are attempting to detect botnets by examining traffic content for IRC commands or by setting up honeynets. Our approach for detecting botnets is to examine flow characteristics such as bandwidth, duration, and packet timing looking for evidence of botnet command and control activity. We have constructed an architecture that first eliminates traffic that is unlikely to be a part of a botnet, classifies the remaining traffic into a group that is likely to be part of a botnet, then correlates the likely traffic to find common communications patterns that would suggest the activity of a botnet. Our results show that botnet evidence can be extracted from a traffic trace containing almost 9 million flows.
Botnets are known to be one of the most serious threats to the security of the Internet and the future of cyberspace. To fight against the formidable force of these cyber-criminal tools, numerous research works appeared in the literature that studied detection of Botnets. One of the most promising approaches is network-based detection using machine-learning tools. These methods can possibly provide detection of new unobserved bots. Most of these methods conventionally use features directly extracted from network flows to detect infected nodes. In our study, we propose the utilization of features that are extracted from a set of network flows in a fixed-length time interval. We argue that such features could better model the behavior of a botnet, thus providing higher detection rates and lower false alarms. Also in the study, the significant potential of our method in bot detection is demonstrated by providing results of multiple experiments and comparisons with similar methods.
Journal of Electrical and Computer Engineering, 2022
Today, botnets are the most common threat on the Internet and are used as the main attack vector against individuals and businesses. Cybercriminals have exploited botnets for many illegal activities, including click fraud, DDOS attacks, and spam production. In this article, we suggest a method for identifying the behavior of data traffic using machine learning classifiers including a genetic algorithm to detect botnet activities. By categorizing behavior based on time slots, we investigate the viability of detecting botnet behavior without seeing a whole network data flow. We also evaluate the efficacy of two well-known classification methods with reference to this data. We demonstrate experimentally, using existing datasets, that it is possible to detect botnet activities with high precision.
Advances in Information Security, 2008
Current techniques for detecting botnets examine traffic content for IRC commands, monitor DNS for strange usage, or set up honeynets to capture live bots. Our botnet detection approach is to examine flow characteristics such as bandwidth, packet timing, and burst duration for evidence of botnet command and control activity. We have constructed an architecture that first eliminates traffic that is unlikely to be a part of a botnet, classifies the remaining traffic into a group that is likely to be part of a botnet, then correlates the likely traffic to find common communications patterns that would suggest the activity of a botnet. Our results show that botnet evidence can be extracted from a traffic trace containing over 1.3 million flows.
2015
Internet users were attacked by widespread email viruses earlier, but the scenario has now changed. Attackers are no longer interested in just attracting media attention by infecting a large number of computers on the network; in fact, their interest has shifted to compromising and controlling the infected computers for their personal profit. This new attack trend brings the concept of botnets over the global network of computers. With the high reported infection rates, the vast range of illegal activities and powerful comebacks, botnets are one of the main threats against cyber security. This paper provides the readers with a background on the botnet life-cycle, architecture and malicious activities. It also classifies botnet detection techniques, reviews the recent research works on botnet traffic detection and finally indicates some challenges posed to future work on botnet detection.