Botnet detection based on network flow summary and deep learning
Abdurrahman Pektaş (corresponding author), Computer Engineering Department, Galatasaray University, Istanbul, Turkey
Correspondence: Abdurrahman Pektaş, Computer Engineering Department, Galatasaray University, Ortaköy, TR-34349 Istanbul, Turkey. Email: [email protected]
Tankut Acarman, Computer Engineering Department, Galatasaray University, Istanbul, Turkey
Summary
A botnet is a group of compromised Internet-connected devices controlled remotely by cyber criminals to launch coordinated attacks and to perform various malicious activities. Since botnets continuously adapt themselves to the evolving countermeasures introduced by both network- and host-based detection mechanisms, traditional approaches do not provide adequate protection against the botnet threat. On the one hand, behavioral analysis of network traffic can play a key role in detecting botnets. For instance, behavioral analysis can be applied to observe and discover the communication patterns that botnets exhibit during their life cycle. On the other hand, deep learning has been successfully applied to various classification tasks, and it is also a promising solution for botnet discovery. In this paper, we apply a deep neural network to detect botnets by modeling network traffic flows. The performance of the proposed method is evaluated on publicly available large-scale communication traces. The experimental results illustrate that deep learning is an efficient and effective method for identifying botnet traffic, with a high true positive rate (attack detection rate) and a low false positive alarm rate.
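The abstract states that the classifier consumes per-flow summaries rather than raw packets. The following Python script is an added illustration, not code from the paper or its authors, of what such a flow summary stage does: it aggregates packet records into bidirectional flows (the kind of record a flow tool such as Argus emits) and derives a fixed-length numeric feature vector per flow, which is the form a neural network input layer expects. The packet records are constructed for the example, and the chosen features (duration, packet and byte counts, byte ratio, and the mean and coefficient of variation of the initiator's inter-arrival times) are an assumption; the paper's actual feature set is not given on this page.

```python
import statistics
from dataclasses import dataclass, field

# Constructed packet records for the example (not from any dataset used by the paper):
# (ts_seconds, src_ip, src_port, dst_ip, dst_port, proto, length_bytes)
PACKETS = [
    # Flow A: a client contacting the same server every 60 s with a fixed-size request
    (0.0,   "10.0.0.5",     40000, "203.0.113.9",  443,   "tcp", 100),
    (0.1,   "203.0.113.9",  443,   "10.0.0.5",     40000, "tcp", 60),
    (60.0,  "10.0.0.5",     40000, "203.0.113.9",  443,   "tcp", 100),
    (60.1,  "203.0.113.9",  443,   "10.0.0.5",     40000, "tcp", 60),
    (120.0, "10.0.0.5",     40000, "203.0.113.9",  443,   "tcp", 100),
    (120.1, "203.0.113.9",  443,   "10.0.0.5",     40000, "tcp", 60),
    # Flow B: a short download-style exchange (small request, large responses)
    (5.0,   "10.0.0.7",     51000, "198.51.100.2", 80,    "tcp", 400),
    (5.2,   "198.51.100.2", 80,    "10.0.0.7",     51000, "tcp", 1460),
    (5.3,   "198.51.100.2", 80,    "10.0.0.7",     51000, "tcp", 1460),
]


@dataclass
class FlowSummary:
    """Bidirectional flow record; 'forward' is the direction of the first packet seen."""
    initiator: tuple          # (ip, port) of the host that sent the first packet
    responder: tuple
    proto: str
    first_ts: float
    last_ts: float
    fwd_pkts: int = 0
    bwd_pkts: int = 0
    fwd_bytes: int = 0
    bwd_bytes: int = 0
    fwd_ts: list = field(default_factory=list)  # timestamps of initiator packets

    def add(self, ts, src, length):
        self.last_ts = max(self.last_ts, ts)
        if src == self.initiator:
            self.fwd_pkts += 1
            self.fwd_bytes += length
            self.fwd_ts.append(ts)
        else:
            self.bwd_pkts += 1
            self.bwd_bytes += length


def summarize_flows(packets):
    """Group packets into flows keyed by the unordered endpoint pair plus protocol,
    so both directions of a conversation land in the same summary."""
    flows = {}
    for ts, sip, sport, dip, dport, proto, length in sorted(packets, key=lambda p: p[0]):
        key = (frozenset([(sip, sport), (dip, dport)]), proto)
        if key not in flows:
            flows[key] = FlowSummary((sip, sport), (dip, dport), proto, ts, ts)
        flows[key].add(ts, (sip, sport), length)
    return sorted(flows.values(), key=lambda f: f.first_ts)


def feature_vector(flow):
    """Derive numeric per-flow features (assumed feature set, see lead-in)."""
    iats = [b - a for a, b in zip(flow.fwd_ts, flow.fwd_ts[1:])]
    mean_iat = statistics.fmean(iats) if iats else 0.0
    # Coefficient of variation of the initiator's inter-arrival times; near zero
    # means highly regular (periodic) outbound contact, a property worth surfacing
    # to the model rather than leaving buried in raw timestamps.
    iat_cv = statistics.pstdev(iats) / mean_iat if len(iats) > 1 and mean_iat > 0 else 0.0
    return {
        "duration": flow.last_ts - flow.first_ts,
        "total_packets": flow.fwd_pkts + flow.bwd_pkts,
        "total_bytes": flow.fwd_bytes + flow.bwd_bytes,
        "fwd_bwd_byte_ratio": flow.fwd_bytes / flow.bwd_bytes if flow.bwd_bytes else float(flow.fwd_bytes),
        "mean_fwd_iat": mean_iat,
        "fwd_iat_cv": iat_cv,
    }


FEATURE_ORDER = ["duration", "total_packets", "total_bytes",
                 "fwd_bwd_byte_ratio", "mean_fwd_iat", "fwd_iat_cv"]


def as_row(flow):
    """Fixed-order list of floats, the shape a neural network input layer consumes."""
    fv = feature_vector(flow)
    return [float(fv[name]) for name in FEATURE_ORDER]


if __name__ == "__main__":
    for f in summarize_flows(PACKETS):
        print(f.initiator, "->", f.responder, as_row(f))
```

In a real pipeline the rows from `as_row` would be scaled and fed to the network as training or inference input; the point of the stage is that each flow becomes one fixed-length vector regardless of how many packets it carried.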