DOI: 10.1145/3407023.3407053
Research article

A comparison of stream mining algorithms on botnet detection

Published: 25 August 2020

Abstract

Recent botnet activities targeting IoT infrastructure and turning computing devices into cryptocurrency miners indicate an increase in the botnet attack surface and capabilities. These facts emphasize the importance of investigating alternative methods for detecting botnets. One of them is using stream mining algorithms to classify malicious network traffic. Although some initiatives seek to adopt stream mining strategies to detect botnets, several research topics still need to be discussed. Our goal is to compare the use of single and ensemble-based stream mining algorithms to identify botnet network flows. Since obtaining examples of malicious network flows can be a hassle for security managers, we also investigate whether the use of ensembles could reduce the number of labeled instances required to update the classification model. Our results indicate that the ensemble-based Ozaboost algorithm with the prequential evaluation strategy outperforms the other selected algorithms. We also found that ensemble-based algorithms and some botnet characteristics (C&C communication protocol) require fewer labeled instances while maintaining high performance.




Published In

ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security
August 2020
1073 pages
ISBN:9781450388337
DOI:10.1145/3407023
Program Chairs: Melanie Volkamer, Christian Wressnegger

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. botnets
  2. data streams
  3. ensemble
  4. intrusion detection systems
  5. stream mining

Qualifiers

  • Research-article

Funding Sources

  • Fundação de Amparo à Pesquisa do Estado de Minas Gerais

Conference

ARES 2020

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (Last 12 months)10
  • Downloads (Last 6 weeks)2
Reflects downloads up to 13 Dec 2024

Cited By

  • (2023) A Real-Time P2P Bot Host Detection in a Large-Scale Network Using Statistical Network Traffic Features and Apache Spark Streaming Platform. 2023 IEEE 8th International Conference for Convergence in Technology (I2CT), pp. 1-7. DOI: 10.1109/I2CT57861.2023.10126429. Online publication date: 7-Apr-2023
  • (2023) Model Update for Intrusion Detection: Analyzing the Performance of Delayed Labeling and Active Learning Strategies. Computers & Security, article 103451. DOI: 10.1016/j.cose.2023.103451. Online publication date: Aug-2023
  • (2022) Learning From Network Data Changes for Unsupervised Botnet Detection. IEEE Transactions on Network and Service Management 19:1, pp. 601-613. DOI: 10.1109/TNSM.2021.3109076. Online publication date: Mar-2022
  • (2021) A Survey on Botnets: Incentives, Evolution, Detection and Current Trends. Future Internet 13:8, article 198. DOI: 10.3390/fi13080198. Online publication date: 31-Jul-2021
  • (2021) Intrusion Detection over Network Packets using Data Stream Classification Algorithms. 2021 IEEE 33rd International Conference on Tools with Artificial Intelligence (ICTAI), pp. 985-990. DOI: 10.1109/ICTAI52525.2021.00157. Online publication date: Nov-2021
  • (2021) Features Representation of Botnet Detection Using Machine Learning Approaches. 2021 International Conference on Computational Intelligence and Computing Applications (ICCICA), pp. 1-5. DOI: 10.1109/ICCICA52458.2021.9697320. Online publication date: 26-Nov-2021
