
A P2P Botnet detection scheme based on decision tree and adaptive multilayer neural networks

Published: 01 June 2018

Abstract

In recent years, botnets have become a popular vehicle for delivering and spreading malicious code on the Internet. That code in turn supports fraudulent activity such as spam, distributed denial-of-service attacks and click fraud. While many botnets are built on a centralized command-and-control (C&C) architecture, peer-to-peer (P2P) botnets can adopt a decentralized one, exchanging C&C data over an overlay network, which makes them harder to detect. This work presents a P2P bot detection method based on an adaptive multilayer feed-forward neural network used together with decision trees. A classification and regression tree (CART) is applied as a feature selection technique to identify the relevant traffic features. With those features, a multilayer feed-forward network is trained using the resilient back-propagation (RPROP) learning algorithm. A comparison of feature sets selected by the decision tree, by principal component analysis and by the ReliefF algorithm showed that the network trained on decision-tree-selected features achieves better identification accuracy together with a lower false positive rate. The usefulness of the proposed approach is demonstrated by experiments on real network traffic datasets, in which an average detection rate of 99.08 % and a false positive rate of 0.75 % were observed.
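
The pipeline the abstract describes, as an added example that is not the paper's code or the authors' implementation: a CART-style split-gain ranking selects the input features, a one-hidden-layer feed-forward network is trained with resilient back-propagation, and detection rate and false positive rate are computed on records the network did not train on. Everything concrete here is assumed for illustration: the four flow features and their value ranges, the labels, the stump-level Gini gain used as the tree importance (a simplification of full CART importance), the iRPROP- update variant, the network width, the epoch count and the step-size cap.

```python
import math
import random

FEATURES = ["bytes_per_sec", "avg_pkt_size", "duration_s", "distinct_peers"]

def make_flows(n=40, seed=7):
    """Constructed per-host flow summaries, not real traffic; label 1 = P2P bot, 0 = benign."""
    rng, X, y = random.Random(seed), [], []
    for i in range(n):
        bot = i % 2 == 1
        X.append([
            rng.uniform(50, 400) if bot else rng.uniform(200, 5000),  # bytes/s: C&C gossip is low volume
            rng.uniform(60, 180) if bot else rng.uniform(400, 1400),  # avg packet size: small keep-alives
            rng.uniform(1, 20),                                       # duration: uninformative by design
            rng.uniform(40, 120) if bot else rng.uniform(2, 20),      # distinct peers: overlay membership
        ])
        y.append(1 if bot else 0)
    return X, y

def gini(labels):
    p = sum(labels) / len(labels) if labels else 0.0
    return 1.0 - p * p - (1.0 - p) ** 2

def stump_importance(X, y, j):
    """Largest Gini decrease one CART split on feature j achieves (a stump-level importance)."""
    parent, best = gini(y), 0.0
    for t in sorted({r[j] for r in X}):
        left, right = [yi for r, yi in zip(X, y) if r[j] <= t], [yi for r, yi in zip(X, y) if r[j] > t]
        w = len(left) / len(y)
        best = max(best, parent - w * gini(left) - (1.0 - w) * gini(right))
    return best

def select_features(X, y, k):
    """Indices of the k highest-gain features: the decision-tree selection step."""
    return sorted(range(len(FEATURES)), key=lambda j: stump_importance(X, y, j), reverse=True)[:k]

def sigmoid(z):  # two-branch form so math.exp cannot overflow once RPROP has grown the weights
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))

def rprop_step(w, d, g_prev, g, eta_plus=1.2, eta_minus=0.5, d_max=5.0, d_min=1e-6):
    """iRPROP- update of one weight: only the gradient's sign is used and the step adapts per weight.
    eta+, eta- and delta_min are Riedmiller and Braun's values; delta_max = 5 (theirs is 50) is an assumption here."""
    s = g_prev * g
    if s > 0:
        d = min(d * eta_plus, d_max)
    elif s < 0:
        d = max(d * eta_minus, d_min)
        g = 0.0  # sign flipped: shrink the step, skip this update, forget the gradient
    if g != 0.0:
        w -= math.copysign(d, g)
    return w, d, g

class RpropMLP:
    def __init__(self, n_in, n_hidden=4, seed=1):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]  # +1 = bias
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]
        self.d1, self.d2 = [[0.1] * (n_in + 1) for _ in range(n_hidden)], [0.1] * (n_hidden + 1)  # step sizes
        self.g1, self.g2 = [[0.0] * (n_in + 1) for _ in range(n_hidden)], [0.0] * (n_hidden + 1)  # last gradients

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x + [1.0]))) for row in self.w1]
        return h, sigmoid(sum(w * hi for w, hi in zip(self.w2, h + [1.0])))

    def _gradients(self, X, y):  # full-batch gradient of the cross-entropy loss
        g1, g2 = [[0.0] * len(r) for r in self.w1], [0.0] * len(self.w2)
        for x, t in zip(X, y):
            h, o = self.forward(x)
            d_out = o - t  # dL/dnet at a sigmoid output under cross-entropy
            for i, hi in enumerate(h + [1.0]):
                g2[i] += d_out * hi
            for k, hk in enumerate(h):
                d_hid = d_out * self.w2[k] * hk * (1.0 - hk)
                for i, xi in enumerate(x + [1.0]):
                    g1[k][i] += d_hid * xi
        return g1, g2

    def fit(self, X, y, epochs=200):
        for _ in range(epochs):
            g1, g2 = self._gradients(X, y)
            for w, d, gp, g in zip(self.w1 + [self.w2], self.d1 + [self.d2], self.g1 + [self.g2], g1 + [g2]):
                for i in range(len(w)):
                    w[i], d[i], gp[i] = rprop_step(w[i], d[i], gp[i], g[i])
        return self

def detection_metrics(y_true, y_pred):
    """(detection rate, false positive rate): the two figures the abstract reports."""
    tp, fn, fp, tn = (sum((t, p) == c for t, p in zip(y_true, y_pred)) for c in [(1, 1), (1, 0), (0, 1), (0, 0)])
    return tp / (tp + fn), fp / (fp + tn)

def run_pipeline(k=3, epochs=200):
    X, y = make_flows()
    cols = select_features(X, y, k)
    lo, hi = [min(r[j] for r in X) for j in cols], [max(r[j] for r in X) for j in cols]
    Xs = [[(r[j] - l) / (h - l) for j, l, h in zip(cols, lo, hi)] for r in X]  # min-max scale to [0, 1]
    train, test = [i for i in range(len(y)) if i % 5 != 4], [i for i in range(len(y)) if i % 5 == 4]  # hold out 1 in 5
    net = RpropMLP(len(cols)).fit([Xs[i] for i in train], [y[i] for i in train], epochs)
    score = lambda idx: detection_metrics([y[i] for i in idx], [int(net.forward(Xs[i])[1] >= 0.5) for i in idx])
    return {"selected": [FEATURES[j] for j in cols], "train": score(train), "test": score(test)}
```

`run_pipeline()` returns the selected feature names and a (detection rate, false positive rate) pair for the training records and for the held-out ones; on this constructed data the uninformative duration feature is the one dropped. The held-out pair is the only number worth reading: a detection rate measured on the same flows the network was fitted to says nothing about how it will behave on traffic from a botnet it has not seen, which is the situation the abstract's 99.08 % / 0.75 % figures have to be understood against.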



Published In

Neural Computing and Applications, Volume 29, Issue 11 (June 2018), 289 pages
ISSN: 0941-0643
EISSN: 1433-3058

Publisher

Springer-Verlag, Berlin, Heidelberg

Author Tags

  1. C&C
  2. CART algorithm
  3. Multilayer neural network
  4. P2P Bot
  5. Resilient back-propagation
  6. TCP protocol

Qualifiers

  • Article

Cited By

  • (2024) Botnets Unveiled. Transactions on Emerging Telecommunications Technologies 35(11). doi:10.1002/ett.5056. Online publication date: 20-Oct-2024
  • (2022) Phishing Website Detection With Semantic Features Based on Machine Learning Classifiers. International Journal on Semantic Web & Information Systems 18(1):1-24. doi:10.4018/IJSWIS.297032. Online publication date: 23-Feb-2022
  • (2022) An Empirical Evaluation of Supervised Learning Methods for Network Malware Identification Based on Feature Selection. Complexity 2022. doi:10.1155/2022/6760920. Online publication date: 1-Jan-2022
  • (2022) A Protocol-Independent Botnet Detection Method Using Flow Similarity. Security and Communication Networks 2022. doi:10.1155/2022/3161143. Online publication date: 1-Jan-2022
  • (2022) A Fuzzy Logic based feature engineering approach for Botnet detection using ANN. Journal of King Saud University - Computer and Information Sciences 34(9):6872-6882. doi:10.1016/j.jksuci.2021.06.018. Online publication date: 1-Oct-2022
  • (2022) Intelligent intrusion detection based on fuzzy Big Data classification. Cluster Computing 26(6):3719-3736. doi:10.1007/s10586-022-03769-y. Online publication date: 17-Oct-2022
  • (2022) The role of artificial intelligence and machine learning in wireless networks security: principle, practice and challenges. Artificial Intelligence Review 55(7):5215-5261. doi:10.1007/s10462-022-10143-2. Online publication date: 1-Oct-2022
  • (2022) A wrapper method based on a modified two-step league championship algorithm for detecting botnets in IoT environments. Computing 104(8):1753-1774. doi:10.1007/s00607-022-01070-9. Online publication date: 1-Aug-2022
  • (2021) Design and Development of an Efficient Network Intrusion Detection System Using Machine Learning Techniques. Wireless Communications & Mobile Computing 2021. doi:10.1155/2021/9974270. Online publication date: 1-Jan-2021
  • (2021) Securing Smart Cities using LSTM algorithm and lightweight containers against botnet attacks. Applied Soft Computing 113(PA). doi:10.1016/j.asoc.2021.107859. Online publication date: 1-Dec-2021
