
Clustering botnet communication traffic based on n-gram feature selection

Published: 01 March 2011

Abstract

Recognized as one of the most serious threats to today's Internet infrastructure, botnets can be built not only on existing, well-known application protocols, e.g. IRC, HTTP or peer-to-peer, but also on unknown or custom ones, which makes botnet detection a challenging problem. Previous attempts at detecting botnets have mostly examined traffic content for bot commands on selected network links or have relied on honeypots. As botnets evolve, however, traffic content can be encrypted, and content-based detection approaches then fail. In this paper we address this issue and propose a new approach for detecting and clustering botnet traffic in large-scale network application communities. We first classify network traffic into applications using payload signatures; a novel decision-tree model then assigns the traffic whose payload cannot be classified (e.g. encrypted traffic) to known application communities. Within each community, flows are clustered on n-gram features selected and extracted from the flow content, so as to separate the malicious traffic generated by bots from the normal traffic generated by human users of that application. We evaluate the approach on seven traffic traces collected on three different network links; the results show that it detects two IRC botnet traffic traces with a high detection rate and an acceptably low false alarm rate.
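
The last stage of the pipeline the abstract describes, n-gram feature extraction and selection followed by clustering inside one application community, as an added example in Python that is not code from the paper. The IRC flows are constructed samples; the document-frequency band used to select n-grams, the L2-normalised term-frequency vectors and the farthest-point-seeded k-means are this example's own choices, and the bot/human labels on the flows are used only to score the outcome, never by the clustering itself.

```python
"""Byte n-gram feature selection and clustering of IRC flow payloads.

Added example for this page, not the paper's code. The flows below are
constructed; the document-frequency band used to select n-grams and the
farthest-point-seeded k-means are this example's own choices.
"""
from collections import Counter
from math import sqrt
from typing import Dict, List, Sequence, Tuple

# Constructed sample flows (label, payload). Bot flows are templated:
# only the numeric identifier and scan counters change between infections.
# Human flows share the same protocol keywords but carry free text.
SAMPLE_FLOWS: List[Tuple[str, bytes]] = [
    ("bot", b"NICK [USA|XP|44821]\r\nUSER 44821 0 0 :44821\r\nJOIN #c0nt k3y\r\n"
            b"PRIVMSG #c0nt :[SCAN]: Exploit statistics - 445: 12, 135: 3\r\n"),
    ("bot", b"NICK [USA|XP|10377]\r\nUSER 10377 0 0 :10377\r\nJOIN #c0nt k3y\r\n"
            b"PRIVMSG #c0nt :[SCAN]: Exploit statistics - 445: 7, 135: 0\r\n"),
    ("bot", b"NICK [USA|XP|58810]\r\nUSER 58810 0 0 :58810\r\nJOIN #c0nt k3y\r\n"
            b"PRIVMSG #c0nt :[SCAN]: Exploit statistics - 445: 31, 135: 4\r\n"),
    ("bot", b"NICK [USA|XP|20394]\r\nUSER 20394 0 0 :20394\r\nJOIN #c0nt k3y\r\n"
            b"PRIVMSG #c0nt :[SCAN]: Exploit statistics - 445: 2, 135: 1\r\n"),
    ("human", b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #linux\r\n"
              b"PRIVMSG #linux :anyone else seeing grub break after the update?\r\n"),
    ("human", b"NICK bob42\r\nUSER bob 0 * :Bob\r\nJOIN #linux\r\n"
              b"PRIVMSG #linux :yeah, reinstalling it from a live usb fixed it for me\r\n"),
    ("human", b"NICK carol_\r\nUSER carol 0 * :Carol\r\nJOIN #linux\r\n"
              b"PRIVMSG #linux :did you try grub-install with the right target?\r\n"),
    ("human", b"NICK dave\r\nUSER dave 0 * :Dave\r\nJOIN #linux\r\n"
              b"PRIVMSG #linux :brb, lunch\r\n"),
]


def ngrams(payload: bytes, n: int) -> Counter:
    """Count the overlapping byte n-grams of one flow payload."""
    return Counter(payload[i:i + n] for i in range(len(payload) - n + 1))


def select_features(docs: Sequence[Counter], min_df: int, max_df: int) -> List[bytes]:
    """Keep n-grams seen in at least min_df and at most max_df flows.

    Grams present in (almost) every flow are protocol keywords such as
    NICK, JOIN or PRIVMSG and say nothing about who generated the flow;
    singletons (random nicknames, per-bot IDs) only describe one flow.
    """
    df: Counter = Counter()
    for d in docs:
        df.update(d.keys())
    return sorted(g for g, c in df.items() if min_df <= c <= max_df)


def vectorize(doc: Counter, features: Sequence[bytes]) -> List[float]:
    """Term-frequency vector over the selected grams, L2-normalised so
    that a long payload does not dominate the distance."""
    v = [float(doc.get(g, 0)) for g in features]
    norm = sqrt(sum(x * x for x in v)) or 1.0
    return [x / norm for x in v]


def sq_dist(a: Sequence[float], b: Sequence[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(vectors: List[List[float]], k: int = 2, iters: int = 50) -> List[int]:
    """Plain k-means; seeds are chosen deterministically by farthest-point
    selection so the run is reproducible."""
    k = min(k, len(vectors))
    centroids = [vectors[0]]
    while len(centroids) < k:
        centroids.append(max(vectors, key=lambda v: min(sq_dist(v, c) for c in centroids)))
    assign = [-1] * len(vectors)
    for _ in range(iters):
        new_assign = [min(range(k), key=lambda j: sq_dist(v, centroids[j])) for v in vectors]
        if new_assign == assign:
            break
        assign = new_assign
        for j in range(k):
            members = [v for v, a in zip(vectors, assign) if a == j]
            if members:
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return assign


def cluster_flows(flows: Sequence[Tuple[str, bytes]], n: int = 3,
                  min_df: int = 2, max_df: int = None) -> Dict[str, object]:
    """Extract n-grams, select a feature subset, vectorise and cluster (k=2)."""
    docs = [ngrams(p, n) for _, p in flows]
    if max_df is None:
        max_df = len(docs) - 1          # drop grams present in every flow
    feats = select_features(docs, min_df, max_df)
    vecs = [vectorize(d, feats) for d in docs]
    return {"features": feats, "assignment": kmeans(vecs, k=2)}


def cluster_purity(labels: Sequence[str], assignment: Sequence[int]) -> float:
    """Fraction of flows whose cluster's majority label equals their own."""
    by_cluster: Dict[int, Counter] = {}
    for lab, a in zip(labels, assignment):
        by_cluster.setdefault(a, Counter())[lab] += 1
    return sum(c.most_common(1)[0][1] for c in by_cluster.values()) / len(labels)


if __name__ == "__main__":
    out = cluster_flows(SAMPLE_FLOWS)
    for (label, payload), c in zip(SAMPLE_FLOWS, out["assignment"]):
        print(f"cluster {c}  {label:5s}  {payload[:28]!r}")
    print("purity:", cluster_purity([l for l, _ in SAMPLE_FLOWS], out["assignment"]))
```

The selection band is what does the work here: with the protocol keywords removed, the templated bot flows share a large block of grams (the channel, key, nickname pattern and scan-report skeleton) that no human flow contains, so they collapse into one tight cluster while the free-text human flows land in the other. On real traces the band thresholds, n and k would have to be tuned per application community, and a bot that randomises its templates will erode the separation.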



Information

Published In

Computer Communications, Volume 34, Issue 3, March 2011, 302 pages

Publisher

Elsevier Science Publishers B. V., Netherlands

Publication History

Published: 01 March 2011

Author Tags

1. Botnet detection
2. Clustering
3. Machine learning

Qualifiers

• Article


Cited By

• (2020) A new method to classify malicious domain name using neutrosophic sets in DGA botnet detection. Journal of Intelligent & Fuzzy Systems: Applications in Engineering and Technology 38(4), 4223-4236, doi:10.3233/JIFS-190681, online 1 Jan 2020
• (2020) BotChase: Graph-Based Bot Detection Using Machine Learning. IEEE Transactions on Network and Service Management 17(1), 15-29, doi:10.1109/TNSM.2020.2972405, online 1 Mar 2020
• (2020) An efficient reinforcement learning-based Botnet detection approach. Journal of Network and Computer Applications 150, doi:10.1016/j.jnca.2019.102479, online 15 Jan 2020
• (2020) Detecting botnet by using particle swarm optimization algorithm based on voting system. Future Generation Computer Systems 107, 95-111, doi:10.1016/j.future.2020.01.055, online 1 Jun 2020
• (2020) A smart adaptive particle swarm optimization–support vector machine: android botnet detection application. The Journal of Supercomputing 76(12), 9854-9881, doi:10.1007/s11227-020-03233-x, online 1 Dec 2020
• (2020) Insights into Attacks' Progression: Prediction of Spatio-Temporal Behavior of DDoS Attacks. Information Security Applications, 362-374, doi:10.1007/978-3-030-65299-9_27, online 26 Aug 2020
• (2019) On the performance of intelligent techniques for intensive and stealthy DDos detection. Computer Networks: The International Journal of Computer and Telecommunications Networking 164, doi:10.1016/j.comnet.2019.106906, online 9 Dec 2019
• (2018) Bot detection using unsupervised machine learning. Microsystem Technologies 24(1), 209-217, doi:10.1007/s00542-016-3237-0, online 1 Jan 2018
• (2018) A P2P Botnet detection scheme based on decision tree and adaptive multilayer neural networks. Neural Computing and Applications 29(11), 991-1004, doi:10.1007/s00521-016-2564-5, online 1 Jun 2018
• (2018) HTTP and contact-based features for Botnet detection. Security and Privacy 1(5), doi:10.1002/spy2.41, online 14 Oct 2018
