Analysis of Network Traffic Flows for Centralized Botnet Detection
Keywords:
Botnet Detection, Centralized Botnet, Data Clustering, Netflow Protocol, Rule-Based Classification,Abstract
At present, the Internet users are facing the most serious threats considering the malwares have become a powerful tool for attackers. Botnets are one of the most significant malwares. A Bot is an intelligent program run by worms, Trojans or other malicious codes that could perform a group of cyber-attacks on the Internet. Botnets are used for attacks such as stealing data, spam, denial-of-service, phishing etc. A variety of methods and algorithms have been proposed to detect botnets, in which each of them has an emphasis on specific data or methods. Using Netflow data is an effective and agile method compared to other methods in detecting botnets. This research focuses on centralized and HTTP botnets. In the proposed method, we used the hierarchical clustering, XMeans clustering, and rule-based classification. The methods helped to achieve fast and accurate recognition. Hierarchical clustering improved the speed and accuracy rate in the process of separating the flows. The X-Means algorithm led to the highest cohesion inside the clusters and the maximum distance between clusters by choosing optimal K. Using rule-based classification, each cluster with the similar flow is placed in a bot cluster, a semi-bot cluster or a normal cluster. By performing network traffic flow analysis for the proposed method, sets of botnets have been evaluated and the results indicated that more than 95% accuracy in detection. By a minimum overhead, this approach can provide botnet detection with high accuracy and speed.References
CenturyLink 2018 Threat Report [Online], https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&c d=1&cad=rja&uact=8&ved=2ahUKEwi0_8b41ZvhAhVLZ1AKHe27 AXEQFjAAegQIAxAC&url=https%3A%2F%2Fwww.centurylink.co m%2Fasset%2Fbusiness%2Fenterprise%2Freport%2F2018-threatresearch-report.pdf&usg=AOvVaw2vXFoX1ZenSdUMDUOiukir.
Number of the year: Kaspersky Lab is detecting 315,000 new malicious files every day. [Online], http://www.kaspersky.com/about/news/virus/2013/number-of-theyear.
D. Plohmann, E. Gerhards-Padilla, “Case study of the miner botnet,” In Proceedings of the 4th International Conference on Cyber Conflict (CYCON), IEEE, Tallinn, Estonia, 2012, pp. 1-16.
S. N. Prabhu, D. Shanthi, “A survey on anomaly detection of botnet in network,” International Journal of Advance Research in Computer Science and Management Studies, vol. 2, no. 1, 2014, pp. 552-558.
R. Borgaonkar, “An analysis of the asprox botnet,” In Proceedings of the 4th International Conference on Emerging Security Information Systems and Technologies (SECURWARE), IEEE, Venice/Mestre, Italy, 2010, pp. 148-153.
A. Karim, R. B. Salleh, M. Shiraz, S. A. A. Shah, I. Awan, N. B. Anuar, “Botnet detection techniques: review, future trends and issues,” Journal of Zhejiang University-SCIENCE C, vol. 15, no. 11, 2014, pp. 943-983.
A. Bijalwan, V. K. Solanki, E. S. Pilli, “Botnet Forensic: Issues, Challenges and Good Practices,” Network Protocols and Algorithms, vol. 10, no. 2, 2018.
R. S. Rawat, E. S. Pilli, R. C. Joshi, “Survey of Peer-to-Peer Botnets and Detection Frameworks,” International Journal of Network Security, vol. 20, no. 3, 2018, pp. 547-557.
B. Li, J. Springer, G. Bebis, M. H. Gunes, “A survey of network flow application,” Journal of Network and Computer Application, vol. 36, issue 2, 2013, pp. 567-581.
T. S. Hyslip, J. M. Pittman, “A survey of botnet detection techniques by command and control infrastructure,” Journal of Digital Forensics, Security and Law, vol. 10, no. 1, article 2, 2015, pp. 1-21.
D. Zhou, Z. Yan, Y. Fu, and Z. Yao, “A survey on network data collection,” Journal of Network and Computer Applications, vol. 116, 2018, pp. 9-23.
M. A. Rajab, J. Zarfoss, F. Monrose, A. Terzis, “A multifaceted approach to understanding the botnet phenomenon,” In Proceedings of the 6th Conference on Internet Measurement, ACM, Rio de Janeiro, Brazil, 2006, pp. 41-52.
S. Yadav, A. K. K. Reddy, A. N. Reddy, S. Ranjan, “Detecting algorithmically generated domain-flux attacks with DNS traffic analysis,” IEEE/ACM Transactions on Networking, vol. 20, no. 5, 2012, pp. 1663-1677.
G. Vliek, “Detecting spam machines, a Netfow-data based approach,” M.Sc. Dissertation, University of Twente, Netherlands, 2009.
A. L. Buczak, E. Guven, “A survey of data mining and machine learning methods for cyber security intrusion detection,” IEEE Communications Surveys & Tutorials, vol. 18, no. 2, 2016, pp. 1153- 1176.
P. Amini, M. A. Araghizadeh, R. Azmi, “A survey on Botnet: Classification, detection and defense,” In Proceedings of the 17th International Electronics Symposium (IES), IEEE, Surabaya, Indonesia, 2015, pp. 233-238.
W. T. Strayer, D. Lapsely, R. Walsh, C. Livadas, “Botnet detection based on network behavior,” Botnet Detection, Springer US, vol. 36, 2008, pp. 1-24.
L. Bilge, D. Balzarotti, W. Robertson, E. Kirda, C. Kruegel, “Disclosure: detecting botnet command and control servers through large-scale netflow analysis,” In Proceedings of the 28th Annual Computer Security Applications Conference, ACM, Florida, USA, 2012, pp. 129-138.
S. Chowdhury, M. Khanzadeh, R. Akula, F. Zhang, S. Zhang, H. Medal, M. Marufuzzaman, L. Bian, “Botnet detection using graphbased feature clustering,” Journal of Big Data, vol. 4, no. 1, article 14, 2017, pp. 1-23.
G. Kirubavathi, R. Anitha, “Botnet detection via mining of traffic flow characteristics,” Computers and Electrical Engineering, vol. 50, 2016, pp. 91-101.
J. Goebel, T. Holz, “Rishi: Identify bot contaminated hosts by IRC nickname evaluation,” In Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, California, USA, 2007, pp. 1-12.
C. M. Chen, H. C. Lin, “Detecting botnet by anomalous traffic,” Journal of Information Security and Applications, vol. 21, 2015, pp.42-51.
J. Francois, S. Wang, R. State, T. Engel, “BotTrack: Tracking Botnets using NetFlow and PageRank,” In Proceedings of the 10th International Conference on Research in Networking, Valencia, Spain, 2011, pp. 1-14.
P. Amini, R., Azmi M. A. Araghizadeh, M., “Botnet detection using NetFlow and clustering,” Advances in Computer Science: An International Journal, vol. 3, no.2, 2014, pp.139-149.
F. H. Hsu, C. W. Ou, Y. L. Hwang, Y. C. Chang, P. C. Lin, “Detecting Web-Based Botnets Using Bot Communication Traffic Features,” Security and Communication Networks, Volume 2017, Article ID 5960307, 2017, pp. 1-11.
R. F. M. Dollah, M. A. Faizal, F. Arif, M. Z. Mas’ud, L. K. Xin, L.K., “Machine learning for HTTP botnet detection using classifier algorithms,” Journal of Telecommunication, Electronic and Computer Engineering (JTEC), vol. 10, no. 1-7, 2018, pp.27-30.
A. Karasaridis, B. Rexroad, D. Hoeflin, ‘Wide-scale botnet detection and characterization,” In Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, California, USA, 2007, pp. 1-8.
Y. Meidan, M. Bohadana, Y. Mathov, Y. Mirsky, A. Shabtai, D. Breitenbacher, Y. Elovici, “N-BaIoT—Network-Based Detection of IoT Botnet Attacks Using Deep Autoencoders,” IEEE Pervasive Computing, vol. 17, issue 3, 2018, pp.12-22.
L. F. Maimó, A. H. Celdrán, M. G. Pérez, F. J. G. Clemente, G. M. Pérez, “Dynamic management of a deep learning-based anomaly detection system for 5G networks,” Journal of Ambient Intelligence and Humanized Computing, 2018, pp.1-15.
J. Gardiner, Sh. Nagaraja, “On the security of machine learning in malware C&C detection: a survey,” ACM Computing Surveys, vol. 49, no. 3, article 59, 2016, pp. 1-39.
M. W. Lucas, Network Flow Analysis, No Starch Press, San Francisco, USA, 2010.
F. Haddadi, A. N. Zincir-Heywood, “Benchmarking the Effect of Flow Exporters and Protocol Filters on Botnet Traffic Classification,” IEEE Systems Journal, vol. 10, issue 4, 2016, pp. 1390-1401.
G. Gu, J. Zhang, W. Lee, “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic,” In Proceedings of the 15th Annual Network and Distributed System Security Symposium, California, USA, 2008.
D. Pelleg, A. W. Moore, “X-means: extending K-means with efficient estimation of the number of clusters,” In Proceedings of the 17th International Conference on Machine Learning, California, USA, 2000, pp. 727-734.
N. Hourdakis, “Design and evaluation of clustering approaches for large document collections, the BIC-Means method,” M.Sc. Thesis, Technical University of Crete, Greece, 2016.
G. Nychis, V. Sekar, D. G. Andersen, H. Kim, H. Zhang, “An empirical evaluation of entropy-based traffic anomaly detection,” In Proceedings of the 8th SIGCOMM Conference on Internet Measurement, ACM, Vouliagmeni, Greece, 2008, pp. 151-156.
Top Banking Botnets of 2013 [Online], http://www.secureworks.com/cyber-threat-intelligence/threats/topbanking-botnets-of-2013.
Publicly available PCAP files [Online], http://www.netresec.com/?page=PcapFiles.
Special Dataset CTU [Online], https://stratosphereips.org/category/dataset.html.
S. García, V. Uhlíř, M. Rehak, “Identifying and modeling botnet C&C behaviors,” In Proceedings of the 1st International Workshop on Agents and CyberSecurity. ACM, New York, USA, 2014, pp. 1-15.
S. Garcia, M. Grill, J. Stiborek, A. Zunino, “An empirical comparison of botnet detection methods,” Computers & Security, vol. 45, 2014, pp. 100-123.
S. García, A. Zunino, M. Campo, “Botnet behavior detection using network synchronism,” Privacy, Intrusion Detection and Response: Technologies for Protecting Networks: 2011, pp. 1-23.
Identifying Malware Traffic with Bro and the Collective Intelligence Framework (CIF) [Online], https://blog.opensecurityresearch.com/2014/03/identifying-malwaretraffic-with-bro.html.
Downloads
Published
How to Cite
Issue
Section
License
TRANSFER OF COPYRIGHT AGREEMENT
The manuscript is herewith submitted for publication in the Journal of Telecommunication, Electronic and Computer Engineering (JTEC). It has not been published before, and it is not under consideration for publication in any other journals. It contains no material that is scandalous, obscene, libelous or otherwise contrary to law. When the manuscript is accepted for publication, I, as the author, hereby agree to transfer to JTEC, all rights including those pertaining to electronic forms and transmissions, under existing copyright laws, except for the following, which the author(s) specifically retain(s):
- All proprietary right other than copyright, such as patent rights
- The right to make further copies of all or part of the published article for my use in classroom teaching
- The right to reuse all or part of this manuscript in a compilation of my own works or in a textbook of which I am the author; and
- The right to make copies of the published work for internal distribution within the institution that employs me
I agree that copies made under these circumstances will continue to carry the copyright notice that appears in the original published work. I agree to inform my co-authors, if any, of the above terms. I certify that I have obtained written permission for the use of text, tables, and/or illustrations from any copyrighted source(s), and I agree to supply such written permission(s) to JTEC upon request.