BotOnus: an online unsupervised method for Botnet detection

Botnets are recognized as one of the most dangerous threats to the Internet infrastructure. They are used for malicious activities such as launching distributed denial of service attacks, sending spam, and leaking personal information. Existing botnet detection methods offer a number of good ideas, but they are far from complete: most of them cannot detect botnets in an early stage of their lifecycle, and they depend on a particular command and control (C&C) protocol. In this paper, we address these issues and propose an online unsupervised method, called BotOnus, for botnet detection that does not require a priori knowledge of botnets. It extracts a set of flow feature vectors from the network traffic at the end of each time period and then groups them into flow clusters using a novel online fixed-width clustering algorithm. Flow clusters that have at least two members and whose intra-cluster similarity is above a similarity threshold are identified as suspicious botnet clusters, and all hosts in such clusters are identified as bot-infected. We demonstrate the effectiveness of BotOnus in detecting various botnets, including HTTP-, IRC-, and P2P-based botnets, using a testbed network. The experimental results show that it can successfully detect various botnets with an average detection rate of 94.33% and an average false alarm rate of 3.74%.
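The clustering-and-flagging step described above, as an added Python illustration that is not the paper's code: a single-pass fixed-width clusterer over per-host flow feature vectors, followed by the rule that a cluster with at least two members and intra-cluster similarity above a threshold marks all its hosts as suspicious. The feature set, Euclidean distance, cluster width, and the 1/(1+d) similarity measure are assumptions, not the paper's definitions.

```python
from math import sqrt

def dist(a, b):
    # Euclidean distance between two feature vectors (assumed metric)
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class FixedWidthClusterer:
    """Online fixed-width clustering: each incoming vector joins the first
    cluster whose centroid lies within `width`, otherwise it seeds a new one."""
    def __init__(self, width):
        self.width = width
        self.clusters = []  # each: {"centroid": [...], "members": [(host, vec)]}

    def add(self, host, vec):
        for c in self.clusters:
            if dist(c["centroid"], vec) <= self.width:
                c["members"].append((host, vec))
                n = len(c["members"])
                # incremental running-mean update of the centroid
                c["centroid"] = [m + (v - m) / n for m, v in zip(c["centroid"], vec)]
                return
        self.clusters.append({"centroid": list(vec), "members": [(host, vec)]})

def intra_similarity(members):
    """Mean pairwise similarity 1/(1+d) over all member pairs (assumed measure)."""
    vecs = [v for _, v in members]
    pairs = [(i, j) for i in range(len(vecs)) for j in range(i + 1, len(vecs))]
    return sum(1 / (1 + dist(vecs[i], vecs[j])) for i, j in pairs) / len(pairs)

def suspicious_hosts(clusterer, sim_threshold):
    # Clusters with >= 2 members and similarity above the threshold are flagged;
    # every host in such a cluster is reported as bot-infected.
    hosts = set()
    for c in clusterer.clusters:
        if len(c["members"]) >= 2 and intra_similarity(c["members"]) >= sim_threshold:
            hosts.update(h for h, _ in c["members"])
    return sorted(hosts)

# Constructed per-host feature vectors for one time period (hypothetical features):
# (mean bytes per flow / 100, flows per minute, mean inter-flow gap in seconds)
FLOWS = [
    ("10.0.0.5", (1.2, 4.0, 15.0)),    # three hosts with near-identical periodic traffic
    ("10.0.0.9", (1.3, 4.1, 15.2)),
    ("10.0.0.12", (1.1, 4.0, 14.9)),
    ("10.0.0.20", (30.0, 0.3, 240.0)),  # ordinary browsing host, alone in its cluster
    ("10.0.0.33", (8.5, 1.0, 60.0)),    # another singleton
]

def run(width=1.0, sim_threshold=0.7):
    fw = FixedWidthClusterer(width)
    for host, vec in FLOWS:
        fw.add(host, vec)
    return suspicious_hosts(fw, sim_threshold)
```

Singleton clusters are never reported, which is what keeps an unusual but lone host (such as the browsing host above) from triggering an alarm.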
