Identifying malicious botnet traffic using logistic regression

An important source of cyber-attacks is malware, which proliferates in different forms such as botnets. Botnet malware typically looks for vulnerable devices across the Internet rather than targeting specific individuals, companies or industries. It attempts to infect as many connected devices as possible and uses their resources for automated tasks that may cause significant economic and social harm while remaining hidden from the user and the device, which makes such activity very difficult to detect. A considerable amount of research has been conducted on detecting and preventing botnet infestation. In this paper, we attempt to create a foundation for an anomaly-based intrusion detection system using a statistical learning method, with the aim of improving network security and reducing human involvement in botnet detection. We focus on identifying the best features for detecting botnet activity within network traffic using a lightweight logistic regression model. The network traffic is processed by Bro, a popular network monitoring framework, which provides aggregate statistics about the packets exchanged between a source and destination over a certain time interval. These statistics serve as features to a logistic regression model that classifies traffic as malicious or benign. Our model is easy to implement and simple to interpret. We characterized and modeled 8 different botnet families both separately and as a mixed dataset. Finally, we measured the performance of our model on multiple parameters using F1 score, accuracy and Area Under Curve (AUC).
