BotFP: FingerPrints Clustering for Bot Detection

Efficient bot detection is a crucial security matter and has been widely explored in the past years. Recent approaches supplant flow-based detection techniques and exploit graph-based features, but incur scalability issues in terms of time and space complexity. Bots exhibit specific communication patterns: they use particular protocols and contact specific domains, and can hence be identified by analyzing their communication with the outside. To simplify the communication graph, we look at frequency distributions of protocol attributes that capture the specificity of botnet behaviour. In this paper, we propose a bot detection technique named BotFP, for BotFinger-Printing, which acts by (i) characterizing host behaviour with attribute frequency distribution signatures, (ii) learning the behaviour of benign hosts and bots through a clustering technique, and (iii) classifying new hosts based on their distances to labelled clusters. We validate our solution on the CTU-13 dataset, which contains 13 scenarios of bot infections, connecting to a Command-and-Control (C&C) channel and launching malicious actions such as port scanning or Denial-of-Service (DDoS) attacks. Our approach applies to various bot activities and network topologies. The approach is lightweight, can handle large amounts of data, and shows better accuracy than state-of-the-art techniques.
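The three steps of the abstract (attribute frequency distribution signatures per host, clustering of labelled hosts, nearest-cluster classification of new hosts) can be made concrete with a small end-to-end example. The code below is an added illustration written for this page; it is not the BotFP implementation and does not use CTU-13. It assumes three attributes (protocol, destination port, destination domain), a total-variation distance summed over attributes, a single-pass threshold clustering with a hypothetical `eps=0.5` as a simple stand-in for the paper's clustering technique, and constructed flow records in which benign hosts browse HTTPS and resolve DNS while bots hold a C&C channel and then sweep port 445.

```python
from collections import Counter, defaultdict

# Attributes whose per-host frequency distributions form the fingerprint (assumed set).
ATTRIBUTES = ("protocol", "dst_port", "dst_domain")


def fingerprint(flows):
    """Step (i): one fingerprint per host. For every attribute, a frequency
    distribution (value -> fraction of that host's flows carrying it).
    Normalising by flow count keeps chatty and quiet hosts comparable."""
    counts = defaultdict(lambda: {a: Counter() for a in ATTRIBUTES})
    for host, proto, port, domain in flows:
        counts[host]["protocol"][proto] += 1
        counts[host]["dst_port"][port] += 1
        counts[host]["dst_domain"][domain] += 1
    fps = {}
    for host, per_attr in counts.items():
        fps[host] = {}
        for attr, ctr in per_attr.items():
            total = sum(ctr.values())
            fps[host][attr] = {v: n / total for v, n in ctr.items()}
    return fps


def distance(fp_a, fp_b):
    """Sum, over attributes, of the total-variation distance between the two
    hosts' distributions; 0 means identical, len(ATTRIBUTES) means disjoint."""
    d = 0.0
    for attr in ATTRIBUTES:
        pa, pb = fp_a[attr], fp_b[attr]
        d += 0.5 * sum(abs(pa.get(k, 0.0) - pb.get(k, 0.0)) for k in set(pa) | set(pb))
    return d


def centroid(fps):
    """Attribute-wise mean of a list of fingerprints (still a valid distribution)."""
    n = len(fps)
    c = {}
    for attr in ATTRIBUTES:
        keys = set().union(*(fp[attr].keys() for fp in fps))
        c[attr] = {k: sum(fp[attr].get(k, 0.0) for fp in fps) / n for k in keys}
    return c


def cluster(labelled_fps, eps):
    """Step (ii): single-pass threshold clustering (a simple stand-in for the
    paper's method). A fingerprint joins the nearest cluster whose centroid lies
    within eps, otherwise it seeds a new cluster. Each cluster is then labelled
    by the majority label of its members."""
    clusters = []
    for fp, label in labelled_fps:
        nearest = min(clusters, key=lambda cl: distance(fp, cl["centroid"]), default=None)
        if nearest is not None and distance(fp, nearest["centroid"]) <= eps:
            nearest["members"].append(fp)
            nearest["labels"].append(label)
            nearest["centroid"] = centroid(nearest["members"])
        else:
            clusters.append({"members": [fp], "labels": [label], "centroid": fp})
    for cl in clusters:
        cl["label"] = Counter(cl["labels"]).most_common(1)[0][0]
    return clusters


def classify(fp, clusters):
    """Step (iii): label an unseen host by its nearest labelled cluster. The
    distance is returned too, so a caller can flag hosts far from every cluster
    as low-confidence rather than silently trusting the label."""
    nearest = min(clusters, key=lambda cl: distance(fp, cl["centroid"]))
    return nearest["label"], distance(fp, nearest["centroid"])


# --- Constructed sample traffic (not CTU-13): (host, protocol, dst_port, dst_domain) ---
def _benign_flows(host, n_web, n_dns):
    return ([(host, "tcp", 443, "www.example.com")] * n_web
            + [(host, "udp", 53, "resolver.example.net")] * n_dns)


def _bot_flows(host, n_cc, n_scan):
    # A C&C channel on one port/domain, then a port-445 sweep across many addresses.
    return ([(host, "tcp", 6667, "cc.example.test")] * n_cc
            + [(host, "tcp", 445, f"192.0.2.{i}") for i in range(n_scan)])


TRAIN_LABELS = {"10.0.0.1": "benign", "10.0.0.2": "benign",
                "10.0.0.3": "bot", "10.0.0.4": "bot"}
TRAIN_FLOWS = (_benign_flows("10.0.0.1", 3, 2) + _benign_flows("10.0.0.2", 4, 2)
               + _bot_flows("10.0.0.3", 2, 6) + _bot_flows("10.0.0.4", 2, 8))
TEST_FLOWS = _benign_flows("10.0.0.5", 5, 2) + _bot_flows("10.0.0.6", 3, 5)


def build_model(eps=0.5):
    fps = fingerprint(TRAIN_FLOWS)
    return cluster([(fps[h], TRAIN_LABELS[h]) for h in TRAIN_LABELS], eps)


def run_demo():
    model = build_model()
    return {host: classify(fp, model)[0] for host, fp in fingerprint(TEST_FLOWS).items()}


if __name__ == "__main__":
    for host, label in run_demo().items():
        print(host, "->", label)
```

The point a practitioner should take from the distances is that a scanning bot's destination-domain distribution is spread thinly over many values while a benign host's is concentrated on a few, so even this crude signature separates the two groups; the threshold `eps` is the knob that trades cluster purity against the number of clusters, and would be tuned on labelled data rather than fixed as here.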
