Benchmark-Based Reference Model for Evaluating Botnet Detection Tools Driven by Traffic-Flow Analytics

Botnets are among the most recurrent cyber-threats. They exploit the wide heterogeneity of endpoint devices at the Edge of emerging communication environments to carry out fraud and other adversarial tactics, including malware distribution, data leaks and denial of service. Significant research advances have produced accurate botnet detection methods underpinned by supervised analysis, but assessing the accuracy and performance of such methods requires a clear evaluation model if proper defensive strategies are to be enforced. To contribute to the mitigation of botnets, this paper introduces a novel evaluation scheme grounded on supervised machine learning algorithms that enable the detection and discrimination of different botnet families in real operational environments. The proposal relies on observing, understanding and inferring the behavior of each botnet family from network indicators measured at flow level. The adopted evaluation methodology comprises six phases for building a detection model against botnet-related malware distributed through the network, for which five supervised classifiers were instantiated and compared: Decision Tree, Random Forest, Gaussian Naive Bayes, Support Vector Machine and K-Neighbors. The experimental validation was performed on two public datasets of real botnet traffic, CIC-AWS-2018 and ISOT HTTP Botnet. Given the heterogeneity of the datasets, tuning the classifiers with the Grid Search algorithm improved their classification results. An exhaustive evaluation demonstrated the adequacy of the proposal and showed that, among the chosen algorithms, Random Forest and Decision Tree are the most suitable for detecting different botnet specimens: they achieved higher precision rates while analyzing a large number of samples in less processing time. The variety of testing scenarios was assessed in depth and reported to set baseline results for future benchmark analysis targeted at flow-based behavioral patterns.
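The evaluation loop the abstract describes (a stratified split of labelled flow records, a Grid Search over a classifier's hyperparameters on a validation fold, then per-family precision, recall and F1 together with processing time on the held-out fold) is sketched below as an added example. It is not code from the paper: the flow records are constructed, the feature names are our own, the family labels are placeholders rather than the families present in CIC-AWS-2018 or ISOT HTTP Botnet, and a plain k-nearest-neighbours vote stands in for the five classifiers so that the script runs with the Python standard library alone.

```python
"""Flow-level botnet-detection benchmark harness: added example, stdlib only."""
import random
import time
from collections import Counter, defaultdict

def make_flows(n_per_class=30, seed=7):
    """Constructed flow records: a benign profile and two botnet-like profiles.
    Vector order: duration_s, fwd_pkts, bwd_pkts, fwd_bytes, bwd_bytes, dst_port."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n_per_class):
        # Benign browsing: short flows, moderate two-way byte counts, port 443.
        flows.append(([rng.uniform(0.1, 3.0), rng.randint(5, 40), rng.randint(20, 40),
                       rng.randint(500, 20000), rng.randint(20000, 60000), 443], "benign"))
        # Beaconing C2-style family (placeholder label): long-lived, a few tiny packets.
        flows.append(([rng.uniform(50.0, 90.0), rng.randint(2, 6), rng.randint(2, 6),
                       rng.randint(100, 600), rng.randint(100, 600), 6667], "family_beacon"))
        # Flooding family (placeholder label): thousands of forward packets, no replies.
        flows.append(([rng.uniform(0.5, 5.0), rng.randint(2000, 9000), 0,
                       rng.randint(100000, 900000), 0, 80], "family_flood"))
    rng.shuffle(flows)
    return flows

def stratified_split(flows, test_frac, seed):
    """Hold out test_frac of each class so rare families are not lost in the split."""
    rng = random.Random(seed)
    by_label = defaultdict(list)
    for flow in flows:
        by_label[flow[1]].append(flow)
    train, test = [], []
    for _, items in sorted(by_label.items()):
        rng.shuffle(items)
        cut = max(1, round(len(items) * test_frac))
        test.extend(items[:cut])
        train.extend(items[cut:])
    return train, test

def fit_minmax(train):
    """Per-feature (min, max) learned on training flows only, so the test fold never leaks."""
    columns = zip(*(x for x, _ in train))
    return [(min(col), max(col)) for col in columns]

def scale(x, bounds):
    # Min-max scale one flow vector; a constant feature maps to 0.0.
    return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v, (lo, hi) in zip(x, bounds)]

def knn_predict(train_scaled, x, k):
    """Majority label among the k closest training flows (Euclidean distance)."""
    ranked = sorted((sum((a - b) ** 2 for a, b in zip(tx, x)), ty) for tx, ty in train_scaled)
    return Counter(label for _, label in ranked[:k]).most_common(1)[0][0]

def precision_recall_f1(y_true, y_pred):
    """Per-class precision/recall/F1 from confusion counts, plus the macro-averaged F1."""
    tp, fp, fn = Counter(), Counter(), Counter()
    for truth, pred in zip(y_true, y_pred):
        if truth == pred:
            tp[truth] += 1
        else:
            fp[pred] += 1
            fn[truth] += 1
    report = {}
    for label in sorted(set(y_true) | set(y_pred)):
        prec = tp[label] / (tp[label] + fp[label]) if tp[label] + fp[label] else 0.0
        rec = tp[label] / (tp[label] + fn[label]) if tp[label] + fn[label] else 0.0
        f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
        report[label] = {"precision": prec, "recall": rec, "f1": f1}
    report["macro_f1"] = sum(m["f1"] for m in report.values()) / len(report)
    return report

def grid_search_k(train, ks, seed=1):
    """Choose k by macro F1 on a validation fold carved out of the training flows."""
    fit, val = stratified_split(train, 0.25, seed)
    bounds = fit_minmax(fit)
    fit_scaled = [(scale(x, bounds), y) for x, y in fit]
    scores = {}
    for k in ks:
        preds = [knn_predict(fit_scaled, scale(x, bounds), k) for x, _ in val]
        scores[k] = precision_recall_f1([y for _, y in val], preds)["macro_f1"]
    return max(ks, key=lambda k: (scores[k], -k)), scores  # ties resolved toward smallest k

def benchmark(flows, ks=(1, 3, 5, 7), seed=3):
    """One full evaluation run: split, tune, classify the test fold and time that stage."""
    train, test = stratified_split(flows, 0.3, seed)
    best_k, grid = grid_search_k(train, ks)
    bounds = fit_minmax(train)
    train_scaled = [(scale(x, bounds), y) for x, y in train]
    start = time.perf_counter()
    preds = [knn_predict(train_scaled, scale(x, bounds), best_k) for x, _ in test]
    elapsed = time.perf_counter() - start  # only the classification stage is timed
    report = precision_recall_f1([y for _, y in test], preds)
    return {"best_k": best_k, "grid": grid, "report": report, "n_test": len(test), "seconds": elapsed}

if __name__ == "__main__":
    result = benchmark(make_flows())
    print(f"best k={result['best_k']}  test flows={result['n_test']}  classify time={result['seconds']:.4f}s")
    for label, m in result["report"].items():
        print(label, m if label == "macro_f1" else f"P={m['precision']:.2f} R={m['recall']:.2f} F1={m['f1']:.2f}")
```

Three choices in the harness carry over to any real benchmark of this kind: scaling bounds are fitted on the training fold only, the split is stratified per family so that a rare botnet class still appears in both folds, and the timer wraps only the classification of held-out flows, which is the processing-time figure the abstract compares across classifiers. Replacing `knn_predict` and the `ks` grid with another model and its parameter grid reuses the rest unchanged.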
