Improved Detection of P2P Botnets through Network Behavior Analysis

Botnets are becoming powerful threats on the Internet because they launch targeted attacks against organizations and individuals. P2P botnets are resilient and harder to detect because they use diverse distributed architectures and encryption techniques. Classification-based techniques proposed in the literature to detect P2P botnets report high overall accuracy of the classifier but fail to recognize the individual classes at similar rates. Identifying non-bot traffic is as important as identifying the bot class for the reliability of the classifier. This paper proposes a model that distinguishes P2P botnet command-and-control (C&C) network traffic from normal traffic at a high rate for both classes, using the Random Forests ensemble-of-decision-trees classifier. To further optimize performance, the model also addresses the imbalanced nature of the dataset using techniques such as downsampling and cost-sensitive learning. Performance analysis of the proposed model shows that the true positive rate for both the botnet and legitimate classes exceeds 0.99 while the false positive rate is 0.008.
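The abstract's central evaluation point is that overall accuracy hides poor recall on the minority (bot) class, so each class needs its own true positive rate, and that downsampling or cost-sensitive learning can rebalance the classifier. The following added example (not code from the paper; its flow labels and classifier scores are constructed, and the cost weights are assumed) computes the per-class rates from a confusion matrix, shows a classifier with 0.96 accuracy that catches only 70% of C&C flows, and implements the threshold-moving form of cost-sensitive learning and random undersampling of the majority class:

```python
"""Per-class evaluation and imbalance handling for a P2P-botnet flow classifier.
Added example: the data below is constructed and the scores are hypothetical,
not results from the paper."""
import random

BOT, LEGIT = 1, 0

# Constructed, deliberately imbalanced sample: 10 C&C flows vs 90 legitimate flows.
TRUE_LABELS = [BOT] * 10 + [LEGIT] * 90

# Hypothetical classifier scores (probability of "bot"), same order as TRUE_LABELS.
SCORES = ([0.9, 0.85, 0.8, 0.75, 0.6, 0.55, 0.5, 0.45, 0.4, 0.35]
          + [0.1] * 80 + [0.3] * 6 + [0.45] * 3 + [0.7])


def predict(scores, threshold):
    """Label a flow as bot when its score reaches the threshold."""
    return [BOT if s >= threshold else LEGIT for s in scores]


def confusion(y_true, y_pred):
    """Return (tp, fn, fp, tn) with the bot class as the positive class."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == BOT and p == BOT for t, p in pairs)
    fn = sum(t == BOT and p == LEGIT for t, p in pairs)
    fp = sum(t == LEGIT and p == BOT for t, p in pairs)
    tn = sum(t == LEGIT and p == LEGIT for t, p in pairs)
    return tp, fn, fp, tn


def per_class_rates(y_true, y_pred):
    """Overall accuracy plus the per-class figures the abstract argues for:
    TPR of the bot class, TPR of the legitimate class, and the FPR."""
    tp, fn, fp, tn = confusion(y_true, y_pred)
    return {
        "accuracy": (tp + tn) / (tp + fn + fp + tn),
        "tpr_bot": tp / (tp + fn),
        "tpr_legit": tn / (tn + fp),
        "fpr": fp / (fp + tn),
    }


def cost_sensitive_threshold(y_true, scores, cost_fn, cost_fp):
    """Pick the score threshold minimising cost_fn * FN + cost_fp * FP.
    This is threshold moving, one form of cost-sensitive learning; the cost
    weights are an assumption, not values from the paper."""
    best = None
    for t in sorted(set(scores)):
        tp, fn, fp, tn = confusion(y_true, predict(scores, t))
        cost = cost_fn * fn + cost_fp * fp
        if best is None or cost < best[1]:
            best = (t, cost)
    return best


def downsample_majority(y_true, seed=0):
    """Random undersampling: keep every bot flow plus an equal-sized random
    subset of legitimate flows; returns the selected indices, sorted."""
    bots = [i for i, y in enumerate(y_true) if y == BOT]
    legit = [i for i, y in enumerate(y_true) if y == LEGIT]
    rng = random.Random(seed)
    return sorted(bots + rng.sample(legit, len(bots)))


if __name__ == "__main__":
    # Default 0.5 threshold: high accuracy, but 3 of 10 C&C flows are missed.
    print("default:", per_class_rates(TRUE_LABELS, predict(SCORES, 0.5)))
    # Weight a missed bot flow 10x a false alarm and re-pick the threshold.
    t, cost = cost_sensitive_threshold(TRUE_LABELS, SCORES, cost_fn=10, cost_fp=1)
    print("cost-sensitive threshold:", t, "cost:", cost)
    print("rebalanced:", per_class_rates(TRUE_LABELS, predict(SCORES, t)))
    print("downsampled index set size:", len(downsample_majority(TRUE_LABELS)))
```

Reporting `tpr_bot`, `tpr_legit` and `fpr` side by side is what exposes the gap the abstract describes: on this constructed data the default threshold scores 0.96 accuracy yet reaches only 0.7 on the bot class, while the cost-sensitive threshold raises the bot TPR to 1.0 at the price of a higher false positive rate, which is exactly the trade-off an operator must weigh for C&C detection.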
