BotCapturer: Detecting Botnets based on Two-Layered Analysis with Graph Anomaly Detection and Network Traffic Clustering

Botnets have become one of the most serious threats on the Internet. Attackers use them as a platform for malicious activities such as distributed denial-of-service (DDoS) attacks and cryptocurrency mining. Network traffic is widely used as the data source for botnet detection, but two main issues remain. First, many traditional filtering methods such as whitelisting cannot process very large volumes of traffic in real time because of their limited computational capacity. Second, many existing detection methods based on network traffic clustering produce high false positive rates. In this work we address both issues with a lightweight botnet detection system, BotCapturer, based on a two-layered analysis that combines graph anomaly detection with clustering of network communication traffic. First, we identify anomalous nodes that correspond to C&C (Command and Control) servers by computing anomaly scores in a graph abstracted from the network traffic. Second, we use clustering algorithms to check whether the nodes interacting with an anomalous node share a similar communication pattern. To minimize irrelevant traffic, we propose a traffic reduction method that removes more than 85% of background traffic by filtering out packets unrelated to hosts such as the C&C server. We collect a large dataset by simulating five different botnets and mixing the collected traffic with background traffic obtained from an ISP. Extensive experiments on this dataset show that BotCapturer reduces the input raw packet traces by more than 85% and achieves a detection rate of 100% with a false positive rate of 0.01%, demonstrating that it is effective and efficient at detecting recent botnets.
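The two-layer pipeline sketched above, as an added illustrative example that is not BotCapturer's code. Layer 1 builds a host-communication graph from flow records and scores each destination by the fraction of its in-neighbours that contact it periodically; flagged nodes drive a traffic-reduction step that keeps only flows touching them; layer 2 clusters the flagged node's peers on simple per-edge features and confirms the node only if most peers fall into one tight cluster. The anomaly score, the single-linkage clustering with a relative-distance cutoff, every threshold, and the flow records themselves (the C&C address 10.0.0.200, the bot hosts, the benign hosts and servers) are assumptions constructed for this example, not the paper's algorithms or dataset.

```python
"""Two-layer botnet detection sketch: graph anomaly scoring, then clustering
of the flagged node's peers. Illustrative only: the scoring rule, the
clustering and all thresholds are simplifications chosen for this example,
not BotCapturer's own algorithms."""
import random
import statistics
from collections import defaultdict

CC = "10.0.0.200"                                   # assumed C&C address
BOTS = [f"192.168.1.{i}" for i in range(10, 14)]    # assumed infected hosts


def make_flows(seed=7):
    """Constructed flow records (src, dst, start_s, bytes): four bots beacon
    to CC every ~60 s with near-constant size; twenty benign hosts contact six
    web servers with distinct, irregular gaps and widely varying sizes."""
    rng = random.Random(seed)
    flows = []
    for bot in BOTS:
        t = rng.randint(0, 60)
        for _ in range(20):
            flows.append((bot, CC, t, 300 + rng.randint(0, 10)))
            t += 60 + rng.randint(-2, 2)
    for h in range(20):
        src = f"192.168.2.{h}"
        for j in range(6):
            n = 3 + (h + j) % 3                     # 3..5 flows per pair
            t = rng.randint(0, 300)
            for gap in [0] + rng.sample([5, 17, 43, 110, 260, 590], n - 1):
                t += gap
                flows.append((src, f"10.0.0.{j + 1}", t, rng.randint(200, 20000)))
    return flows


def pair_stats(flows):
    """Graph edges (src, dst) -> (start times, byte counts)."""
    edges = defaultdict(lambda: ([], []))
    for src, dst, t, size in flows:
        edges[(src, dst)][0].append(t)
        edges[(src, dst)][1].append(size)
    return edges


def periodicity(times):
    """Coefficient of variation of inter-arrival gaps (0 = perfectly periodic)."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return float("inf")
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def layer1_scores(edges, cv_max=0.1):
    """Layer 1: per destination node, (fraction of periodic in-neighbours,
    number of periodic in-neighbours). A C&C server attracts beaconing
    peers; a busy web server mostly attracts irregular ones."""
    peers = defaultdict(dict)
    for (src, dst), (times, _) in edges.items():
        peers[dst][src] = periodicity(times) <= cv_max
    return {d: (sum(p.values()) / len(p), sum(p.values())) for d, p in peers.items()}


def candidates(scores, min_fraction=0.5, min_peers=2):
    return [d for d, (frac, n) in scores.items() if frac >= min_fraction and n >= min_peers]


def peer_features(edges, dst):
    """Per in-neighbour of dst: (mean bytes, mean inter-arrival, flow count)."""
    feats = {}
    for (src, d), (times, sizes) in edges.items():
        if d == dst:
            ts = sorted(times)
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            feats[src] = (statistics.mean(sizes),
                          statistics.mean(gaps) if gaps else 0.0, len(times))
    return feats


def rel_close(a, b, eps):
    return all(abs(x - y) <= eps * max(abs(x), abs(y), 1e-9) for x, y in zip(a, b))


def single_linkage(feats, eps):
    """Single-linkage clustering with a cutoff: peers whose feature vectors
    are within eps (relative) on every feature are chained into one group."""
    hosts, groups, seen = list(feats), [], set()
    for h in hosts:
        if h in seen:
            continue
        group, stack = set(), [h]
        while stack:
            x = stack.pop()
            if x in seen:
                continue
            seen.add(x)
            group.add(x)
            stack.extend(y for y in hosts if y not in seen and rel_close(feats[x], feats[y], eps))
        groups.append(group)
    return groups


def layer2_confirm(edges, dst, eps=0.15, min_share=0.75):
    """Layer 2: confirm dst only if most of its peers share one tight cluster."""
    feats = peer_features(edges, dst)
    biggest = max(single_linkage(feats, eps), key=len)
    if len(biggest) >= 2 and len(biggest) / len(feats) >= min_share:
        return sorted(biggest)
    return []


def detect(flows):
    edges = pair_stats(flows)
    cands = candidates(layer1_scores(edges))
    kept = [f for f in flows if f[1] in cands]       # traffic reduction
    confirmed = {d: layer2_confirm(pair_stats(kept), d) for d in cands}
    return {"candidates": cands,
            "reduction": 1 - len(kept) / len(flows),
            "confirmed": {d: b for d, b in confirmed.items() if b}}


if __name__ == "__main__":
    print(detect(make_flows()))
```

Layer 2 is what keeps the false positive rate down: a benign server that happens to have a couple of periodic clients (monitoring probes, auto-refreshing pages) can reach the layer 1 threshold, but its peers differ in size, timing and volume and so never collapse into one cluster, whereas bots driven by the same C&C logic do. The reduction step only retains flows involving flagged nodes, so clustering runs on a small fraction of the raw traffic.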
