HTTP Botnet Detection Using Adaptive Learning Rate Multilayer Feed-Forward Neural Network

Botnets have become a rampant platform for malicious attacks and pose a significant threat to Internet security. Recent botnets have begun using common protocols such as HTTP, which makes their communication patterns even harder to distinguish from legitimate traffic. Most HTTP bot communication is carried over TCP connections. In this work, a set of TCP-related features has been identified for the detection of HTTP botnets. With these features, a Multi-Layer Feed-Forward Neural Network training model using the Bold Driver back-propagation learning algorithm is created. The algorithm has the advantage of dynamically changing the learning rate parameter during the weight update process. Using this approach, SpyEye and Zeus botnets are efficiently identified. A comparison of the actively trained neural network model with a C4.5 Decision Tree, Random Forest and Radial Basis Function network indicated that the actively learned neural network model has better identification accuracy with fewer false positives.
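The abstract describes the training scheme but not its mechanics. The following is an added example, not code from the paper or its authors: a small feed-forward network trained by batch back-propagation with Bold Driver learning-rate adaptation (accept a step and grow the rate when the epoch error falls; otherwise restore the previous weights and shrink the rate). The three input features, their ranges, the growth/shrink factors (1.1 and 0.5) and the synthetic "beacon-like versus browsing-like" dataset are all assumptions made for illustration and are not the paper's feature set or data.

```python
import math
import random


def sigmoid(x):
    """Numerically safe logistic function (avoids exp overflow for large |x|)."""
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    ex = math.exp(x)
    return ex / (1.0 + ex)


def make_dataset(n_per_class=40, seed=7):
    """Constructed data, not from the paper. Each sample is three min-max
    normalised TCP-connection statistics (assumed: connection rate, mean
    payload size, interval regularity) and a label: 1 = bot-like, 0 = benign."""
    rng = random.Random(seed)
    data = []
    for _ in range(n_per_class):
        # Bot-like beaconing: frequent, small, very regular connections.
        data.append(([rng.uniform(0.6, 1.0), rng.uniform(0.0, 0.3), rng.uniform(0.7, 1.0)], 1.0))
        # Benign browsing: sporadic, larger, irregular transfers.
        data.append(([rng.uniform(0.0, 0.4), rng.uniform(0.4, 1.0), rng.uniform(0.0, 0.4)], 0.0))
    return data


class BoldDriverMLP:
    """One hidden layer, sigmoid units, MSE loss, batch gradient descent.
    Learning rate is adapted per epoch by the Bold Driver rule."""

    def __init__(self, n_in, n_hidden, lr=0.5, grow=1.1, shrink=0.5, seed=1):
        rng = random.Random(seed)
        # Each row holds input weights followed by a bias term.
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]
        self.lr, self.grow, self.shrink = lr, grow, shrink
        self.lr_history = []  # learning rate after each epoch, for inspection

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row[:-1], x)) + row[-1]) for row in self.w1]
        out = sigmoid(sum(w * hj for w, hj in zip(self.w2[:-1], h)) + self.w2[-1])
        return h, out

    def predict(self, x):
        return self.forward(x)[1]

    def mse(self, data):
        return sum((self.predict(x) - y) ** 2 for x, y in data) / len(data)

    def _gradients(self, data):
        """Mean gradient of the MSE over the whole batch (standard back-propagation)."""
        g1 = [[0.0] * len(row) for row in self.w1]
        g2 = [0.0] * len(self.w2)
        for x, y in data:
            h, out = self.forward(x)
            d_out = (out - y) * out * (1.0 - out)
            for j, hj in enumerate(h):
                g2[j] += d_out * hj
                d_h = d_out * self.w2[j] * hj * (1.0 - hj)
                for i, xi in enumerate(x):
                    g1[j][i] += d_h * xi
                g1[j][-1] += d_h
            g2[-1] += d_out
        n = len(data)
        return [[g / n for g in row] for row in g1], [g / n for g in g2]

    def train(self, data, epochs=300):
        """Bold Driver: error went down -> keep step, lr *= grow;
        error went up -> undo step, lr *= shrink. Returns final training MSE."""
        prev_err = self.mse(data)
        for _ in range(epochs):
            saved = ([row[:] for row in self.w1], self.w2[:])
            g1, g2 = self._gradients(data)
            self.w1 = [[w - self.lr * g for w, g in zip(row, grow)] for row, grow in zip(self.w1, g1)]
            self.w2 = [w - self.lr * g for w, g in zip(self.w2, g2)]
            err = self.mse(data)
            if err < prev_err:
                self.lr *= self.grow
                prev_err = err
            else:
                self.w1, self.w2 = saved
                self.lr *= self.shrink
            self.lr_history.append(self.lr)
        return prev_err


def accuracy(model, data, threshold=0.5):
    """Fraction of samples whose thresholded output matches the label."""
    hits = sum((model.predict(x) >= threshold) == (y >= 0.5) for x, y in data)
    return hits / len(data)


if __name__ == "__main__":
    data = make_dataset()
    model = BoldDriverMLP(n_in=3, n_hidden=4)
    print("initial MSE", round(model.mse(data), 4))
    print("final MSE  ", round(model.train(data), 4))
    print("accuracy   ", accuracy(model, data))
    print("lr range   ", min(model.lr_history), max(model.lr_history))
```

The rejected-step branch is what distinguishes Bold Driver from plain momentum-free back-propagation: the rate is allowed to grow geometrically while the error keeps falling, and a single bad epoch is discarded rather than left to destabilise the weights. On real TCP features the same loop applies unchanged; only `make_dataset` would be replaced by normalised flow statistics.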
