Effective Botnet Detection Through Neural Networks on Convolutional Features

Botnets are one of the major threats on the Internet, used to commit cybercrimes such as DDoS attacks, theft of sensitive information, and spam distribution. Detecting modern botnets is challenging because they continuously evolve to evade detection. In this paper, we propose a machine learning based botnet detection system that is shown to be effective in identifying P2P botnets. Our approach extracts a convolutional version of effective flow-based features and trains a classification model using a feed-forward artificial neural network. The experimental results show that detection accuracy using the convolutional features is higher than with the traditional features: the system achieves 94.7% detection accuracy and a 2.2% false positive rate on known P2P botnet datasets. Furthermore, our system adds a confidence-testing stage that further classifies the network traffic for which the neural network's output is of insufficient confidence. The experiment shows that this stage increases the detection accuracy to 98.6% and decreases the false positive rate to 0.5%.
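The confidence-testing stage described above, as an added illustration that is not the paper's own code: the abstract does not say how confidence is measured or what the second-stage classifier is, so the margin-around-0.5 rule, the packet-rate fallback, and all flow records below are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    label: int       # ground truth, constructed: 1 = botnet, 0 = benign
    nn_prob: float   # first-stage network output P(botnet), constructed
    pkt_rate: float  # a raw flow feature (packets/s), constructed


# Constructed sample: four clear-cut flows and four near the decision boundary.
FLOWS = [
    Flow(1, 0.97, 40.0), Flow(1, 0.91, 35.0), Flow(0, 0.04, 3.0), Flow(0, 0.12, 5.0),
    Flow(1, 0.55, 38.0), Flow(0, 0.48, 4.0), Flow(0, 0.58, 2.5), Flow(1, 0.42, 42.0),
]


def first_stage(flow: Flow, threshold: float = 0.5) -> int:
    """Plain neural-network decision: P(botnet) >= threshold -> botnet."""
    return 1 if flow.nn_prob >= threshold else 0


def confident(flow: Flow, margin: float) -> bool:
    """Assumed confidence test: trust the network only when P(botnet)
    is at least `margin` away from the 0.5 decision boundary."""
    return abs(flow.nn_prob - 0.5) >= margin


def second_stage(flow: Flow, rate_cutoff: float = 20.0) -> int:
    """Hypothetical fallback classifier applied to low-confidence flows;
    here a single rule on a raw flow feature stands in for it."""
    return 1 if flow.pkt_rate >= rate_cutoff else 0


def classify(flows: list, margin: float) -> list:
    """Two-stage decision; margin=0.0 disables the second stage."""
    return [first_stage(f) if confident(f, margin) else second_stage(f)
            for f in flows]


def metrics(preds: list, flows: list) -> tuple:
    """Return (accuracy, false positive rate) for a list of predictions."""
    correct = sum(p == f.label for p, f in zip(preds, flows))
    fp = sum(p == 1 and f.label == 0 for p, f in zip(preds, flows))
    negatives = sum(f.label == 0 for f in flows)
    return correct / len(flows), fp / negatives


if __name__ == "__main__":
    print("network only     :", metrics(classify(FLOWS, 0.0), FLOWS))
    print("with confidence  :", metrics(classify(FLOWS, 0.3), FLOWS))
```

On this constructed sample the network alone misclassifies the two boundary flows at 0.58 and 0.42, while routing every flow within 0.3 of the boundary to the fallback removes both errors; with real data the gain depends entirely on the second-stage classifier being better than the network on exactly those flows.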
