A Closer Look at the HTTP and P2P Based Botnets from a Detector's Perspective

Botnets are one of the main aggressive threats against cybersecurity. To evade detection systems, recent botnets use the most common communication protocols on the Internet to hide themselves in legitimate users' traffic. From this perspective, most recent botnets are HTTP based and/or Peer-to-Peer (P2P) systems. In this work, we investigate whether such structural differences have any impact on the performance of botnet detection systems. To this end, we studied how three machine learning techniques (Decision Tree, Genetic Programming and Bayesian Networks) differ in their detection performance. The investigated approaches have previously been shown to be effective for HTTP based botnets. We also analyze the detection models in detail to highlight any behavioural differences between these two types of botnets. In our analysis, we employed four publicly available HTTP based botnet data sets (namely Citadel, Zeus, Conficker and Virut) and four publicly available P2P based botnet data sets (namely ISOT, NSIS, ZeroAccess and Kelihos).
