Exploring a swarm intelligence methodology to identify command and control flow

Botnets pose a significant threat to the Internet today. Reactive techniques that try to detect such an attack and throttle malicious traffic prevail, but they do not seem to be very effective. In this paper we present an approach to botnet detection based on the methodology of swarm intelligence. Specifically, particle swarm optimization (PSO), a robust stochastic evolutionary algorithm modelled on the movement and collective intelligence of swarms, is applied to track the remote-control activity of a botnet, namely its command and control (C&C) traffic. A few papers in the literature use PSO to address optimization problems, but none shows the effectiveness of PSO on this problem. Therefore, this paper examines PSO for the identification of C&C flows. Compared with other classification techniques, PSO achieves high accuracy.
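As an added illustration that is not part of the paper and does not reproduce its feature set, fitness function or swarm settings, the following inertia-weight PSO searches the parameters of a linear C&C-versus-benign flow classifier over constructed feature vectors; the three features (mean packet size, beacon-interval regularity, session duration) and all PSO constants are assumptions chosen for the example.

```python
import random

# Constructed, labelled flow feature vectors (not real traffic). Each row is
# (mean_packet_size, interval_regularity, duration), all scaled to [0, 1];
# C&C-like flows: small packets, regular beacon intervals, long-lived sessions.
def make_flows(n=40, seed=7):
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        flows.append(((rng.uniform(0.05, 0.3), rng.uniform(0.7, 0.95), rng.uniform(0.6, 0.95)), 1))
        flows.append(((rng.uniform(0.4, 0.9), rng.uniform(0.1, 0.45), rng.uniform(0.05, 0.5)), 0))
    return flows

def predict(params, x):
    """Linear decision rule; params = (w1, w2, w3, bias). Returns 1 for C&C-like."""
    *w, b = params
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0

def fitness(params, flows):
    """Objective the swarm maximises: accuracy of the candidate on the labelled flows."""
    return sum(predict(params, x) == y for x, y in flows) / len(flows)

def pso_train(flows, particles=30, iters=60, inertia=0.7, c1=1.5, c2=1.5, seed=1):
    """Inertia-weight PSO over the 4 classifier parameters; returns (gbest, accuracy)."""
    rng = random.Random(seed)
    dim = 4
    pos = [[rng.uniform(-1, 1) for _ in range(dim)] for _ in range(particles)]
    vel = [[rng.uniform(-0.2, 0.2) for _ in range(dim)] for _ in range(particles)]
    pbest = [p[:] for p in pos]                       # each particle's best position
    pbest_fit = [fitness(p, flows) for p in pos]
    g = max(range(particles), key=lambda i: pbest_fit[i])
    gbest, gbest_fit = pbest[g][:], pbest_fit[g]      # swarm-wide best
    for _ in range(iters):
        for i in range(particles):
            for d in range(dim):
                r1, r2 = rng.random(), rng.random()
                # Velocity = inertia term + pull toward own best + pull toward swarm best
                vel[i][d] = (inertia * vel[i][d]
                             + c1 * r1 * (pbest[i][d] - pos[i][d])
                             + c2 * r2 * (gbest[d] - pos[i][d]))
                pos[i][d] += vel[i][d]
            f = fitness(pos[i], flows)
            if f > pbest_fit[i]:
                pbest[i], pbest_fit[i] = pos[i][:], f
                if f > gbest_fit:
                    gbest, gbest_fit = pos[i][:], f
    return gbest, gbest_fit
```

Usage: `params, acc = pso_train(make_flows())` returns the best parameter vector found and its training accuracy; on real traffic the fitness would be evaluated on held-out labelled flows to avoid rewarding a classifier that merely memorises the training set.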
