Tracking Temporal Evolution of Network Activity for Botnet Detection

Botnets are increasingly the primary enabling technology behind a variety of malicious campaigns, including email spam, click fraud, distributed denial-of-service (DDoS) attacks, and cryptocurrency mining. Botnet technology continues to evolve rapidly, making detection a very challenging problem. There is a fundamental need for robust detection methods that are insensitive to the characteristics of any specific botnet and generalize across botnet types. We propose a novel supervised approach to detecting malicious botnet hosts by tracking each host's network activity over time with a Long Short-Term Memory (LSTM) based neural network architecture. We build a prototype to demonstrate the feasibility of the approach, evaluate it on the CTU-13 dataset, and compare its performance against existing detection methods. We show that our approach yields a more generalizable, botnet-agnostic detection methodology, is amenable to real-time implementation, and performs well compared to existing approaches, with an overall accuracy of 96.2%.
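The abstract describes feeding a host's network activity over time to a sequence model. The step it leaves implicit is how per-flow records become per-host, fixed-length sequences of time-window feature vectors, which is the input shape an LSTM consumes. The following is an added illustration, not code from the paper: it parses a few constructed flow records in the CTU-13 bidirectional NetFlow column layout, bins each source host's flows into fixed time windows (zero-filling silent windows so gaps in activity survive as part of the sequence), and cuts the result into sequences of a fixed length. The five per-window features, the 60-second window, the sequence length and the rule that a host is labelled botnet when any of its flows carries a "Botnet" label are this example's assumptions, not the paper's feature set.

```python
"""Constructed preprocessing example (not the paper's code).

Turn per-flow records into per-host, fixed-length sequences of time-window
feature vectors, the input shape a sequence model such as an LSTM consumes.
Column names follow the CTU-13 bidirectional NetFlow export; the feature set,
window size, sequence length and labelling rule are this example's assumptions.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample flows in CTU-13 column order (two hosts, one infected).
# Records are deliberately not in time order; the code sorts them into windows.
SAMPLE_FLOWS = """\
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2011/08/10 09:46:53.047277,0.5,tcp,147.32.84.165,1025,->,74.125.232.198,80,SR_A,0,0,6,680,340,flow=From-Botnet-V42-TCP-HTTP
2011/08/10 09:46:58.000000,2.0,tcp,147.32.84.170,49152,->,74.125.232.198,443,SR_A,0,0,40,30000,9000,flow=Background
2011/08/10 09:46:55.000000,0.1,udp,147.32.84.165,53,<->,147.32.80.9,53,CON,0,0,2,150,70,flow=From-Botnet-V42-UDP-DNS
2011/08/10 09:47:10.000000,0.2,tcp,147.32.84.165,1026,->,74.125.232.199,80,S_RA,0,0,2,120,60,flow=From-Botnet-V42-TCP-HTTP
2011/08/10 09:48:00.000000,1.0,tcp,147.32.84.165,1027,->,91.212.135.158,6667,SR_A,0,0,10,1200,500,flow=From-Botnet-V42-TCP-CC
2011/08/10 09:48:30.000000,1.0,tcp,147.32.84.165,1028,->,91.212.135.158,6667,SR_A,0,0,8,900,400,flow=From-Botnet-V42-TCP-CC
2011/08/10 09:49:05.000000,0.1,udp,147.32.84.170,54321,<->,147.32.80.9,53,CON,0,0,2,140,60,flow=Background
"""

TS_FORMAT = "%Y/%m/%d %H:%M:%S.%f"
N_FEATURES = 5  # flows, distinct dst IPs, distinct dst ports, total bytes, UDP fraction


def parse_flows(text):
    """Parse CSV flow records; timestamps become datetimes, counters become numbers."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "t": datetime.strptime(r["StartTime"], TS_FORMAT),
            "proto": r["Proto"].lower(),
            "src": r["SrcAddr"],
            "dst": r["DstAddr"],
            "dport": r["Dport"],
            "bytes": int(r["TotBytes"]),
            "label": r["Label"],
        })
    return rows


def window_features(flows):
    """Summarise one host's flows inside one time window into a feature vector."""
    if not flows:
        return [0.0] * N_FEATURES
    n = len(flows)
    return [
        float(n),
        float(len({f["dst"] for f in flows})),
        float(len({f["dport"] for f in flows})),
        float(sum(f["bytes"] for f in flows)),
        sum(1 for f in flows if f["proto"] == "udp") / n,
    ]


def host_sequences(flows, window_seconds=60, seq_len=3):
    """Map each source host to (list of seq_len-long window sequences, label).

    Windows with no flows yield zero vectors so that gaps in activity are kept
    in the sequence rather than collapsed away. Label is 1 when any of the
    host's flows carries a 'Botnet' label (assumed CTU-13 labelling convention).
    """
    t0 = min(f["t"] for f in flows)
    n_windows = max(int((f["t"] - t0).total_seconds() // window_seconds) for f in flows) + 1
    per_host = defaultdict(lambda: [[] for _ in range(n_windows)])
    for f in flows:
        idx = int((f["t"] - t0).total_seconds() // window_seconds)
        per_host[f["src"]][idx].append(f)

    result = {}
    for host, windows in per_host.items():
        vectors = [window_features(w) for w in windows]
        # Cut into fixed-length sequences, zero-padding the last one.
        sequences = []
        for start in range(0, len(vectors), seq_len):
            chunk = vectors[start:start + seq_len]
            chunk += [[0.0] * N_FEATURES for _ in range(seq_len - len(chunk))]
            sequences.append(chunk)
        label = int(any("Botnet" in f["label"] for w in windows for f in w))
        result[host] = (sequences, label)
    return result


if __name__ == "__main__":
    for host, (seqs, label) in host_sequences(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "label", label)
        for seq in seqs:
            for vec in seq:
                print("   ", vec)
```

On the constructed input the infected host's first window shows three flows to three destinations on two ports, the second window shows repeated contact with a single destination on port 6667, and the third is silent; the benign host is quiet in the middle window. Keeping the silent windows as zero vectors is what lets a sequence model see the rhythm of a host's activity rather than just its totals. When evaluating on CTU-13, remember that botnet hosts are a small minority of sources, so an overall accuracy figure should be read alongside per-class precision and recall.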
