BotGM: Unsupervised graph mining to detect botnets in traffic flows

Botnets are one of the most dangerous and serious cybersecurity threats, since they are a major vector of large-scale attack campaigns such as phishing, distributed denial-of-service (DDoS) attacks, trojans, spam, etc. A large body of research has been accomplished on botnet detection, but recent security incidents show that several challenges remain to be addressed, such as the ability to develop detectors that can cope with new types of botnets. In this paper, we propose BotGM, a new approach to detecting botnet activities based on behavioral analysis of network traffic flows. BotGM identifies network traffic behavior using graph-based mining techniques to detect botnet behaviors, and models the dependencies among flows in order to trace back their root causes. We applied BotGM to a large, publicly available dataset of botnet network flows, where it detects various botnet behaviors with high accuracy and without any prior knowledge of them.
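To make the idea of the abstract concrete (a behavior graph built per host from flow records, an inexact graph distance between hosts, an unsupervised rule that needs no labelled botnet traffic, and a trace-back from the graph to the endpoint the rest of the activity depends on), here is an added, self-contained example. It is not BotGM's own algorithm and not code from the paper: the graph construction (consecutive flows of a host become edges between contacted endpoints), the Jaccard-based node/edge distance, the "synchronized group" rule with its threshold `tau`, and the out-weight heuristic in `root_cause` are all assumptions chosen for illustration, and the flow records are constructed with RFC 5737 documentation addresses.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed flow records (ts, src, dst, dport); documentation IPs, not real traffic.
DNS = ("192.0.2.53", 53)
C2 = ("198.51.100.7", 8080)
FLOWS = [
    # three workstations with varied, human-looking activity
    (0, "10.0.0.11", *DNS), (2, "10.0.0.11", "203.0.113.10", 443), (30, "10.0.0.11", *DNS),
    (33, "10.0.0.11", "203.0.113.20", 443), (90, "10.0.0.11", "203.0.113.30", 80),
    (120, "10.0.0.11", "203.0.113.10", 443),
    (5, "10.0.0.12", *DNS), (7, "10.0.0.12", "203.0.113.40", 443),
    (60, "10.0.0.12", "203.0.113.20", 443), (70, "10.0.0.12", *DNS), (75, "10.0.0.12", "203.0.113.50", 22),
    (1, "10.0.0.13", "203.0.113.60", 443), (40, "10.0.0.13", *DNS),
    (42, "10.0.0.13", "203.0.113.70", 443), (100, "10.0.0.13", "203.0.113.10", 443),
    # two hosts repeating the same beacon-then-act pattern against one endpoint
    (0, "10.0.0.21", *C2), (60, "10.0.0.21", *C2), (120, "10.0.0.21", *C2),
    (125, "10.0.0.21", "198.51.100.21", 25), (126, "10.0.0.21", "198.51.100.22", 25),
    (180, "10.0.0.21", *C2), (240, "10.0.0.21", *C2),
    (10, "10.0.0.22", *C2), (70, "10.0.0.22", *C2), (130, "10.0.0.22", *C2),
    (135, "10.0.0.22", "198.51.100.21", 25), (136, "10.0.0.22", "198.51.100.22", 25),
    (190, "10.0.0.22", *C2), (250, "10.0.0.22", *C2),
]


def build_behavior_graphs(flows):
    """One behavior graph per source host (assumed construction, not BotGM's).
    Nodes: contacted (dst, dport) endpoints. Edges: previous endpoint -> next endpoint in
    time order, with multiplicity, so periodic beaconing becomes a heavy self-loop and
    'contacting X is followed by contacting Y' becomes a heavy edge (flow dependency)."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        per_src[src].append((ts, (dst, dport)))
    graphs = {}
    for src, seq in per_src.items():
        endpoints = [ep for _, ep in sorted(seq)]
        graphs[src] = {"nodes": set(endpoints),
                       "edges": Counter(zip(endpoints, endpoints[1:]))}
    return graphs


def graph_distance(g1, g2):
    """Inexact graph distance in [0, 1]: mean of node-set and edge-set Jaccard distances."""
    def jaccard_distance(a, b):
        union = a | b
        return 0.0 if not union else 1.0 - len(a & b) / len(union)
    return (jaccard_distance(g1["nodes"], g2["nodes"])
            + jaccard_distance(set(g1["edges"]), set(g2["edges"]))) / 2


def find_synchronized_groups(graphs, tau=0.2):
    """Unsupervised rule (assumption): distinct hosts whose behavior graphs are nearly
    identical (distance <= tau) form a synchronized group, which is rare for human-driven
    hosts and typical of bots following the same command logic. Union-find clustering."""
    hosts = sorted(graphs)
    parent = {h: h for h in hosts}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]   # path compression
            h = parent[h]
        return h

    for a, b in combinations(hosts, 2):
        if graph_distance(graphs[a], graphs[b]) <= tau:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for h in hosts:
        groups[find(h)].append(h)
    return sorted(g for g in groups.values() if len(g) >= 2)


def root_cause(graph):
    """Trace-back heuristic (assumption): the endpoint whose contacts most often precede
    the host's other flows, i.e. the node with the largest weighted out-degree."""
    out_weight = Counter()
    for (prev, _nxt), n in graph["edges"].items():
        out_weight[prev] += n
    return out_weight.most_common(1)[0][0] if out_weight else None


if __name__ == "__main__":
    graphs = build_behavior_graphs(FLOWS)
    for group in find_synchronized_groups(graphs):
        print("synchronized hosts:", group, "root cause:", root_cause(graphs[group[0]]))
```

Run as a script it reports the two hosts sharing the beacon-then-act graph and names the beaconed endpoint as the root cause; the three workstations stay unflagged because their graphs share few nodes and no edges. On real flow data the same skeleton needs a time window per graph and a `tau` tuned on the benign distance distribution, and hosts that legitimately share a sequence (e.g. an update server followed by a CDN) would need whitelisting.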
