DOE PAGES title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Botnet behaviour analysis: How would a data analytics-based system with minimum a priori information perform?

Journal Article · · International Journal of Network Management
DOI: https://doi.org/10.1002/nem.1977 · OSTI ID:1543482

Botnets, as one of the most aggressive threats, has used different techniques, topologies, and communication protocols in different stages of their lifecycle since 2003. Hence, identifying botnets has become very challenging specifically given that they can upgrade their methodology at any time. Various detection approaches have been proposed by the cyber-security researchers, focusing on different aspects of these threats. In this work, 5 different botnet detection approaches are investigated. These systems are selected based on the technique used and type of data used where 2 are public rule–based systems (BotHunter and Snort) and the other 3 use machine learning algorithm with different feature extraction methods (packet payload based and traffic flow based). On the other hand, 4 of these systems are based on a priori knowledge while one is using minimum a priori information. The objective here is to evaluate the effectiveness of these approaches under different scenarios (eg, multi-botnet and single-botnet classifications) as well as exploring how a system with minimum a priori information would perform. The goal is to investigate if a system with minimum a priori information could result in a competitive performance compared to systems using a priori knowledge. The evaluation is shown on 24 publicly available botnet data sets. Results indicate that a machine learning–based system with minimum a priori information not only achieves a very high performance but also generalizes much better than the other systems evaluated on a wide range of botnet structures (from centralized to decentralized botnets).

Research Organization:
Lawrence Berkeley National Laboratory (LBNL), Berkeley, CA (United States). National Energy Research Scientific Computing Center (NERSC)
Sponsoring Organization:
USDOE
OSTI ID:
1543482
Journal Information:
International Journal of Network Management, Vol. 27, Issue 4; ISSN 1055-7148
Country of Publication:
United States
Language:
English
Citation Metrics:
Cited by: 7 works
Citation information provided by
Web of Science

References (12)

A fuzzy pattern-based filtering algorithm for botnet detection journal October 2011
An empirical comparison of botnet detection methods journal September 2014
Botnet Detection Based on Network Behavior book January 2008
Machine learning algorithms for accurate flow-based network traffic classification: Evaluation and comparison journal June 2010
Benchmarking the Effect of Flow Exporters and Protocol Filters on Botnet Traffic Classification journal December 2016
An Overview of IP Flow-Based Intrusion Detection journal January 2010
CoCoSpot: Clustering and recognizing botnet command and control channels using traffic analysis journal February 2013
On the Effectiveness of Different Botnet Detection Approaches book January 2015
Clustering botnet communication traffic based on n-gram feature selection journal March 2011
Botnet detection based on traffic behavior analysis and flow intervals journal November 2013
An Effective Network Traffic Classification Method with Unknown Flow Detection journal June 2013
Coevolutionary bid-based genetic programming for problem decomposition in classification journal July 2008

Cited By (4)

Botnet detection based on network flow summary and deep learning journal July 2018
Deep learning to detect botnet via network flow summaries journal July 2018
A novel network virtualization based on data analytics in connected environment journal October 2018
An Adaptive Multi-Layer Botnet Detection Technique Using Machine Learning Classifiers journal June 2019

Figures / Tables (15)