skip to main content
DOE PAGES title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Botnet behaviour analysis: How would a data analytics-based system with minimum a priori information perform?

Abstract

Botnets, as one of the most aggressive threats, has used different techniques, topologies, and communication protocols in different stages of their lifecycle since 2003. Hence, identifying botnets has become very challenging specifically given that they can upgrade their methodology at any time. Various detection approaches have been proposed by the cyber-security researchers, focusing on different aspects of these threats. In this work, 5 different botnet detection approaches are investigated. These systems are selected based on the technique used and type of data used where 2 are public rule–based systems (BotHunter and Snort) and the other 3 use machine learning algorithm with different feature extraction methods (packet payload based and traffic flow based). On the other hand, 4 of these systems are based on a priori knowledge while one is using minimum a priori information. The objective here is to evaluate the effectiveness of these approaches under different scenarios (eg, multi-botnet and single-botnet classifications) as well as exploring how a system with minimum a priori information would perform. The goal is to investigate if a system with minimum a priori information could result in a competitive performance compared to systems using a priori knowledge. The evaluation is shown on 24 publiclymore » available botnet data sets. Results indicate that a machine learning–based system with minimum a priori information not only achieves a very high performance but also generalizes much better than the other systems evaluated on a wide range of botnet structures (from centralized to decentralized botnets).« less

Authors:
ORCiD logo [1];  [1]
  1. Dalhousie Univ., Halifax, NS (Canada). Faculty of Computer Science
Publication Date:
Research Org.:
Lawrence Berkeley National Laboratory (LBNL), Berkeley, CA (United States). National Energy Research Scientific Computing Center (NERSC)
Sponsoring Org.:
USDOE
OSTI Identifier:
1543482
Resource Type:
Accepted Manuscript
Journal Name:
International Journal of Network Management
Additional Journal Information:
Journal Volume: 27; Journal Issue: 4; Journal ID: ISSN 1055-7148
Country of Publication:
United States
Language:
English
Subject:
computer science; telecommunications; botnet behavior; data analytics; machine learning; network flow analysis

Citation Formats

Haddadi, Fariba, and Zincir-Heywood, A. Nur. Botnet behaviour analysis: How would a data analytics-based system with minimum a priori information perform?. United States: N. p., 2017. Web. doi:10.1002/nem.1977.
Haddadi, Fariba, & Zincir-Heywood, A. Nur. Botnet behaviour analysis: How would a data analytics-based system with minimum a priori information perform?. United States. doi:10.1002/nem.1977.
Haddadi, Fariba, and Zincir-Heywood, A. Nur. Tue . "Botnet behaviour analysis: How would a data analytics-based system with minimum a priori information perform?". United States. doi:10.1002/nem.1977. https://www.osti.gov/servlets/purl/1543482.
@article{osti_1543482,
title = {Botnet behaviour analysis: How would a data analytics-based system with minimum a priori information perform?},
author = {Haddadi, Fariba and Zincir-Heywood, A. Nur},
abstractNote = {Botnets, as one of the most aggressive threats, has used different techniques, topologies, and communication protocols in different stages of their lifecycle since 2003. Hence, identifying botnets has become very challenging specifically given that they can upgrade their methodology at any time. Various detection approaches have been proposed by the cyber-security researchers, focusing on different aspects of these threats. In this work, 5 different botnet detection approaches are investigated. These systems are selected based on the technique used and type of data used where 2 are public rule–based systems (BotHunter and Snort) and the other 3 use machine learning algorithm with different feature extraction methods (packet payload based and traffic flow based). On the other hand, 4 of these systems are based on a priori knowledge while one is using minimum a priori information. The objective here is to evaluate the effectiveness of these approaches under different scenarios (eg, multi-botnet and single-botnet classifications) as well as exploring how a system with minimum a priori information would perform. The goal is to investigate if a system with minimum a priori information could result in a competitive performance compared to systems using a priori knowledge. The evaluation is shown on 24 publicly available botnet data sets. Results indicate that a machine learning–based system with minimum a priori information not only achieves a very high performance but also generalizes much better than the other systems evaluated on a wide range of botnet structures (from centralized to decentralized botnets).},
doi = {10.1002/nem.1977},
journal = {International Journal of Network Management},
number = 4,
volume = 27,
place = {United States},
year = {2017},
month = {5}
}

Journal Article:
Free Publicly Available Full Text
Publisher's Version of Record

Citation Metrics:
Cited by: 3 works
Citation information provided by
Web of Science

Figures / Tables:

Table I Table I: Packet-based approach– network features.

Save / Share:

Works referenced in this record:

A fuzzy pattern-based filtering algorithm for botnet detection
journal, October 2011


An empirical comparison of botnet detection methods
journal, September 2014


Clustering botnet communication traffic based on n-gram feature selection
journal, March 2011


Machine learning algorithms for accurate flow-based network traffic classification: Evaluation and comparison
journal, June 2010


Botnet detection based on traffic behavior analysis and flow intervals
journal, November 2013


An Effective Network Traffic Classification Method with Unknown Flow Detection
journal, June 2013


Benchmarking the Effect of Flow Exporters and Protocol Filters on Botnet Traffic Classification
journal, December 2016


An Overview of IP Flow-Based Intrusion Detection
journal, January 2010


CoCoSpot: Clustering and recognizing botnet command and control channels using traffic analysis
journal, February 2013


Coevolutionary bid-based genetic programming for problem decomposition in classification
journal, July 2008

  • Lichodzijewski, Peter; Heywood, Malcolm I.
  • Genetic Programming and Evolvable Machines, Vol. 9, Issue 4
  • DOI: 10.1007/s10710-008-9067-9

    Works referencing / citing this record:

    An Adaptive Multi-Layer Botnet Detection Technique Using Machine Learning Classifiers
    journal, June 2019

    • Khan, Riaz Ullah; Zhang, Xiaosong; Kumar, Rajesh
    • Applied Sciences, Vol. 9, Issue 11
    • DOI: 10.3390/app9112375