Abstract
Botnets have become one of the most serious threats to cyber infrastructure. Many existing botnet detection approaches become invalid as botnet structures grow more sophisticated or traffic payloads are encrypted. In this work, we propose an effective anomaly-based botnet detection method by hybrid analysis of flow-based and graph-based features of network traffic. First, from network traffic we extract 15 statistically aggregated flow-based features as well as 7 types of graph-based features, namely in-degree, out-degree, in-degree weight, out-degree weight, node betweenness centrality, local clustering coefficient and PageRank. Second, we employ K-means, k-NN and One-class SVM to detect bots based on the hybrid analysis of these two types of features. Finally, we collect a large volume of network traffic in a real computing environment by deploying 5 different botnets, including the newly propagated Mirai and others such as Athena and BlackEnergy. The extensive experimental results show that our method based on the hybrid analysis is better than the method of individual analysis in terms of detection accuracy. It achieves the best performance with an F-score of 96.62%. The experimental results also demonstrate the effectiveness of our method on the detection of novel botnets like Mirai, Athena and BlackEnergy.
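As an added illustration, not code from the paper, the following Python computes the seven graph-based features named in the abstract (in-degree, out-degree, in-degree weight, out-degree weight, betweenness centrality, local clustering coefficient and PageRank) from a constructed set of flow records. The sample flows, the host names, and the choices of unweighted, unnormalized betweenness (Brandes' algorithm) and unweighted PageRank with uniform dangling-node redistribution are assumptions of this example; the paper's exact definitions may differ.

```python
from collections import deque
from typing import Dict, List, Tuple

# Constructed sample flows (src, dst, bytes), not real traffic: bots B1..B3 report
# to a C&C host A, A pushes a command back to B1, B1 also contacts B2, and a
# benign host H fetches a page from web server W.
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("B1", "A", 100), ("B2", "A", 200), ("B3", "A", 300),
    ("A", "B1", 50), ("B1", "B2", 10), ("H", "W", 1000),
]


def build_graph(flows):
    """Aggregate flows into a directed weighted graph: succ[u][v] = total bytes u -> v."""
    succ: Dict[str, Dict[str, int]] = {}
    nodes = set()
    for src, dst, nbytes in flows:
        nodes.update((src, dst))
        succ.setdefault(src, {})
        succ[src][dst] = succ[src].get(dst, 0) + nbytes
    for n in nodes:          # sinks with no outgoing flows still need an entry
        succ.setdefault(n, {})
    return succ


def betweenness(succ):
    """Unnormalized directed betweenness centrality (Brandes, unweighted BFS)."""
    bc = {v: 0.0 for v in succ}
    for s in succ:
        stack, queue = [], deque([s])
        preds = {v: [] for v in succ}
        sigma = {v: 0 for v in succ}
        dist = {v: -1 for v in succ}
        sigma[s], dist[s] = 1, 0
        while queue:                      # BFS counting shortest paths from s
            v = queue.popleft()
            stack.append(v)
            for w in succ[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = {v: 0.0 for v in succ}
        while stack:                      # accumulate dependencies in reverse BFS order
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc


def clustering(succ):
    """Local clustering coefficient on the undirected version of the graph."""
    und = {v: set() for v in succ}
    for u in succ:
        for v in succ[u]:
            if u != v:
                und[u].add(v)
                und[v].add(u)
    cc = {}
    for v, nbrs in und.items():
        k = len(nbrs)
        if k < 2:
            cc[v] = 0.0
            continue
        links = sum(1 for a in nbrs for b in nbrs if a < b and b in und[a])
        cc[v] = links / (k * (k - 1) / 2)
    return cc


def pagerank(succ, d=0.85, iters=100):
    """Unweighted PageRank by power iteration; dangling mass is spread uniformly."""
    nodes = list(succ)
    n = len(nodes)
    pr = {v: 1.0 / n for v in nodes}
    for _ in range(iters):
        dangling = sum(pr[v] for v in nodes if not succ[v])
        new = {v: (1 - d) / n + d * dangling / n for v in nodes}
        for u in nodes:
            for v in succ[u]:
                new[v] += d * pr[u] / len(succ[u])
        pr = new
    return pr


def graph_features(flows):
    """Return the seven per-host graph features as a dict keyed by host."""
    succ = build_graph(flows)
    bc, cc, pr = betweenness(succ), clustering(succ), pagerank(succ)
    feats = {}
    for v in succ:
        in_edges = {u: succ[u][v] for u in succ if v in succ[u]}
        feats[v] = {
            "in_degree": len(in_edges),
            "out_degree": len(succ[v]),
            "in_weight": sum(in_edges.values()),
            "out_weight": sum(succ[v].values()),
            "betweenness": bc[v],
            "clustering": cc[v],
            "pagerank": pr[v],
        }
    return feats


if __name__ == "__main__":
    for host, f in sorted(graph_features(SAMPLE_FLOWS).items()):
        print(host, {k: round(x, 4) for k, x in f.items()})
```

On this constructed graph the C&C host A stands out on every centrality measure (highest in-degree and in-weight, highest betweenness and PageRank, a fractional clustering coefficient from the B1-B2 side channel), while the benign pair H/W score zero on betweenness and clustering; these per-host vectors are the kind of input the abstract's K-means, k-NN and One-class SVM stages would consume alongside the flow-based features.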
The work reported in this paper was supported in part by the National Key R&D Program of China under Grant 2017YFB0802805, in part by the Funds of Science and Technology on Electronic Information Control Laboratory under Grant K16GY00040, in part by the Scientific Research Foundation through the Returned Overseas Chinese Scholars, Ministry of Education of China, under Grant K14C300020, in part by the Fundamental Research Funds for the Central Universities of China under Grants K17JB00060 and K17JB00020, and in part by the Natural Science Foundation of China under Grants U1736114 and 61672092.
© 2018 Springer Nature Switzerland AG
Cite this paper
Shang, Y., Yang, S., Wang, W. (2018). Botnet Detection with Hybrid Analysis on Flow Based and Graph Based Features of Network Traffic. In: Sun, X., Pan, Z., Bertino, E. (eds) Cloud Computing and Security. ICCCS 2018. Lecture Notes in Computer Science, vol. 11064. Springer, Cham. https://doi.org/10.1007/978-3-030-00009-7_55
DOI: https://doi.org/10.1007/978-3-030-00009-7_55
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00008-0
Online ISBN: 978-3-030-00009-7