
A Behavior-Based Method for Distinguishing the Type of C&C Channel

  • Conference paper
  • In: Algorithms and Architectures for Parallel Processing (ICA3PP 2019)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 11944)

Abstract

The botnet is one of the most dangerous threats to the Internet. The C&C channel is an essential characteristic of the botnet and has evolved from the C&S type to the P2P type. Distinguishing the type of C&C channel correctly and in a timely manner, and then taking appropriate countermeasures, is of great importance for eliminating botnet threats.

In this paper, we propose a behavior-based method to classify the type of C&C channel. In our method, we put forward a series of features relevant to C&C behavior, apply a feature selection approach to choose the most significant features, use the Random Forest algorithm to build an inference model, and make the final type determination based on the per-time-slot results and their temporal relationship. The experimental results show not only that our method can distinguish the type of C&C channel with an accuracy of 100%, but also that our feature selection approach can effectively reduce the number of required features and the model training time while maintaining the highest accuracy, and thus brings about significant improvements in method efficiency. Moreover, the comparison with another method further demonstrates the advantages of our work.



Acknowledgement

We thank the anonymous reviewers for their invaluable feedback. Our work was supported by the National Key R&D Program of China grant no. 2017YFB0801900.

Corresponding author: Zhixin Shi


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Jiang, J., Yin, Q., Shi, Z., Xu, G., Kang, X. (2020). A Behavior-Based Method for Distinguishing the Type of C&C Channel. In: Wen, S., Zomaya, A., Yang, L. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2019. Lecture Notes in Computer Science, vol 11944. Springer, Cham. https://doi.org/10.1007/978-3-030-38991-8_41
