A review on graph-based approaches for network security monitoring and botnet detection

  • Survey
International Journal of Information Security

Abstract

This survey paper provides a comprehensive overview of recent research and development in network security that uses graphs and graph-based data representation and analytics. The paper focuses on the graph-based representation of network traffic records and the application of graph-based analytics in intrusion detection and botnet detection. The paper aims to answer several questions related to graph-based approaches in network security, including the types of graphs used to represent network security data, the approaches used to analyze such graphs, the metrics used for detection and monitoring, and the reproducibility of existing works. The paper presents a survey of graph models used to represent, store, and visualize network security data, a survey of the algorithms and approaches used to analyze such data, and an enumeration of the most important graph features used for network security analytics for monitoring and botnet detection. The paper also discusses the challenges and limitations of using graph-based approaches in network security and identifies potential future research directions. Overall, this survey paper provides a valuable resource for researchers and practitioners in the field of network security who are interested in using graph-based approaches for analyzing and detecting malicious activities in networks.

Research data policy and data availability

Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.

Notes

  1. https://grasec.uni.lu/.

  2. https://www.fvv.um.si/eicc2022/cnacys.html.

  3. A network is said to be assortative when high degree nodes are, on average, connected to other nodes with high degree and low degree nodes are, on average, connected to other nodes with low degree [85].

References

  1. Akoglu, L., Tong, H., Koutra, D.: Graph based anomaly detection and description: a survey. Data Min. Knowl. Disc. 29(3), 626–688 (2014)

  2. Amini, P., Araghizadeh, M.A., Azmi, R.: A survey on botnet: classification, detection and defense. In: International Electronics Symposium (IES), pp. 233–238 (2015)

  3. Amrouche, F., Lagraa, S., Kaiafas, G., State, R.: Graph-based malicious login events investigation. In: IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 63–66 (2019)

  4. Apache Software Foundation: Apache Spark. https://spark.apache.org/. Accessed 1 Nov 2021

  5. Apache Software Foundation: Apache TinkerPop. https://tinkerpop.apache.org/. Accessed 1 Nov 2021

  6. Apache Software Foundation: GraphX. https://spark.apache.org/graphx/. Accessed 1 Nov 2021

  7. Apruzzese, G., Pierazzi, F., Colajanni, M., Marchetti, M.: Detection and threat prioritization of pivoting attacks in large networks. IEEE Trans. Emerg. Top. Comput. 8(2), 404–415 (2020)

  8. ArangoDB. https://www.arangodb.com. Accessed 1 Nov 2021

  9. Bai, J., Shi, Q., Mu, S.: A malware and variant detection method using function call graph isomorphism. Secur. Commun. Netw. 2019, 1043794:1–1043794:12 (2019)

  10. Berger, A., D’Alconzo, A., Gansterer, W.N., Pescapé, A.: Mining agile DNS traffic using graph analysis for cybercrime detection. Comput. Netw. 100, 28–44 (2016)

  11. Böhm, F., Menges, F., Pernul, G.: Graph-based visual analytics for cyber threat intelligence. Cybersecurity 1(1), 16 (2018)

  12. Bou-Harb, E., Debbabi, M., Assi, C.: Big data behavioral analytics meet graph theory: on effective botnet takedowns. IEEE Netw. 31(1), 18–26 (2017)

  13. Bowman, B., Laprade, C., Ji, Y., Huang, H.H.: Detecting lateral movement in enterprise computer networks with unsupervised graph AI. In: 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020), pp. 257–268 (2020)

  14. Bowman, B., Huang, H.H.: Towards next-generation cybersecurity with graph AI. SIGOPS Oper. Syst. Rev. 55(1), 61–67 (2021)

  15. Bunke, H., Allerman, G.: Inexact graph matching for structural pattern recognition. Pattern Recognit. Lett. 1(4), 245–253 (1983)

  16. Caswell, B., Foster, J.C., Russell, R., Beale, J., Posluns, J.: Snort 2.0 Intrusion Detection. Syngress Publishing, Oxford (2003)

  17. Cayley. https://cayley.io. Accessed 1 Nov 2021

  18. Čermák, M., Šrámková, D.: GRANEF: utilization of a graph database for network forensics. In: Proceedings of the 18th International Conference on Security and Cryptography, pp. 785–790. SCITEPRESS (2021)

  19. CESNET and Masaryk University: SABU. https://sabu.cesnet.cz/en/start. Accessed 1 Nov 2021

  20. Chowdhury, S., Khanzadeh, M., Akula, R., Zhang, F., Zhang, S., Medal, H., Marufuzzaman, M., Bian, L.: Botnet detection using graph-based feature clustering. J. Big Data 4(1), 14 (2017)

  21. CISCO: global—2021 forecast highlights. https://www.cisco.com/c/dam/m/en_us/solutions/service-provider/vni-forecast-highlights/pdf/Global_2021_Forecast_Highlights.pdf (2021)

  22. Data Collection, C., Sharing. https://www.caida.org/data/. Accessed 1 Nov 2021

  23. Daya, A.A., Salahuddin, M.A., Limam, N., Boutaba, R.: A graph-based machine learning approach for bot detection. In: IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 144–152 (2019)

  24. Daya, A.A., Salahuddin, M.A., Limam, N., Boutaba, R.: BotChase: graph-based bot detection using machine learning. IEEE Trans. Netw. Serv. Manag. 17(1), 15–29 (2020)

  25. DGraph. https://dgraph.io. Accessed 1 Nov 2021

  26. Essawy, B.T., Goodall, J.L., Voce, D., Morsy, M.M., Sadler, J.M., Choi, Y.D., Tarboton, D.G., Malik, T.: A taxonomy for reproducible and replicable research in environmental modelling. Environ. Model. Softw. 134, 104753 (2020)

  27. Evrard, L., François, J., Colin, J.: Attacker behavior-based metric for security monitoring applied to darknet analysis. In: IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 89–97 (2019)

  28. Fitch, J.A., III., Hoffman, L.J.: A shortest path network security model. Comput. Secur. 12(2), 169–189 (1993). https://doi.org/10.1016/0167-4048(93)90100-J

  29. Fredj, O.B.: A realistic graph-based alert correlation system. Secur. Commun. Netw. 8(15), 2477–2493 (2015)

  30. Gamachchi, A., Boztas, S.: Insider threat detection through attributed graph clustering. In: IEEE Trustcom/BigDataSE/ICESS, pp. 112–119 (2017)

  31. Gamachchi, A., Sun, L., Boztas, S.: Graph based framework for malicious insider threat detection. In: 50th Hawaii International Conference on System Sciences, HICSS, pp. 1–10 (2017)

  32. García, S., Grill, M., Stiborek, J., Zunino, A.: An empirical comparison of botnet detection methods. Comput. Secur. 45, 100–123 (2014)

  33. García, S., Zunino, A., Campo, M.: Survey on network-based botnet detection methods. Secur. Commun. Netw. 7(5), 878–903 (2014)

  34. Gligor, V.D.: A note on denial-of-service in operating systems. IEEE Trans. Softw. Eng. SE–10(3), 320–324 (1984). https://doi.org/10.1109/TSE.1984.5010241

  35. Grover, A., Leskovec, J.: node2vec: scalable feature learning for networks. In: Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Francisco, CA, USA, pp. 855–864 (2016)

  36. Haas, S., Fischer, M.: GAC: graph-based alert correlation for the detection of distributed multi-step attacks. In: Proceedings of the 33rd Annual ACM Symposium on Applied Computing, SAC ’18, pp. 979–988. Association for Computing Machinery (2018)

  37. Haas, S., Wilkens, F., Fischer, M.: Efficient attack correlation and identification of attack scenarios based on network-motifs. In: 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC) (2019). https://doi.org/10.1109/IPCCC47392.2019.8958734

  38. Haas, S., Fischer, M.: On the alert correlation process for the detection of multi-step attacks and a graph-based realization. SIGAPP Appl. Comput. Rev. 19(1), 5–19 (2019)

  39. Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997)

  40. Husák, M., Čermák, M.: A graph-based representation of relations in network security alert sharing platforms. In: 2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM), pp. 891–892 (2017)

  41. Husák, M., Komárková, J., Bou-Harb, E., Celeda, P.: Survey of attack projection, prediction, and forecasting in cyber security. IEEE Commun. Surv. Tutor. 21(1), 640–660 (2019)

  42. Jaikumar, P., Kak, A.C.: A graph-theoretic framework for isolating botnets in a network. Secur. Commun. Netw. 8(16), 2605–2623 (2015)

  43. JanusGraph. http://janusgraph.org. Accessed 1 Nov 2021

  44. Kaiafas, G., Varisteas, G., Lagraa, S., State, R., Nguyen, C.D., Ries, T., Ourdane, M.: Detecting malicious authentication events trustfully. In: 2018 IEEE/IFIP Network Operations and Management Symposium (NOMS) (2018)

  45. Kao, M.Y.: Encyclopedia of Algorithms. Springer, New York (2007)

  46. Kaynar, K.: A taxonomy for attack graph generation and usage in network security. J. Inf. Secur. Appl. 29, 27–56 (2016)

  47. Kent, A.D.: Comprehensive, Multi-Source Cyber-Security Events. Los Alamos National Laboratory (2015). https://doi.org/10.17021/1179829

  48. Kiouche, A.E., Lagraa, S., Amrouche, K., Seba, H.: A simple graph embedding for anomaly detection in a stream of heterogeneous labeled graphs. Pattern Recognit. 112, 107746 (2021)

  49. Lagraa, S., François, J., Lahmadi, A., Minier, M., Hammerschmidt, C.A., State, R.: BotGM: unsupervised graph mining to detect botnets in traffic flows. In: Cyber Security in Networking Conference, CSNet (2017)

  50. Lagraa, S., François, J.: Knowledge discovery of port scans from darknet. In: 2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM), pp. 935–940 (2017)

  51. Lagraa, S., State, R.: What database do you choose for heterogeneous security log events analysis? In: 2021 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 812–817. IEEE (2021)

  52. Lagraa, S., Chen, Y., François, J.: Deep mining port scans from darknet. Int. J. Netw. Manag. 29(3), e2065 (2019)

  53. Lal, M.: Neo4J Graph Data Modeling. Packt Publishing, Birmingham (2015)

  54. Lallie, H.S., Debattista, K., Bal, J.: A review of attack graph and attack tree visual syntax in cyber security. Comput. Sci. Rev. 35, 100219 (2020)

  55. Leichtnam, L., Totel, E., Prigent, N., Mé, L.: Sec2graph: network attack detection based on novelty detection on graph structured data. In: Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 238–258. Springer (2020)

  56. Li, Z., Chen, Q.A., Yang, R., Chen, Y., Ruan, W.: Threat detection and investigation with system-level provenance graphs: a survey. Comput. Secur. 106, 102282 (2021)

  57. Li, S., Zhou, Q., Zhou, R., Lv, Q.: Intelligent malware detection based on graph convolutional network. J. Supercomput. 78(3), 4182–4198 (2022)

  58. Liu, L., De Vel, O., Han, Q., Zhang, J., Xiang, Y.: Detecting and preventing cyber insider threats: a survey. IEEE Commun. Surv. Tutor. 20(2), 1397–1417 (2018)

  59. Neo4j. https://neo4j.com/. Accessed 1 Nov 2021

  60. Neo4j: cypher query language. https://neo4j.com/developer/cypher/. Accessed 1 Nov 2021

  61. Newman, M.E.: Modularity and community structure in networks. Proc. Natl. Acad. Sci. USA 103, 8577–8582 (2006)

  62. Noel, S., Harley, E., Tam, K.H., Gyor, G.: Big-Data Architecture for Cyber Attack Graphs Representing Security Relationships in NoSQL Graph Databases (2015)

  63. Noel, S., Harley, E., Tam, K.H., Limiero, M., Share, M.: CyGraph: graph-based analytics and visualization for cybersecurity. In: Handbook of Statistics, vol. 35, pp. 117–167. Elsevier (2016)

  64. Noel, S.: A Review of Graph Approaches to Network Security Analytics, pp. 300–323. Springer, New York (2018)

  65. OrientDB. https://orientdb.org. Accessed 1 Nov 2021

  66. Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)

  67. Perozzi, B., Al-Rfou, R., Skiena, S.: DeepWalk: Online Learning of Social Representations, pp. 701–710. ACM (2014)

  68. Quiña Mera, A., Fernandez, P., García, J.M., Ruiz-Cortés, A.: GraphQL: a systematic mapping study. ACM Comput. Surv. 55(10), 25 (2023). https://doi.org/10.1145/3561818

  69. Roussinov, D.G., Chen, H.: A scalable self-organizing map algorithm for textual classification: a neural network approach to thesaurus generation (1998)

  70. Sadreazami, H., Mohammadi, A., Asif, A., Plataniotis, K.N.: Distributed-graph-based statistical approach for intrusion detection in cyber-physical systems. IEEE Trans. Signal Inf. Process. Netw. 4(1), 137–147 (2018)

  71. Sanfeliu, A., Fu, K.: A distance measure between attributed relational graphs for pattern recognition. IEEE Trans. Syst. Man Cybern. B 13(3), 353–363 (1983)

  72. SANS Internet Storm Center: DShield. https://secure.dshield.org/. Accessed 1 Nov 2021

  73. Shang, Y., Yang, S., Wang, W.: Botnet detection with hybrid analysis on flow based and graph based features of network traffic. In: Cloud Computing and Security, pp. 612–621. Springer (2018)

  74. Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP 2018), pp. 108–116 (2018)

  75. Shevchenko, S., Zhdanova, Y., Skladannyi, P., Spasiteleva, S.: Mathematical methods in cybersecurity: graphs and their application in information and cybersecurity. Cybersecur. Educ. Sci. Tech. 1, 25 (2021). https://doi.org/10.28925/2663-4023.2021.13.133144

  76. Sinha, K., Viswanathan, A., Bunn, J.: Tracking temporal evolution of network activity for botnet detection (2019). https://doi.org/10.48550/ARXIV.1908.03443. arXiv:1908.03443

  77. Stratosphere Lab: The CTU-13 Dataset. A Labeled Dataset with Botnet, Normal and Background traffic. https://www.stratosphereips.org/datasets-ctu13. Accessed 1 Nov 2021

  78. Tiddi, I., Schlobach, S.: Knowledge graphs as tools for explainable machine learning: a survey. Artif. Intell. 103627 (2021)

  79. Umer, M.F., Sher, M., Bi, Y.: Flow-based intrusion detection: techniques and challenges. Comput. Secur. 70, 238–254 (2017)

  80. Venkatesh, B., Choudhury, S.H., Nagaraja, S., Balakrishnan, N.: BotSpot: fast graph based identification of structured P2P bots. J. Comput. Virol. Hack. Tech. 11(4), 247–261 (2015)

  81. Wang, J., Paschalidis, I.C.: Botnet detection using social graph analysis. In: 2014 52nd Annual Allerton Conference on Communication, Control, and Computing (Allerton), pp. 393–400 (2014)

  82. Wang, J., Paschalidis, I.C.: Botnet detection based on anomaly and community detection. IEEE Trans. Control Netw. Syst. 4(2), 392–404 (2017)

  83. Wang, W., Shang, Y., He, Y., Li, Y., Liu, J.: BotMark: automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors. Inf. Sci. 511, 284–296 (2020)

  84. Wüchner, T., Ochoa, M., Pretschner, A.: Malware detection with quantitative data flow graphs. In: 9th ACM Symposium on Information, Computer and Communications Security, pp. 271–282. ACM (2014)

  85. Yang, R.: Adjusting assortativity in complex networks. In: Proceedings of the 2014 ACM Southeast Regional Conference, Kennesaw, GA, USA, pp. 2:1–2:5 (2014)

  86. Zeek: Zeek Network Security Monitor tool. https://zeek.org/. Accessed 1 Nov 2021

Funding

For the research leading to these results, Hamida Seba received funding from Agence Nationale de la Recherche (ANR) under Grant Agreement No. ANR-20-CE39-0008, and Radu State received funding from Fonds National de la Recherche (FNR) for the CAFFE project. Martin Husák was supported by ERDF “CyberSecurity, CyberCrime, and Critical Information Infrastructures Center of Excellence” (No. CZ.02.1.01/0.0/0.0/16_019/0000822).

Author information

Contributions

All authors contributed to the study conception and design. The first draft of the manuscript was written by SL, and all authors commented on previous versions of the manuscript. All authors read and approved the final manuscript. Here are the details. SL and MH, as experts in network security and machine learning at Fujitsu and Masaryk University, respectively, wrote the main manuscript text and figures. HS, as an expert in graph theory, contributed to and wrote a machine learning and graph theory part with a machine learning point of view. SV, as a cyber security expert at Citibank, provided a security overview by reviewing each step of the writing process. RS, as an expert in network and cybersecurity, reviewed the manuscript text by providing a cybersecurity and machine learning point of view. MO, as an expert and head of cybersecurity at Fujitsu, reviewed the manuscript text by providing a cybersecurity point of view. All authors reviewed the manuscript.

Corresponding author

Correspondence to Sofiane Lagraa.

Ethics declarations

Conflict of interest

All authors certify that they have no affiliations with or involvement in any organization or entity with any financial interest or non-financial interest in the subject matter or materials discussed in this manuscript.

Ethical approval

All authors declare that they adhere to the ethical principles of the journal.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Lagraa, S., Husák, M., Seba, H. et al. A review on graph-based approaches for network security monitoring and botnet detection. Int. J. Inf. Secur. 23, 119–140 (2024). https://doi.org/10.1007/s10207-023-00742-7
