
The effects of feature selection on the classification of encrypted botnet

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

Many applications today use an encrypted channel to secure their communication and transactions. However, that security is often challenged by adversaries such as botnets, which leverage the encrypted channel both to launch attacks and to amplify their impact. The number of botnet attacks carried over encrypted channels is increasing and continues to cause substantial financial loss. This study proposes an encrypted-botnet detection technique based on packet header analysis. The technique requires neither deep packet inspection nor intensive traffic analysis; it does, however, require analysis of the features taken from the packet header that are essential for detection. The study sets out to show that the features selected can significantly affect the classification of encrypted botnet traffic, so this paper focuses on the effects of feature selection on that classification. Two classification modes are used (full training and 10-fold cross-validation) with two feature sets: the seven features (7-features) extracted from the packet header, and the three features (3-features) that remain after feature selection, since only three of the seven receive a non-zero weight and are therefore the most significant of the extracted features. Several machine learning algorithms are used for the classification. Overall, the results show that classification with the three most significant features yields a higher true positive rate than classification with all seven features.
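The pipeline the abstract describes, as an added example that is not the paper's own code: seven header-derived feature names are assumed (the paper's actual seven are not listed on this page), the flow records are constructed, information gain with a 0.1-bit threshold stands in for the paper's unspecified feature-weighting step, and a Gaussian naive Bayes classifier is evaluated in both full-training and 10-fold cross-validation mode, reporting the true positive rate for the 7-feature and the selected-feature sets. The numbers it produces describe the synthetic data only and are not the paper's results.

```python
"""Feature selection for encrypted-botnet classification from packet-header
features. Added example, not the paper's code: the feature names, synthetic
records, IG threshold and classifier are all assumptions."""
import math
import random
from collections import Counter, defaultdict
from statistics import mean, pvariance

# Assumed header-derived features; the paper's real seven are not on this page.
FEATURE_NAMES = ["pkt_len", "ttl", "src_port", "dst_port", "ip_flags", "tcp_window", "tos"]
IG_THRESHOLD = 0.1  # bits; a feature at or below this is treated as "no weight" (assumption)


def make_dataset(n_per_class=150, seed=7):
    """Constructed records: label 1 = botnet C&C over TLS, 0 = benign TLS.
    Three features differ by class; the other four are drawn identically."""
    rng = random.Random(seed)
    rows = []
    for label in (0, 1):
        for _ in range(n_per_class):
            if label == 1:  # small, regular beacon packets from one OS build
                pkt_len, ttl, win = rng.gauss(150, 35), rng.gauss(64, 3), rng.gauss(8192, 1500)
            else:           # bulkier web content from varied servers
                pkt_len, ttl, win = rng.gauss(500, 120), rng.gauss(115, 8), rng.gauss(29200, 8000)
            src_port = rng.uniform(1024, 65535)         # identical for both classes
            dst_port = rng.choice([443, 443, 443, 8443])
            ip_flags = rng.choice([0, 2])               # DF bit set or not
            tos = rng.uniform(0, 64)
            rows.append(([pkt_len, ttl, src_port, dst_port, ip_flags, win, tos], label))
    rng.shuffle(rows)
    return rows


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def info_gain(rows, fidx, bins=10):
    """Information gain of one feature after equal-width binning: its weight."""
    values = [feats[fidx] for feats, _ in rows]
    lo, width = min(values), (max(values) - min(values)) / bins or 1.0
    buckets = defaultdict(list)
    for feats, label in rows:
        buckets[min(int((feats[fidx] - lo) / width), bins - 1)].append(label)
    conditional = sum(len(ls) / len(rows) * entropy(ls) for ls in buckets.values())
    return entropy([label for _, label in rows]) - conditional


def select_features(rows, threshold=IG_THRESHOLD):
    """Weight every feature; keep the indices whose weight clears the threshold."""
    weights = {name: info_gain(rows, i) for i, name in enumerate(FEATURE_NAMES)}
    selected = [i for i, name in enumerate(FEATURE_NAMES) if weights[name] > threshold]
    return weights, selected


def train_nb(rows, fidxs):
    """Gaussian naive Bayes: per-class prior plus (mean, variance) per feature."""
    model = {}
    for label in (0, 1):
        subset = [feats for feats, l in rows if l == label]
        columns = ([feats[f] for feats in subset] for f in fidxs)
        stats = [(mean(col), pvariance(col) + 1e-6) for col in columns]
        model[label] = (len(subset) / len(rows), stats)
    return model


def predict(model, feats, fidxs):
    best, best_lp = None, -math.inf
    for label, (prior, stats) in model.items():
        lp = math.log(prior)
        for f, (mu, var) in zip(fidxs, stats):
            lp += -0.5 * math.log(2 * math.pi * var) - (feats[f] - mu) ** 2 / (2 * var)
        if lp > best_lp:
            best, best_lp = label, lp
    return best


def true_positive_rate(model, rows, fidxs):
    """Share of botnet records (label 1) that the model flags as botnet."""
    positives = [feats for feats, label in rows if label == 1]
    return sum(predict(model, feats, fidxs) == 1 for feats in positives) / len(positives)


def full_training_tpr(rows, fidxs):
    """Full-training mode: train and evaluate on the same records."""
    return true_positive_rate(train_nb(rows, fidxs), rows, fidxs)


def cross_val_tpr(rows, fidxs, k=10):
    """k-fold mode: each fold is scored by a model trained on the other k-1."""
    folds = [rows[i::k] for i in range(k)]
    tp = total = 0
    for i, test in enumerate(folds):
        train = [r for j, fold in enumerate(folds) if j != i for r in fold]
        model = train_nb(train, fidxs)
        positives = [feats for feats, label in test if label == 1]
        tp += sum(predict(model, feats, fidxs) == 1 for feats in positives)
        total += len(positives)
    return tp / total


def run_experiment(seed=7):
    rows = make_dataset(seed=seed)
    weights, selected = select_features(rows)
    all_feats = list(range(len(FEATURE_NAMES)))
    return {
        "weights": weights,
        "selected": [FEATURE_NAMES[i] for i in selected],
        "tpr_full_all": full_training_tpr(rows, all_feats),
        "tpr_full_selected": full_training_tpr(rows, selected),
        "tpr_cv_all": cross_val_tpr(rows, all_feats),
        "tpr_cv_selected": cross_val_tpr(rows, selected),
    }


if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(key, value)
```

On the constructed data the three class-dependent features get a weight near 1 bit and the four identically distributed ones stay well under the threshold, so the selected set is exactly the informative three; the cross-validation figures are the ones to compare, since full-training TPR is optimistic by construction. Swapping `make_dataset` for real header features parsed from a capture is the only change needed to run the same comparison on live traffic.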




Acknowledgements

This research is supported by the Universiti Sains Malaysia through Research University (RUI) Grant, titled “Enhancing Botnet Detection Efficiency and Accuracy using Machine Learning Techniques” (Account Number 1001/PKOMP/8014017).


Corresponding author

Correspondence to Zahian Ismail.


About this article


Cite this article

Ismail, Z., Jantan, A., Yusoff, M. et al. The effects of feature selection on the classification of encrypted botnet. J Comput Virol Hack Tech 17, 61–74 (2021). https://doi.org/10.1007/s11416-020-00367-7


  • DOI: https://doi.org/10.1007/s11416-020-00367-7
