Botnet detection based on network flow analysis using inverse statistics
Abstract
A botnet is a network of infected computers remotely controlled by a cybercriminal, called the botmaster, who aims to carry out massive cyberattacks such as DDoS, spam and information theft. Traditional botnet detection methods, usually signature-based, are unable to detect unknown botnets. Behavior-based analysis is promising for detecting current botnet trends, which are constantly evolving. This article proposes a botnet detection mechanism based on the analysis of network flow behavior. The technique used to detect botnets was recently developed and is called the Energy-based Flow Classifier (EFC). This technique uses inverse statistics to detect anomalies. Two heterogeneous datasets, CTU-13 and ISOT HTTP, were used to evaluate the efficiency of the generated model, and the results were compared with several traditional one-class and two-class classifiers. The results show that EFC produced more stable results regardless of the domain, unlike the other algorithms tested.
