Botnet detection based on network flow analysis using inverse statistics
Abstract
A botnet is a network of infected computers that are remotely controlled by a cybercriminal, called the botmaster, whose goal is to carry out massive cyberattacks such as DDoS, spam and information theft. Traditional botnet detection methods, usually signature-based, are unable to detect unknown botnets. Behaviour-based analysis has shown promise for detecting current botnet trends, which are constantly evolving. This paper proposes a botnet detection mechanism based on the analysis of network flow behaviour. The technique used for botnet detection was recently developed and is called the Energy-based Flow Classifier (EFC). This technique uses inverse statistics for anomaly detection. Two heterogeneous datasets, CTU-13 and ISOT HTTP, were used to evaluate the efficiency of the generated model, and the results were compared with several traditional one-class and two-class classifiers. The results show that EFC obtained more stable results regardless of the domain, unlike the other algorithms tested.
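As an added illustration of the inverse-statistics idea behind EFC (example code written for this page, not the authors' implementation): a minimal mean-field inverse-Potts classifier trained on a single class of constructed, already-discretised benign flows. The feature count, the number of levels Q, the pseudocount ALPHA and the 95% energy threshold are assumptions.

```python
import math
from itertools import product

Q = 3        # discretisation levels per flow feature (assumed; the real EFC bins continuous features)
ALPHA = 0.5  # pseudocount weight regularising the frequencies (assumed value)

def invert(M):
    """Gauss-Jordan inverse with partial pivoting (pure Python, no numpy needed)."""
    n = len(M)
    A = [row[:] + [float(k == r) for k in range(n)] for r, row in enumerate(M)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[p] = A[p], A[c]
        A[c] = [v / A[c][c] for v in A[c]]
        for r in range(n):
            if r != c:
                A[r] = [rv - A[r][c] * cv for rv, cv in zip(A[r], A[c])]
    return [row[n:] for row in A]

def energy(x, h, e):
    """Potts energy of one discretised flow: low for benign-like, high for unusual feature combinations."""
    n = len(x)
    return (-sum(e[i, x[i], j, x[j]] for i in range(n) for j in range(i + 1, n))
            - sum(h[i][x[i]] for i in range(n)))

def fit(flows, quantile=0.95):
    """One-class fit: benign frequencies -> couplings e = -C^-1 (mean-field inverse statistics), fields h, threshold."""
    N, n_f = len(flows), len(flows[0])
    f1 = [[ALPHA / Q + (1 - ALPHA) * sum(x[i] == a for x in flows) / N
           for a in range(Q)] for i in range(n_f)]
    def f2(i, a, j, b):  # pair frequency; a site paired with itself is just f1 on the diagonal
        if i == j:
            return f1[i][a] if a == b else 0.0
        return ALPHA / Q ** 2 + (1 - ALPHA) * sum(x[i] == a and x[j] == b for x in flows) / N
    sites = [(i, a) for i in range(n_f) for a in range(Q - 1)]  # state Q-1 is the gauge reference
    Cinv = invert([[f2(i, a, j, b) - f1[i][a] * f1[j][b] for j, b in sites] for i, a in sites])
    e = {(i, a, j, b): 0.0 if (i == j or a == Q - 1 or b == Q - 1) else -Cinv[i * (Q - 1) + a][j * (Q - 1) + b]
         for (i, a), (j, b) in product(product(range(n_f), range(Q)), repeat=2)}
    h = [[math.log(f1[i][a] / f1[i][Q - 1])
          - sum(e[i, a, j, b] * f1[j][b] for j in range(n_f) for b in range(Q))
          for a in range(Q)] for i in range(n_f)]
    energies = sorted(energy(x, h, e) for x in flows)  # threshold = quantile of benign energies
    return h, e, energies[int(quantile * (N - 1))]

def is_anomalous(x, model):
    h, e, threshold = model
    return energy(x, h, e) > threshold

# Constructed benign flows: features 0 and 1 always agree (e.g. duration bin tracks byte-count bin), feature 2 varies freely.
BENIGN = [(a, a, c) for a in range(Q) for c in range(Q)] * 20
MODEL = fit(BENIGN)
```

With this training set every benign flow has energy 0, while any flow whose first two features disagree gets energy 2 and lands above the threshold, which is the one-class behaviour the abstract attributes to EFC.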