BOTNET DETECTION USING INDEPENDENT COMPONENT ANALYSIS

DOI:

https://doi.org/10.31436/iiumej.v23i1.1789

Keywords:

botnet detection, flow-based, machine learning, independent component analysis, traffic analysis

Abstract

Botnets are a significant cyber threat that continues to evolve. Botmasters keep improving the security framework of their botnets so that they go undetected. New botnet source code is detected every second, and each attack demonstrates how difficult and resilient a botnet is to monitor. Conventional network botnet detection models that rely on signature analysis are challenged by botnet concealment strategies such as encryption and polymorphism, and by the structural shift from centralized to decentralized peer-to-peer architectures. Behavior analysis is a promising approach to these problems because it does not rely on analyzing the network traffic payload. A detection model must also be able to predict novel types of botnet. This study focuses on flow-based behavior analysis to detect novel botnets, which is necessary because a botnet that keeps modifying its signature as a concealment strategy defeats the detection of existing patterns. This study also recommends Independent Component Analysis (ICA) together with data pre-processing standardization to improve data quality before classification. We compared the percentage of significant features with and without ICA, and found that ICA yields significant improvements. The highest F-score was 83%, for the Neris bot. The average F-score on novel botnet samples was 74%. In the feature importance test, feature importance increased from 22% to 27%, and the false positive rate of the trained model decreased from 1.8% to 1.7%.

ABSTRAK (Malay abstract, translated): A botnet is a cyber threat that keeps evolving. Bot owners keep renewing their security strategy so that the botnet cannot be detected. Every second, new botnet source code is detected, and every attack demonstrates the level of difficulty and resilience involved in detecting bots. Conventional network botnet detection models have used signature-based analysis, which faces major obstacles in detecting concealed botnet patterns such as encryption and polymorphic techniques. The problem is compounded by the shift from a centralized structure to a non-centralized structure such as a peer-to-peer (P2P) network. Behavior analysis appears suitable for solving these problems because it does not depend on analyzing the network traffic payload. In addition, to anticipate new botnets, a detection model must be developed. This study focuses on the use of flow-based behavior analysis to detect new botnets, which are hard to detect with existing botnet signature patterns that keep changing and use concealment strategies. This study also proposes the use of Independent Component Analysis (ICA) and standardized data pre-processing to improve data quality before classification. The percentage of important features was compared with and without ICA. The experimental findings show that with ICA the results are much better. The highest F-score was 83% for the Neris bot. The average F-score for new botnet samples was 74%. In the feature importance test, feature importance increased from 22% to 27%, and the training model's false positive rate also decreased from 1.8% to 1.7%.
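The pre-processing chain the abstract recommends, per-feature standardization followed by ICA before classification, is shown below as an added example written for this page; it is not the authors' code and says nothing about their dataset, classifier or reported numbers. It assumes only numpy. The flow records, the bot/benign labels and the mixing matrix that spreads one latent "bot behaviour" source across several flow features are all constructed inside the script (a linear mixture is the case ICA is designed for), so it runs offline. It measures the best F-score any single standardized flow feature can reach against the best F-score any single independent component reaches, which is the "with and without ICA" comparison in its simplest form.

```python
"""Standardize flow features, unmix them with FastICA, then score bot flows.

Added, self-contained example (not the paper's code). Assumes only numpy.
All flow records, labels and the mixing matrix are constructed below.
"""
import numpy as np

FEATURES = ["duration", "total_bytes", "packet_count", "mean_iat"]


def make_flows(n_flows=600, bot_fraction=0.3, seed=7):
    """Constructed dataset: three independent, non-Gaussian latent sources are
    linearly mixed into four observed flow features plus a little noise.
    Source 0 is the bot indicator, so no single raw feature carries it cleanly."""
    rng = np.random.default_rng(seed)
    is_bot = (rng.random(n_flows) < bot_fraction).astype(float)
    volume = rng.laplace(0.0, 1.0, n_flows)       # heavy-tailed transfer volume
    timing = rng.uniform(-1.0, 1.0, n_flows)      # bounded scheduling jitter
    sources = np.column_stack([is_bot, volume, timing])
    mixing = np.array([[1.0, 1.0, 0.2],    # duration
                       [0.8, -1.0, 0.5],   # total_bytes
                       [0.6, 0.5, 1.0],    # packet_count
                       [0.9, 0.6, -0.8]])  # mean_iat
    X = sources @ mixing.T + 0.05 * rng.standard_normal((n_flows, 4))
    return X, is_bot.astype(int)


def standardize(X):
    """Zero-mean, unit-variance scaling per feature. Flow features differ in
    scale by orders of magnitude, so without this the largest one dominates."""
    return (X - X.mean(axis=0)) / X.std(axis=0)


def whiten(Z, n_components):
    """PCA whitening to n_components uncorrelated, unit-variance directions."""
    Zc = Z - Z.mean(axis=0)
    eigval, eigvec = np.linalg.eigh(Zc.T @ Zc / len(Zc))
    keep = np.argsort(eigval)[::-1][:n_components]
    K = np.diag(1.0 / np.sqrt(eigval[keep])) @ eigvec[:, keep].T
    return Zc @ K.T, K


def _sym_decorrelate(W):
    s, u = np.linalg.eigh(W @ W.T)
    return u @ np.diag(1.0 / np.sqrt(s)) @ u.T @ W


def fast_ica(Zw, n_iter=1000, tol=1e-7, seed=0):
    """Symmetric FastICA with the tanh (log-cosh) contrast on whitened data.
    Returns the unmixing matrix W; the independent components are Zw @ W.T."""
    n, m = Zw.shape
    W = _sym_decorrelate(np.random.default_rng(seed).standard_normal((m, m)))
    for _ in range(n_iter):
        g = np.tanh(Zw @ W.T)                                  # n x m
        W_new = (g.T @ Zw) / n - np.diag((1.0 - g ** 2).mean(axis=0)) @ W
        W_new = _sym_decorrelate(W_new)
        converged = np.max(np.abs(np.abs(np.sum(W_new * W, axis=1)) - 1.0)) < tol
        W = W_new
        if converged:
            break
    return W


def best_f1(score, y):
    """Best F-score over every threshold on a 1-D score, trying both signs
    because an independent component's sign is arbitrary. y: 1 = bot."""
    positives = int(y.sum())
    best = 0.0
    for sign in (1.0, -1.0):
        ranked = y[np.argsort(-sign * score)]
        tp = np.cumsum(ranked)                                 # top-k flagged as bot
        k = np.arange(1, len(ranked) + 1)
        best = max(best, float((2.0 * tp / (k + positives)).max()))
    return best


def compare(X, y, n_components=3):
    """Best single-feature F-score before ICA vs best single-component
    F-score after standardization + whitening + FastICA."""
    Z = standardize(X)
    raw = {name: best_f1(Z[:, i], y) for i, name in enumerate(FEATURES)}
    Zw, K = whiten(Z, n_components)
    W = fast_ica(Zw)
    comps = Zw @ W.T
    ica = [best_f1(comps[:, i], y) for i in range(n_components)]
    # Estimated mixing matrix: which raw features the best component loads on.
    loadings = np.linalg.pinv(W @ K)[:, int(np.argmax(ica))]
    return raw, ica, dict(zip(FEATURES, np.round(loadings, 2).tolist()))


if __name__ == "__main__":
    X, y = make_flows()
    raw, ica, loadings = compare(X, y)
    print("best F-score per raw feature  :", raw)
    print("best F-score per ICA component:", [round(f, 3) for f in ica])
    print("bot-component loadings        :", loadings)
```

In a real pipeline the components, not the raw features, are what the classifier is trained on, and the scaler and the unmixing matrix must be fitted on the training flows only and then applied unchanged to the test flows; fitting them on everything leaks test-set statistics into the features. Because ICA returns components in arbitrary order and sign, rank them by separability (as `best_f1` does) or by the classifier's own importance scores rather than by index.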

Author Biographies

Wan Nurhidayah Ibrahim, Universiti Teknologi Malaysia

Wan Nur Hidayah Ibrahim (Member, IEEE) received the B.S. degree in engineering (electrical) and the master's degree in technical education (TVET) from Universiti Teknologi Tun Hussein Onn (UTHM), in 2006 and 2008, respectively. She is currently pursuing the Ph.D. degree with Universiti Teknologi Malaysia, Skudai; her thesis focuses on detecting botnets in network traffic. From 2009 until 2015, she was a Senior Lecturer with the Department of Electrical Engineering, Polytechnic Sultan Idris Shah, Selangor, Malaysia, where she went on to teach Information and Communication Technology from 2015 until 2017. Her research interests include machine learning, data analytics, malware, network security, and generative adversarial networks (GANs).

Mohd Syahid Anuar, Universiti Teknologi Malaysia Kuala Lumpur

Syahid Anuar is currently a Senior Lecturer with Universiti Teknologi Malaysia Kuala Lumpur, under the Razak Faculty of Technology and Informatics. His research interests include machine learning, data mining, and cloud computing, subjects he also teaches. He leads a research project on using IoT and machine learning to detect driving behavior, and is a team member of a research project on machine learning in cybersecurity for botnet prediction.

Ali Selamat, https://orcid.org/0000-0001-9746-8459

ALI SELAMAT is currently a Full Professor with Universiti Teknologi Malaysia (UTM), Malaysia. He has also been the Dean of the Malaysia Japan International Institute of Technology (MJIIT), UTM, since 2018; MJIIT is an academic institution established under the cooperation of the Japan International Cooperation Agency (JICA) and the Ministry of Education Malaysia (MOE) to provide Japanese-style education in Malaysia. He is also a Professor with the Software Engineering Department, Faculty of Computing, UTM. He has published more than 60 papers in impact-factor (IF) journals. His h-index is 20, and he has over 800 citations in WoS. His research interests include software engineering, software process improvement, software agents, web engineering, information retrieval, pattern recognition, genetic algorithms, neural networks, soft computing, computational collective intelligence, strategic management, key performance indicators, and knowledge management. He is on the Editorial Board of the journal Knowledge-Based Systems (Elsevier). He has been serving as the Chair of the IEEE Computer Society Malaysia since 2018.

Ondrej Krejcar

ONDREJ KREJCAR is a full professor in systems engineering and informatics at the University of Hradec Kralove, Faculty of Informatics and Management, Center for Basic and Applied Research, Czech Republic, and a Research Fellow at the Malaysia-Japan International Institute of Technology, Universiti Teknologi Malaysia, Kuala Lumpur, Malaysia. In 2008 he received his Ph.D. in technical cybernetics at the Technical University of Ostrava, Czech Republic. Since June 2020 he has been vice-rector for science and creative activities of the University of Hradec Kralove. At present, he is also director of the Center for Basic and Applied Research at the University of Hradec Kralove. From 2016 to 2020 he was vice-dean for science and research at the Faculty of Informatics and Management, UHK. His h-index is 20, with more than 1300 citations received in the Web of Science, where more than 100 of his IF journal articles are indexed in the JCR index. In 2018, he was the 14th top peer reviewer in Multidisciplinary in the world according to Publons, and a Top Reviewer in the Global Peer Review Awards 2019 by Publons. Currently, he is on the editorial board of the MDPI Sensors IF journal (Q1/Q2 at JCR) and several other ESCI-indexed journals. He has been a Vice-leader and Management Committee member of WG4 at project COST CA17136 since 2018, and a Management Committee member substitute at project COST CA16226 since 2017. Since 2019, he has been Chairman of the Program Committee of the KAPPA Program, Technological Agency of the Czech Republic, as a regulator of the EEA/Norwegian Financial Mechanism in the Czech Republic (2019-2024). Since 2020, he has been Chairman of Panel 1 (Computer, Physical and Chemical Sciences) of the ZETA Program, Technological Agency of the Czech Republic. From 2014 until 2019, he was Deputy Chairman of Panel 7 (Processing Industry, Robotics, and Electrical Engineering) of the Epsilon Program, Technological Agency of the Czech Republic.
At the University of Hradec Kralove, he is the guarantor of the doctoral study program in Applied Informatics, where he focuses on lecturing on Smart Approaches to the Development of Information Systems and Applications in Ubiquitous Computing Environments.

Published

2022-01-04

How to Cite

Ibrahim, W. N., Anuar, M. S., Selamat, A., & Krejcar, O. (2022). BOTNET DETECTION USING INDEPENDENT COMPONENT ANALYSIS. IIUM Engineering Journal, 23(1), 95–115. https://doi.org/10.31436/iiumej.v23i1.1789

Section

Electrical, Computer and Communications Engineering
