BOTNET DETECTION USING INDEPENDENT COMPONENT ANALYSIS
DOI: https://doi.org/10.31436/iiumej.v23i1.1789
Keywords: botnet detection, flow-based, machine learning, independent component analysis, traffic analysis
Abstract
Botnets are a significant cyber threat that continues to evolve. Botmasters keep improving the security framework of their botnets so that they go undetected. New botnet source code is detected every second, and each attack demonstrates how difficult and demanding botnet monitoring is. Conventional network botnet detection models that rely on signature analysis are challenged by botnet concealment strategies such as encryption and polymorphism, and by the shift from a centralized structure to a decentralized peer-to-peer structure. Behavior analysis is a promising approach to these problems because it does not rely on analyzing the network traffic payload. A detection model should also be able to predict novel types of botnet. This study focuses on using flow-based behavior analysis to detect novel botnets, which is necessary because a botnet that keeps modifying its signature as a concealment strategy is hard to detect from existing patterns. This study also recommends introducing Independent Component Analysis (ICA) and standardization during data pre-processing to increase data quality before classification. We compared the percentage of significant features with and without ICA. The experiment showed that the results produced with ICA are significantly better. The highest F-score was 83%, for the Neris bot. The average F-score for novel botnet samples was 74%. In the feature importance test, feature importance increased from 22% to 27%, and the false positive rate of the training model decreased from 1.8% to 1.7%.
ABSTRACT (translated from Malay): Botnets are a cyber threat that is constantly evolving. Bot owners constantly update the security strategy of their botnets so that they cannot be detected. Every second, new botnet source code is detected, and each attack shows the level of difficulty and resilience involved in detecting bots. Conventional botnet network detection models have used signature-based analysis to overcome the major obstacle of detecting concealed botnet patterns such as encryption and polymorphic techniques. The problem is compounded by the change from a centralized structure to a decentralized structure such as a peer-to-peer (P2P) network. Behavior analysis appears suitable for solving these problems because it does not depend on analyzing the network traffic payload. In addition, to anticipate new botnets, a detection model must be developed. This study focuses on the use of flow-based behavior analysis to detect new botnets that are hard to detect with existing botnet identification patterns, which constantly change and use concealment strategies. This study also proposes the use of Independent Component Analysis (ICA) and standardized data pre-processing to improve data quality before classification. The percentage of important features was compared with and without ICA. The experimental findings show that with ICA the results are far better. The highest F-score was 83% for the Neris bot. The average F-score for new botnet samples was 74%. Through the feature importance test, feature importance increased from 22% to 27%, and the false positive rate of the training model also decreased from 1.8% to 1.7%.
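The pre-processing stage the abstract describes, standardization followed by ICA on flow features, as an added example that is not the paper's code or dataset: it assumes only numpy, constructs a small synthetic flow-feature matrix from three independent latent behaviours, and checks that FastICA recovers them up to order and sign, which is the property a downstream classifier benefits from.

```python
import numpy as np

def standardize(X):
    """Per-feature z-score (the standardization pre-processing step); constant
    columns get a unit divisor so they become zeros rather than NaN."""
    sd = X.std(axis=0)
    sd[sd == 0] = 1.0
    return (X - X.mean(axis=0)) / sd

def _decorrelate(W):
    # symmetric orthogonalisation W <- (W W^T)^(-1/2) W, computed via SVD
    u, _, vt = np.linalg.svd(W)
    return u @ vt

def fast_ica(X, n_components, max_iter=300, tol=1e-6, seed=0):
    """Symmetric FastICA with the tanh contrast on standardised X (samples x
    features). Returns the recovered components, samples x n_components."""
    n = X.shape[0]
    # PCA whitening: project onto uncorrelated, unit-variance directions
    vals, vecs = np.linalg.eigh(np.cov(X, rowvar=False))
    order = np.argsort(vals)[::-1][:n_components]
    Z = X @ (vecs[:, order] / np.sqrt(vals[order]))
    W = _decorrelate(np.random.default_rng(seed).standard_normal((n_components,) * 2))
    for _ in range(max_iter):
        G = np.tanh(Z @ W.T)                      # contrast applied to each component
        W_new = _decorrelate((G.T @ Z) / n - np.mean(1 - G ** 2, axis=0)[:, None] * W)
        converged = np.max(np.abs(np.abs(np.sum(W_new * W, axis=1)) - 1)) < tol
        W = W_new
        if converged:
            break
    return Z @ W.T

def constructed_flows(n=4000, seed=1):
    """Constructed data, not real traffic: three independent latent behaviours
    (beacon jitter, burst size, duty cycle) linearly mixed into five flow features."""
    rng = np.random.default_rng(seed)
    S = np.column_stack([rng.uniform(-1, 1, n), rng.laplace(0, 1, n),
                         np.mod(np.arange(n) * 0.37, 2.0) - 1.0])
    A = np.array([[1.0, 0.5, 0.2], [0.3, 1.2, 0.4], [0.8, 0.1, 1.0],
                  [0.2, 0.7, 0.9], [1.1, 0.3, 0.6]])
    return S @ A.T + 0.02 * rng.standard_normal((n, 5)), S   # small measurement noise

def recovery_score(S_true, S_est):
    """Best |correlation| of each true behaviour with any recovered component;
    ICA identifies sources only up to order and sign, hence abs and max."""
    k = S_true.shape[1]
    C = np.corrcoef(S_true.T, S_est.T)[:k, k:]
    return np.abs(C).max(axis=1)
```

A classifier would then be trained on the recovered components rather than the raw flow features, which is where the paper's with/without-ICA comparison of F-score and feature importance applies.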
Copyright (c) 2021 IIUM Press
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.