ABSTRACT
Botnets are known as one of the main destructive threats that have been active since 2003 in various forms. The ability to upgrade their structure and algorithms on the fly is part of what has allowed botnets to survive for more than a decade. Hence, one of the main concerns in designing a botnet detection system is how long such a system can remain effective and useful given the evolution of a botnet. Furthermore, the data representation and feature extraction components have always been an important issue in designing a robust detection system. In this work, we employ machine learning algorithms (genetic programming and decision trees) to explore two questions: (i) How does the representation of non-numeric features affect the detection system's performance? and (ii) How long can a machine learning based detection system perform effectively? To this end, we gathered seven Zeus botnet data sets over a period of four years and analyzed three different data representation techniques in order to explore the aforementioned questions.
Botnet Detection System Analysis on the Effect of Botnet Evolution and Feature Representation