DOI: 10.1145/2739482.2768435
Research article

Botnet Detection System Analysis on the Effect of Botnet Evolution and Feature Representation

Published: 11 July 2015

ABSTRACT

Botnets are known as one of the main destructive threats and have been active since 2003 in various forms. The ability to upgrade their structure and algorithms on the fly is part of what has allowed botnets to survive for more than a decade. Hence, one of the main concerns in designing a botnet detection system is how long such a system can remain effective and useful given the evolution of a particular botnet. Furthermore, the data representation and feature extraction components have always been an important issue in designing a robust detection system. In this work, we employ machine learning algorithms (genetic programming and decision trees) to explore two questions: (i) How does the representation of non-numeric features affect the detection system's performance? and (ii) How long can a machine-learning-based detection system perform effectively? To this end, we gathered seven Zeus botnet data sets over a period of four years and analyzed three different data representation techniques in order to explore the aforementioned questions.

Published in

GECCO Companion '15: Proceedings of the Companion Publication of the 2015 Annual Conference on Genetic and Evolutionary Computation
July 2015
1568 pages
ISBN: 9781450334884
DOI: 10.1145/2739482

Copyright © 2015 ACM

Publisher

Association for Computing Machinery
New York, NY, United States
