DOI: 10.1109/NOMS47738.2020.9110420
Research article
BotFP: FingerPrints Clustering for Bot Detection

Published: 01 April 2020

Abstract

Efficient bot detection is a crucial security matter and has been widely explored in the past years. Recent approaches supplant flow-based detection techniques and exploit graph-based features, but incur scalability issues in terms of time and space complexity. Bots exhibit specific communication patterns: they use particular protocols and contact specific domains, hence they can be identified by analyzing their communication with the outside. To simplify the communication graph, we look at frequency distributions of protocol attributes that capture the specificity of botnet behaviour. In this paper, we propose a bot detection technique named BotFP, for BotFinger-Printing, which acts by (i) characterizing host behaviour with attribute frequency distribution signatures, (ii) learning the behaviour of benign hosts and bots through a clustering technique, and (iii) classifying new hosts based on their distances to labelled clusters. We validate our solution on the CTU-13 dataset, which contains 13 scenarios of bot infections, connecting to a Command-and-Control (C&C) channel and launching malicious actions such as port scanning or Denial-of-Service (DDoS) attacks. Our approach applies to various bot activities and network topologies. The approach is lightweight, can handle large amounts of data, and shows better accuracy than state-of-the-art techniques.
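The three steps the abstract outlines (per-host attribute frequency signatures, learning labelled behaviour, classifying by distance) can be illustrated end to end on constructed flow records. The following Python is an added example and is not the paper's code or the BotFP implementation: the attribute bins (protocol/port classes), the use of one centroid per label in place of the paper's clustering technique, the Euclidean distance, and every host and flow record are assumptions made here for illustration, not values taken from the CTU-13 dataset.

```python
from collections import Counter, defaultdict
import math

# Assumed attribute bins: protocol/service-port classes. The paper's exact
# attribute set is not given on this page; these are an illustrative choice.
ATTRIBUTES = ["tcp/80", "tcp/443", "udp/53", "tcp/25", "tcp/6667",
              "tcp/other", "udp/other", "icmp"]


def attribute_of(proto, dport):
    """Map one flow (protocol, destination port) to its attribute bin."""
    if proto == "icmp":
        return "icmp"
    key = f"{proto}/{dport}"
    return key if key in ATTRIBUTES else f"{proto}/other"


def fingerprint(flows):
    """Step (i): frequency distribution over ATTRIBUTES for one host, normalised to sum 1."""
    counts = Counter(attribute_of(p, d) for p, d in flows)
    total = sum(counts.values())
    return [counts[a] / total for a in ATTRIBUTES]


def fingerprints_by_host(records):
    """Group (host, proto, dport) records by host and compute each host's signature."""
    per_host = defaultdict(list)
    for host, proto, dport in records:
        per_host[host].append((proto, dport))
    return {h: fingerprint(f) for h, f in per_host.items()}


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def learn_clusters(fps, labels):
    """Step (ii), simplified: one centroid per label instead of a density clustering."""
    groups = defaultdict(list)
    for host, fp in fps.items():
        groups[labels[host]].append(fp)
    return {lab: [sum(col) / len(vs) for col in zip(*vs)] for lab, vs in groups.items()}


def classify(fp, centroids):
    """Step (iii): label of the closest labelled centroid."""
    return min(centroids, key=lambda lab: euclid(fp, centroids[lab]))


def classify_hosts(records, centroids):
    return {h: classify(fp, centroids) for h, fp in fingerprints_by_host(records).items()}


def _flows(host, spec):
    """Expand (proto, dport, count) triples into constructed flow records."""
    return [(host, p, d) for p, d, n in spec for _ in range(n)]


# Constructed training traffic (hypothetical hosts, not dataset values):
# benign hosts talk to web and DNS; bots keep a C&C channel on an IRC port
# and spread connections over uncommon ports (scan-like) or send ICMP floods.
TRAINING = (
    _flows("10.0.0.11", [("tcp", 80, 30), ("tcp", 443, 50), ("udp", 53, 20)])
    + _flows("10.0.0.12", [("tcp", 80, 40), ("tcp", 443, 40), ("udp", 53, 15), ("tcp", 25, 5)])
    + _flows("10.0.0.21", [("tcp", 6667, 20), ("tcp", 135, 40), ("tcp", 445, 40)])
    + _flows("10.0.0.22", [("tcp", 6667, 10), ("icmp", 0, 60), ("tcp", 445, 30)])
)
LABELS = {"10.0.0.11": "benign", "10.0.0.12": "benign",
          "10.0.0.21": "bot", "10.0.0.22": "bot"}

# Constructed unlabelled hosts to classify.
NEW = (
    _flows("10.0.0.31", [("tcp", 6667, 15), ("tcp", 139, 50), ("tcp", 445, 35)])
    + _flows("10.0.0.32", [("tcp", 443, 60), ("tcp", 80, 30), ("udp", 53, 10)])
)

if __name__ == "__main__":
    centroids = learn_clusters(fingerprints_by_host(TRAINING), LABELS)
    for host, label in classify_hosts(NEW, centroids).items():
        print(host, "->", label)
```

Because each signature is a fixed-length vector regardless of how many flows a host produced, the per-host cost is linear in its flow count and the classification cost is linear in the number of labelled clusters, which is the scalability argument the abstract makes against graph-based features.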


Published in: NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, April 2020, 1311 pages
Publisher: IEEE Press