DOI: 10.1145/3163058.3163059

A Survey Leading to a New Evaluation Framework for Network-based Botnet Detection

Published: 24 November 2017

Abstract

    During the last decade, botnets have emerged as one of the most serious kinds of malware and pose a serious threat to the Internet. Thanks to significant research effort in this domain, there are many different detection methods based on diverse technical principles. Among these, detection based on network traffic analysis is one of the non-invasive and resilient detection techniques. Several survey papers have been published on the detection methods, but they either did not analyze the proposed methods, demonstrated only a few different dimensions, or had no dimensions at all. Therefore, a complete evaluation framework for assessing the proposed methods is vital. In this paper, we first provide a comprehensive overview of this field by summarizing the current significant methods and gathering all related network traffic features, followed by a new evaluation framework with fourteen dimensions and an analysis of the existing detection methods to identify their characteristics, limitations, and performance.


    Cited By

    • (2023) Towards Generalizing Machine Learning Models to Detect Command and Control Attack Traffic. 2023 15th International Conference on Cyber Conflict: Meeting Reality (CyCon), pp. 253-271. DOI: 10.23919/CyCon58705.2023.10182001. Online publication date: 29 May 2023.
    • (2021) Artificial intelligence and big data driven IS security management solution with applications in higher education organizations. 2021 17th International Conference on Network and Service Management (CNSM), pp. 340-344. DOI: 10.23919/CNSM52442.2021.9615575. Online publication date: 25 October 2021.
    • (2020) Detecting botnet by using particle swarm optimization algorithm based on voting system. Future Generation Computer Systems, vol. 107, pp. 95-111. DOI: 10.1016/j.future.2020.01.055. Online publication date: 1 June 2020.
    • (2019) Machine Learning-based Detection of C&C Channels with a Focus on the Locked Shields Cyber Defense Exercise. 2019 11th International Conference on Cyber Conflict (CyCon), pp. 1-19. DOI: 10.23919/CYCON.2019.8756814. Online publication date: May 2019.
    • (2019) An Efficient Botnet Detection Methodology using Hyper-parameter Optimization Trough Grid-Search Techniques. 2019 7th International Workshop on Biometrics and Forensics (IWBF), pp. 1-6. DOI: 10.1109/IWBF.2019.8739208. Online publication date: May 2019.
    • (2019) On the resilience of P2P botnet footprints in the presence of legitimate P2P traffic. International Journal of Communication Systems, vol. 32, no. 13. DOI: 10.1002/dac.3973. Online publication date: July 2019.

      Published In

      ICCNS '17: Proceedings of the 2017 7th International Conference on Communication and Network Security
      November 2017
      125 pages
      ISBN:9781450353496
      DOI:10.1145/3163058
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      In-Cooperation

      • University of Electronic Science and Technology of China

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. Botnet
      2. Botnet Detection
      3. Botnet detection features
      4. Detection Performance
      5. Evaluation Framework
      6. network traffic features

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      ICCNS 2017

      Article Metrics

      • Downloads (Last 12 months)11
      • Downloads (Last 6 weeks)1
