BotCapturer: Detecting botnets based on two-layered analysis with graph anomaly detection and network traffic clustering

Cited by: 0
Authors
Wang W. [1, 2]
Wang Y. [1]
Tan X. [1]
Liu Y. [1]
Yang S. [2]
Affiliations
[1] Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing
[2] Science and Technology on Electronic Information Control Laboratory, Chengdu
Funding
National Natural Science Foundation of China; National Key R&D Program of China;
Keywords
Anomaly detection; Botnet detection; Intrusion detection; Network flows;
DOI
10.23940/ijpe.18.05.p24.10501059
Abstract
Botnets have become one of the most serious threats on the Internet. On the platform of botnets, attackers conduct a series of malicious activities such as distributed denial-of-service (DDoS) attacks or virtual currency mining. Network traffic has been widely used as the data source for the detection of botnets. However, there are two main issues in detecting botnets with network traffic. First, many traditional filtering methods such as whitelisting are not able to process the very large amount of traffic data in real time because of their limited computational capability. Second, many existing detection methods based on network traffic clustering result in high false positive rates. In this work, we resolve these two issues by proposing a lightweight botnet detection system called BotCapturer, based on two-layered analysis with anomaly detection in a graph and clustering of network communication traffic. First, we identify anomalous nodes that correspond to C&C (Command and Control) servers by anomaly scores in a graph abstracted from the network traffic. Second, we use clustering algorithms to check whether the nodes interacting with an anomalous node share a similar communication pattern. To minimize irrelevant traffic, we propose a traffic reduction method that removes more than 85% of the background traffic; the reduction is conducted by filtering out the packets that are unrelated to hosts such as the C&C server. We collect a very large dataset by simulating five different botnets and mixing the collected traffic with background traffic obtained from an ISP. Extensive experiments are conducted, and evaluation results on our own dataset show that BotCapturer reduces the input raw packet traces by more than 85% and achieves a high detection rate (100%) with a low false positive rate (0.01%), demonstrating that it is very effective and efficient in detecting the latest botnets. © 2018 Totem Publisher, Inc. All rights reserved.
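The two-layer pipeline the abstract describes (graph anomaly score to pick C&C candidates, traffic reduction to the flows touching those candidates, then clustering of the candidate's peers to test whether they share a communication pattern) is illustrated below in Python. This is an added example, not the paper's BotCapturer code. Everything specific is an assumption: the anomaly score is a robust z-score of a node's distinct fan-in (the paper does not state its score), the clustering is a toy k-means with a "tightness" threshold, the thresholds are chosen for this illustration, and the flow records, host addresses and server addresses are constructed (RFC 5737 documentation ranges), not captured traffic.

```python
"""Added illustration of a BotCapturer-style two-layer pipeline (not the paper's code)."""
import random
from collections import defaultdict
from statistics import mean, median

# Thresholds are assumptions for this illustration, not values from the paper.
FAN_IN_SCORE_THRESHOLD = 6.0   # robust z-score above which a node becomes a C&C candidate
TIGHTNESS_THRESHOLD = 0.05     # mean within-cluster radius (min-max units) below which peers "share a pattern"


def make_flows(seed=7):
    """Constructed flow records (src, dst, packets, bytes, duration_s); not real traffic."""
    rng = random.Random(seed)
    bots = [f"10.0.0.{i}" for i in range(1, 41)]      # 40 hypothetical infected hosts
    benign = [f"10.0.1.{i}" for i in range(1, 61)]    # 60 hypothetical clean hosts
    cnc, web = "203.0.113.5", "198.51.100.80"          # hypothetical C&C server and popular web server
    flows = []
    for b in bots:                                    # beacons: many near-identical small flows
        for _ in range(6):
            flows.append((b, cnc, rng.randint(4, 6), rng.randint(300, 340), round(rng.uniform(0.9, 1.1), 2)))
    for h in benign:                                  # web browsing: highly variable flows
        for _ in range(rng.randint(1, 5)):
            flows.append((h, web, rng.randint(5, 200), rng.randint(500, 200000), round(rng.uniform(0.1, 30.0), 2)))
    hosts = bots + benign
    for _ in range(400):                              # background chatter that the reduction step drops
        s, d = rng.sample(hosts, 2)
        flows.append((s, d, rng.randint(1, 50), rng.randint(60, 50000), round(rng.uniform(0.01, 10.0), 2)))
    return flows


def fan_in_scores(flows):
    """Layer 1: robust z-score of each destination's number of distinct sources (assumed score)."""
    peers = defaultdict(set)
    for src, dst, *_ in flows:
        peers[dst].add(src)
    counts = {node: len(s) for node, s in peers.items()}
    med = median(counts.values())
    mad = median(abs(c - med) for c in counts.values()) or 1.0
    return {node: (c - med) / (1.4826 * mad) for node, c in counts.items()}


def candidates(flows):
    return sorted(n for n, s in fan_in_scores(flows).items() if s > FAN_IN_SCORE_THRESHOLD)


def reduce_traffic(flows, cands):
    """Keep only flows that touch a candidate; returns (kept_flows, reduction_ratio)."""
    cset = set(cands)
    kept = [f for f in flows if f[0] in cset or f[1] in cset]
    return kept, 1 - len(kept) / len(flows)


def peer_features(flows, node):
    """Per-source communication pattern towards `node`: mean packets, bytes, duration, flow count."""
    per_src = defaultdict(list)
    for src, dst, pk, by, du in flows:
        if dst == node:
            per_src[src].append((pk, by, du))
    return {s: (mean(r[0] for r in rows), mean(r[1] for r in rows), mean(r[2] for r in rows), float(len(rows)))
            for s, rows in per_src.items()}


def normalise(vectors, lo, hi):
    """Min-max scale each feature so that no single unit (bytes) dominates the distance."""
    return [tuple((v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vec, lo, hi)) for vec in vectors]


def dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def kmeans(points, k=2, iters=25, seed=0):
    """Toy Lloyd-style k-means; stands in for the clustering algorithm the paper would use."""
    k = min(k, len(points))
    cents = random.Random(seed).sample(points, k)
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, cents[i]))].append(p)
        new = [tuple(map(mean, zip(*g))) if g else cents[i] for i, g in enumerate(groups)]
        if new == cents:
            break
        cents = new
    return cents, groups


def tightness(cents, groups):
    """Mean distance of every peer to its own centroid: small means the peers behave alike."""
    n = sum(len(g) for g in groups)
    return sum(dist(p, c) for c, g in zip(cents, groups) for p in g) / n


def detect(flows):
    """Full pipeline; returns ({candidate: (tightness, is_botnet)}, reduction_ratio)."""
    cands = candidates(flows)
    kept, reduction = reduce_traffic(flows, cands)
    feats = {c: peer_features(kept, c) for c in cands}
    allv = [v for f in feats.values() for v in f.values()]
    lo = tuple(min(col) for col in zip(*allv))
    hi = tuple(max(col) for col in zip(*allv))
    verdicts = {}
    for c in cands:
        cents, groups = kmeans(normalise(list(feats[c].values()), lo, hi))
        t = tightness(cents, groups)
        verdicts[c] = (round(t, 4), t < TIGHTNESS_THRESHOLD)
    return verdicts, round(reduction, 3)


if __name__ == "__main__":
    verdicts, ratio = detect(make_flows())
    print(f"background traffic reduced by {ratio:.1%}")
    for node, (t, bot) in verdicts.items():
        print(f"{node}: peer tightness={t} -> {'botnet C&C' if bot else 'benign hub'}")
```

Layer 1 alone flags both the C&C server and the busy web server, because both have an unusually large fan-in; that is exactly the false-positive problem the abstract attributes to single-stage methods. Layer 2 separates them: the bots' beacons land in a very tight cluster, while the web server's clients scatter across the feature space. The reduction ratio printed here is for the constructed data and says nothing about the 85% the paper reports on its own traces.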
Pages: 1050 / 1059
Page count: 9