Machine learning for identifying botnet network traffic

Matija Stevanovic, Jens Myrup Pedersen

Publication: Conference contribution without publisher/journal › Paper without publisher/journal › Research

8134 Downloads (Pure)

Abstract

During the last decade, a great scientific effort has been invested in the development of methods that could provide efficient and effective detection of botnets. As a result, various detection methods based on diverse technical principles and various aspects of the botnet phenomenon have been defined. Due to the promise of non-invasive and resilient detection, botnet detection based on network traffic analysis has drawn special attention from the research community. Furthermore, many authors have turned their attention to the use of machine learning algorithms as the means of inferring botnet-related knowledge from the monitored traffic. This paper presents a review of contemporary botnet detection methods that use machine learning as a tool for identifying botnet-related traffic. The main goal of the paper is to provide a comprehensive overview of the field by summarizing current scientific efforts. The contribution of the paper is three-fold. First, the paper provides detailed insight into the existing detection methods by investigating which bot-related heuristics were assumed by the detection systems and how different machine learning techniques were adapted in order to capture botnet-related knowledge. Second, the paper compares the existing detection methods by outlining their characteristics, performance, and limitations. Special attention is placed on the practice of experimenting with the methods and on the methodologies of performance evaluation. Third, the study indicates limitations and challenges of using machine learning for identifying botnet traffic and outlines possibilities for the future development of machine learning-based botnet detection systems.
Original language: English
Publication date: Apr. 2013
Number of pages: 28
Status: Published - Apr. 2013
