Detecting bots using multi-level traffic analysis

Research output: Contribution to journal › Journal article › Research › peer-review

Abstract

Botnets, as networks of compromised “zombie” computers, represent one of the most serious security threats on the Internet today. This paper explores how machines compromised with bot malware can be identified in local and enterprise networks in an accurate and time-efficient manner. The paper introduces a novel multi-level botnet detection approach that performs network traffic analysis of the three protocols widely considered the main carriers of botnet Command and Control (C&C) and attack traffic, i.e. TCP, UDP and DNS. The proposed method relies on supervised machine learning to identify patterns of botnet network traffic. The method has been evaluated through a series of experiments using traffic traces originating from 40 different bot samples and diverse benign applications. The evaluation indicates accurate and time-efficient classification of botnet traffic for all three protocols, as well as promising performance in identifying potentially compromised machines. Future work will be devoted to optimizing the traffic analysis and correlating the findings from the three analysis levels in order to increase the accuracy of identifying compromised clients within the network.
Original language: English
Journal: International Journal On Cyber Situational Awareness (IJCSA)
Volume: 1
Issue number: 1
Number of pages: 27
ISSN: 2057-2182
Publication status: Published - 2016

Keywords

  • Botnet
  • Botnet Detection
  • Traffic Analysis
  • Traffic Classification
  • MLAs
  • Random Forests
  • Client analysis

Cite this

@article{c05de3050341495994a68825f9edc719,
title = "Detecting bots using multi-level traffic analysis",
abstract = "Botnets, as networks of compromised “zombie” computers, represent one of the most serious security threats on the Internet today. This paper explores how machines compromised with bot malware can be identified at local and enterprise networks in accurate and time-efficient manner. The paper introduces a novel multi-level botnet detection approach that performs network traffic analysis of three protocols widely considered as the main carriers of botnet Command and Control (C&C) and attack traffic, i.e. TCP, UDP and DNS. The proposed method relies on supervised machine learning for identifying patterns of botnet network traffic. The method has been evaluated through a series of experiments using traffic traces originating from 40 different bot samples and diverse benign applications. The evaluation indicates accurate and time-efficient classification of botnet traffic for all the three protocols as well as promising performance of identifying potentially compromised machines. The future work will be devoted to the optimization of traffic analysis and correlation of findings from three analysis levels in order to increase the accuracy of identifying compromised clients within the network.",
keywords = "Botnet, Botnet Detection, Traffic Analysis, Traffic Classification, MLAs, Random Forests, Client analysis",
author = "Matija Stevanovic and Pedersen, {Jens Myrup}",
year = "2016",
language = "English",
volume = "1",
journal = "International Journal On Cyber Situational Awareness (IJCSA)",
issn = "2057-2182",
publisher = "Centre for Multidisciplinary Research, Innovation and Collaboration (C-MRiC.ORG) London, UK",
number = "1",
}

Detecting bots using multi-level traffic analysis. / Stevanovic, Matija; Pedersen, Jens Myrup.

In: International Journal On Cyber Situational Awareness (IJCSA), Vol. 1, No. 1, 2016.