http://dx.doi.org/10.3837/tiis.2020.10.014

B-Corr Model for Bot Group Activity Detection Based on Network Flows Traffic Analysis  

Hostiadi, Dandy Pramana (Department of Informatics, Institut Teknologi Sepuluh Nopember)
Wibisono, Waskitho (Department of Informatics, Institut Teknologi Sepuluh Nopember)
Ahmad, Tohari (Department of Informatics, Institut Teknologi Sepuluh Nopember)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.14, no.10, 2020, pp. 4176-4197
Abstract
A botnet is a dangerous class of malware. A botnet attack in which a collection of bots attacks the same target with a similar activity pattern is called a bot group activity. Existing intrusion detection models detect the activity of individual bots but cannot detect the behavioral relations between bots in a group attack. Detecting bot group activities would help network administrators isolate the activity or access of a bot group attack and determine the relations between bots by measuring their correlation. This paper proposes a new model, the B-Corr model, that measures the similarity between bot activities using an intersection-probability concept in order to define bot group activities. The B-Corr model consists of several stages: feature extraction from bot activity flows, measurement of intersections between bots, and production of similarity values. It groups bots that share similar targets to identify bot group activities. To give a more comprehensive view, the B-Corr model visualizes the similarity values between bots as a similar-bot graph. Extensive experiments on real botnet datasets show high detection accuracy in various scenarios.
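The pipeline the abstract describes (feature extraction from flow records, pairwise measurement of the intersection between bots' targets, a similarity value per pair, and grouping of bots that share targets into a similar-bot graph) is sketched below as an added Python example. This is not the paper's code: the page does not give the B-Corr intersection-probability formula, so the similarity used here is assumed to be the Jaccard ratio of shared targets to all targets, the threshold is an assumed parameter, and the flow records are constructed for the example.

```python
"""Toy bot-group detection over NetFlow-like records (added example, not B-Corr's code).

ASSUMPTION: the page does not state the B-Corr intersection-probability measure;
here similarity(a, b) = |T_a & T_b| / |T_a | T_b| over each host's target set,
where a target is (dst_ip, dst_port, proto). Threshold is an assumed parameter.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample flows: (src_ip, dst_ip, dst_port, proto, bytes).
# Hosts .11 and .12 hit identical targets, .13 shares one target, .14 is unrelated.
SAMPLE_FLOWS = [
    ("10.0.0.11", "203.0.113.5", 80, "tcp", 1200),
    ("10.0.0.11", "203.0.113.6", 80, "tcp", 900),
    ("10.0.0.11", "198.51.100.9", 53, "udp", 70),
    ("10.0.0.12", "203.0.113.5", 80, "tcp", 1100),
    ("10.0.0.12", "203.0.113.6", 80, "tcp", 950),
    ("10.0.0.12", "198.51.100.9", 53, "udp", 80),
    ("10.0.0.13", "203.0.113.5", 80, "tcp", 1300),
    ("10.0.0.13", "203.0.113.7", 443, "tcp", 4000),
    ("10.0.0.14", "192.0.2.77", 25, "tcp", 2500),
    ("10.0.0.14", "192.0.2.78", 25, "tcp", 2600),
]


def extract_targets(flows):
    """Stage 1: feature extraction. Map each source host to its set of targets."""
    targets = defaultdict(set)
    for src, dst, dport, proto, _nbytes in flows:
        targets[src].add((dst, dport, proto))
    return dict(targets)


def intersection_similarity(a, b):
    """Stage 2/3: intersection of two target sets, normalised to [0, 1] (assumed Jaccard form)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def similarity_matrix(targets):
    """Similarity value for every unordered pair of hosts: the edges of the similar-bot graph."""
    return {
        (x, y): intersection_similarity(targets[x], targets[y])
        for x, y in combinations(sorted(targets), 2)
    }


def group_bots(sims, hosts, threshold):
    """Connected components over edges with similarity >= threshold (union-find)."""
    parent = {h: h for h in hosts}

    def find(h):
        while parent[h] != h:
            parent[h] = parent[parent[h]]  # path halving
            h = parent[h]
        return h

    for (x, y), s in sims.items():
        if s >= threshold:
            parent[find(x)] = find(y)
    groups = defaultdict(set)
    for h in hosts:
        groups[find(h)].add(h)
    # A lone host is single-bot activity, not a group activity: drop components of size 1.
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def common_targets(targets, group):
    """Targets every member of a group attacks, i.e. the group's shared target."""
    return set.intersection(*(targets[h] for h in group))


def detect_bot_groups(flows, threshold=0.5):
    """Run the whole pipeline and return the list of bot groups (each a sorted host list)."""
    targets = extract_targets(flows)
    sims = similarity_matrix(targets)
    return group_bots(sims, list(targets), threshold)


if __name__ == "__main__":
    targets = extract_targets(SAMPLE_FLOWS)
    for pair, s in similarity_matrix(targets).items():
        print(f"{pair[0]} <-> {pair[1]}: {s:.2f}")
    for thr in (0.5, 0.2):
        for grp in detect_bot_groups(SAMPLE_FLOWS, thr):
            print(f"threshold {thr}: group {grp}, shared targets {common_targets(targets, grp)}")
```

Lowering the threshold from 0.5 to 0.2 pulls 10.0.0.13 into the group through its single shared web target, which illustrates the practical caveat: the threshold decides whether a host that overlaps on one popular destination (a CDN, a resolver) is counted as part of the group, so it should be set against benign traffic to the same destinations, not only against the botnet dataset.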
Keywords
Bot group activity; bot activity flows; similar intersection; network security; intrusion detection system;