
Feature Selection for Effective Botnet Detection Based on Periodicity of Traffic

  • Conference paper
Information Systems Security (ICISS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10063)


Abstract

Botnets are networks composed of compromised machines, called bots, that are remotely controlled by a botmaster. They pose a serious threat to network communications and applications. A botnet relies on its command and control (C2) communication channel to carry out attacks. C2 traffic occurs prior to any attack; hence, detecting the botnet's C2 traffic allows the bots to be identified before any real attack happens. Recently, HTTP-based botnets have become a serious challenge for security experts, because HTTP bots can be distributed quickly and stealthily. HTTP bots periodically connect to particular web pages or URLs to fetch commands and updates from the botmaster, and this identifiable periodic connection pattern has been used to detect HTTP botnets. This paper proposes a method for identifying bots whose traffic is not periodic, as well as normal traffic that is periodic. The proposed method reduces the false positive rate and increases the detection rate. To this end, a set of traffic features is collected from several existing detection methods and feature selection is performed on them; feature selection improves the detection rate for bot traffic in the network. Principal Component Analysis (PCA) is used for feature selection, and the top-ranked features from PCA are added to the existing work. Results show an improvement in detection rate and a reduction in false positive rate.
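The abstract describes two ideas: that periodic connections to a fixed server are a signal worth extracting from traffic, and that periodicity alone is not enough, because benign software also polls on a schedule. The following is an added example, not code from the paper or its authors, showing how such features can be derived from a constructed HTTP connection log. The log format, the field names, the coefficient-of-variation statistic and the thresholds are all assumptions chosen for illustration; the paper's actual feature set and PCA ranking are not on this page.

```python
"""Periodicity features from a constructed HTTP connection log.

Added example (not from the paper). Connections are grouped per
(client, server) pair; for each pair the inter-arrival times and the
request sizes are summarised with the coefficient of variation (CV =
population std dev / mean). A low interval CV means regular timing.
Combining the interval CV with a second feature (request-size CV) shows
why timing alone misclassifies a regularly polling update client.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one line per outbound HTTP connection:
# "epoch_seconds client_ip server_host request_bytes"
SAMPLE_LOG = """\
1000 10.0.0.5 c2.example.test 312
1300 10.0.0.5 c2.example.test 311
1600 10.0.0.5 c2.example.test 312
1900 10.0.0.5 c2.example.test 312
2200 10.0.0.5 c2.example.test 311
1005 10.0.0.7 news.example.test 540
1021 10.0.0.7 news.example.test 1893
1250 10.0.0.7 news.example.test 720
1933 10.0.0.7 news.example.test 455
2400 10.0.0.7 news.example.test 2210
1010 10.0.0.9 updates.example.test 418
1610 10.0.0.9 updates.example.test 902
2210 10.0.0.9 updates.example.test 1455
2810 10.0.0.9 updates.example.test 633
3410 10.0.0.9 updates.example.test 1201
"""


def parse_log(text):
    """Return (timestamp, client, server, size) tuples from the log text."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((int(ts), src, dst, int(size)))
    return records


def connection_features(records, min_connections=3):
    """Per (client, server) pair: connection count, mean interval,
    interval CV and request-size CV. Pairs with too few connections to
    measure an interval distribution are skipped."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    features = {}
    for pair, events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()  # order by timestamp before differencing
        times = [t for t, _ in events]
        sizes = [s for _, s in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = mean(gaps)
        interval_cv = pstdev(gaps) / mean_gap if mean_gap else 0.0
        size_cv = pstdev(sizes) / mean(sizes)
        features[pair] = {
            "connections": len(events),
            "mean_interval": mean_gap,
            "interval_cv": round(interval_cv, 4),
            "size_cv": round(size_cv, 4),
        }
    return features


def classify(features, interval_cv_max=0.1, size_cv_max=0.05):
    """Label each pair. Thresholds are illustrative assumptions.
    'periodic-uniform': regular timing and near-identical request sizes,
    the beacon-like shape the abstract associates with HTTP bots.
    'periodic-variable': regular timing but varying payloads, e.g. a
    benign polling client; timing alone would have flagged it.
    'irregular': no timing regularity."""
    labels = {}
    for pair, f in features.items():
        periodic = f["interval_cv"] <= interval_cv_max
        uniform = f["size_cv"] <= size_cv_max
        if periodic and uniform:
            labels[pair] = "periodic-uniform"
        elif periodic:
            labels[pair] = "periodic-variable"
        else:
            labels[pair] = "irregular"
    return labels


if __name__ == "__main__":
    feats = connection_features(parse_log(SAMPLE_LOG))
    for pair, label in classify(feats).items():
        print(pair, label, feats[pair])
```

Running the block labels the 300-second, fixed-size connections as periodic-uniform, the browsing-like host as irregular, and the 600-second update poller as periodic-variable. The last case is the point the abstract makes about false positives: a detector that keys on the interval CV alone would treat the poller and the beacon identically, which is what adding further ranked features is meant to correct.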



Correspondence to T. Harsha or S. Asha.


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Harsha, T., Asha, S., Soniya, B. (2016). Feature Selection for Effective Botnet Detection Based on Periodicity of Traffic. In: Ray, I., Gaur, M., Conti, M., Sanghi, D., Kamakoti, V. (eds) Information Systems Security. ICISS 2016. Lecture Notes in Computer Science, vol 10063. Springer, Cham. https://doi.org/10.1007/978-3-319-49806-5_26


  • DOI: https://doi.org/10.1007/978-3-319-49806-5_26


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49805-8

  • Online ISBN: 978-3-319-49806-5
