Improved Detection of P2P Botnets through Network Behavior Analysis
Botnets have become a powerful threat on the Internet because they are used to launch targeted attacks against organizations and individuals. P2P botnets are resilient and harder to detect because they rely on distributed command-and-control and on encryption. Classification-based techniques proposed in the literature for detecting P2P botnets report high overall accuracy but fail to recognize the individual classes at similar rates: on an imbalanced dataset a classifier can score well overall while missing much of the minority class. Correct identification of non-bot traffic matters as much as identification of bot traffic for the reliability of the classifier. This paper proposes a model that distinguishes P2P botnet command-and-control traffic from normal traffic with a high detection rate for both classes, using the Random Forests ensemble-of-decision-trees classifier. To further optimize performance, the model addresses the imbalanced nature of the dataset with downsampling and cost-sensitive learning. Performance analysis of the proposed model shows a true positive rate above 0.99 for both the botnet class and the legitimate class, with a false positive rate of 0.008.
Keywords: P2P botnets, Random Forests, Ensemble, Imbalanced problem, Network flow, Network security, Peer-to-peer network
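The two points the abstract turns on, per-class evaluation instead of overall accuracy and rebalancing an imbalanced flow dataset by downsampling or cost-sensitive learning, are shown below as an added example. This is not code from the paper: the 50-bot / 950-legitimate label set is constructed, the helper names are this example's own, and only the Python standard library is used, so the Random Forest itself is not trained here; the functions cover the measurement and rebalancing steps around it.

```python
"""Per-class evaluation and class-rebalancing helpers for an imbalanced
botnet-vs-legitimate flow classifier.

Added example, not code from the paper: the flow labels below are
constructed and the helper names are this example's own.
"""
from collections import Counter
import random

BOT, LEGIT = "bot", "legit"


def per_class_rates(y_true, y_pred):
    """Return (overall_accuracy, {class: (tpr, fpr)}) computed one-vs-rest.

    TPR of a class is its recall; FPR is the share of the *other* classes'
    samples that were labelled as this class. Reporting both per class is
    what exposes a classifier that scores well only on the majority class.
    """
    pairs = list(zip(y_true, y_pred))
    rates = {}
    for c in sorted(set(y_true) | set(y_pred)):
        tp = sum(1 for t, p in pairs if t == c and p == c)
        fn = sum(1 for t, p in pairs if t == c and p != c)
        fp = sum(1 for t, p in pairs if t != c and p == c)
        tn = sum(1 for t, p in pairs if t != c and p != c)
        tpr = tp / (tp + fn) if tp + fn else 0.0
        fpr = fp / (fp + tn) if fp + tn else 0.0
        rates[c] = (tpr, fpr)
    accuracy = sum(1 for t, p in pairs if t == p) / len(pairs)
    return accuracy, rates


def downsample_majority(samples, labels, ratio=1.0, seed=0):
    """Keep at most ratio * |minority| randomly chosen majority-class samples.

    Order of the surviving samples is preserved; the seed makes the draw
    reproducible, which matters when comparing classifier runs.
    """
    counts = Counter(labels)
    minority = min(counts, key=counts.get)
    majority = max(counts, key=counts.get)
    if minority == majority:          # single class or exact tie: nothing to do
        return list(samples), list(labels)
    maj_idx = [i for i, lab in enumerate(labels) if lab == majority]
    budget = min(len(maj_idx), int(ratio * counts[minority]))
    keep = set(random.Random(seed).sample(maj_idx, budget))
    kept = [(s, lab) for i, (s, lab) in enumerate(zip(samples, labels))
            if lab != majority or i in keep]
    return [s for s, _ in kept], [lab for _, lab in kept]


def balanced_class_weights(labels):
    """Per-class sample weights inversely proportional to class frequency,
    normalised so a perfectly balanced set gives every class weight 1.0
    (the same convention as scikit-learn's class_weight="balanced")."""
    counts = Counter(labels)
    n, k = len(labels), len(counts)
    return {c: n / (k * counts[c]) for c in counts}


def cost_sensitive_decision(p_bot, cost_miss, cost_false_alarm):
    """Cost-sensitive thresholding on a classifier's bot probability.

    Label a flow BOT when the expected cost of calling it legitimate
    (p_bot * cost_miss) exceeds the expected cost of calling it a bot
    ((1 - p_bot) * cost_false_alarm). Equivalent to the threshold
    p_bot > cost_false_alarm / (cost_false_alarm + cost_miss).
    """
    return BOT if p_bot * cost_miss > (1.0 - p_bot) * cost_false_alarm else LEGIT


def demo():
    """Constructed 50-bot / 950-legitimate flow set: a classifier that always
    answers 'legit' still scores 95% accuracy while catching no bot flow."""
    labels = [BOT] * 50 + [LEGIT] * 950
    samples = [{"flow_id": i} for i in range(len(labels))]   # stand-in features
    accuracy, rates = per_class_rates(labels, [LEGIT] * len(labels))
    _, down_labels = downsample_majority(samples, labels)
    return {
        "naive_accuracy": accuracy,
        "naive_rates": rates,
        "downsampled_counts": dict(Counter(down_labels)),
        "class_weights": balanced_class_weights(labels),
        "decision_p0.2_costs_10_1": cost_sensitive_decision(0.2, 10.0, 1.0),
        "decision_p0.2_costs_1_1": cost_sensitive_decision(0.2, 1.0, 1.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed set, the always-legitimate predictor reaches 0.95 accuracy with a bot-class TPR of 0.0 and a legitimate-class FPR of 1.0, which is exactly the failure the abstract describes: a single headline number hides that one class is never recognized. Downsampling the majority class to the minority's size and weighting classes inversely to their frequency (a weight of 10.0 for the bot class here) are the two rebalancing routes named in the abstract; with scikit-learn the weighting route corresponds to RandomForestClassifier(class_weight="balanced"), and cost_sensitive_decision shows the alternative of keeping the trained model and moving the decision threshold according to the asymmetric cost of a missed bot versus a false alarm.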