Abstract
Botnets have become a powerful threat on the Internet because they launch targeted attacks against organizations and individuals. P2P botnets are resilient and harder to detect because they use distributed command-and-control (C&C) approaches and encryption. Classification-based techniques proposed in the literature for detecting P2P botnets report high overall accuracy but fail to recognize the individual classes at similar rates. Identifying non-bot traffic correctly is as important as identifying bot traffic if the classifier is to be reliable. This paper proposes a model that distinguishes P2P botnet C&C traffic from normal traffic with a high detection rate for both classes, using the Random Forests ensemble-of-decision-trees classifier. To further optimize performance, the model also addresses the imbalanced nature of the dataset with downsampling and cost-sensitive learning. Evaluation of the proposed model shows a true positive rate above 0.99 for both the botnet and legitimate classes and a false positive rate of 0.008.
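The abstract's central point, that overall accuracy hides poor recall on the minority (bot) class, and its two remedies, downsampling and cost-sensitive learning, can be traced by hand on a toy. The following is an added illustration, not the paper's code or data: a single-feature threshold classifier stands in for the Random Forest, the feature (mean payload bytes per packet of a flow) and the 950-normal / 50-bot flow set are constructed so that 20 of the 50 bot flows overlap the normal range, and the per-class TPR/FPR reporting is what the paper's evaluation calls for.

```python
"""Per-class evaluation of an imbalanced P2P-botnet flow classifier.

Constructed example (not the paper's code or data): a one-feature
threshold classifier stands in for the Random Forest so that the effect
of class imbalance, downsampling and cost-sensitive learning on the
per-class true-positive rate (TPR) and false-positive rate (FPR) can be
followed by hand. Assumed feature: mean payload bytes per packet.
"""
import random
from dataclasses import dataclass

BOT, NORMAL = "bot", "normal"


@dataclass(frozen=True)
class Flow:
    mean_payload: int   # assumed flow feature, constructed values
    label: str


def make_flows():
    """Constructed, deterministic data: 950 normal flows, 50 C&C flows.
    Normal payloads span 100..1049; bot payloads span 40..138 (even
    values), so 20 of the 50 bot flows overlap the normal range."""
    normal = [Flow(100 + i, NORMAL) for i in range(950)]
    bots = [Flow(40 + 2 * j, BOT) for j in range(50)]
    return normal + bots


def predict(flows, threshold):
    """Toy classifier: flag a flow as C&C if its payload is below threshold."""
    return [BOT if f.mean_payload < threshold else NORMAL for f in flows]


def per_class_rates(flows, preds):
    """Confusion counts with BOT as the positive class. Returns overall
    accuracy, TPR for each class, and FPR (normal flows flagged as bot)."""
    tp = fn = fp = tn = 0
    for f, p in zip(flows, preds):
        if f.label == BOT:
            if p == BOT:
                tp += 1
            else:
                fn += 1
        elif p == BOT:
            fp += 1
        else:
            tn += 1
    return {
        "accuracy": (tp + tn) / len(flows),
        "tpr_bot": tp / (tp + fn),
        "tpr_normal": tn / (tn + fp),
        "fpr": fp / (fp + tn),
    }


def fit_threshold(train, bot_miss_cost=1.0):
    """Choose the threshold minimising weighted errors on the training set.
    bot_miss_cost == 1 is plain accuracy maximisation; bot_miss_cost > 1 is
    the cost-sensitive variant, where a missed C&C flow costs more than a
    false alarm. Ties go to the lower threshold."""
    values = sorted({f.mean_payload for f in train})
    candidates = values + [values[-1] + 1]

    def cost(t):
        fn = sum(1 for f in train if f.label == BOT and f.mean_payload >= t)
        fp = sum(1 for f in train if f.label == NORMAL and f.mean_payload < t)
        return bot_miss_cost * fn + fp

    return min(candidates, key=lambda t: (cost(t), t))


def downsample_majority(flows, seed=0):
    """Random downsampling: keep every minority (bot) flow and an equal
    number of randomly chosen majority (normal) flows."""
    rng = random.Random(seed)
    bots = [f for f in flows if f.label == BOT]
    normals = [f for f in flows if f.label == NORMAL]
    return bots + rng.sample(normals, len(bots))


def evaluate(flows, train, bot_miss_cost=1.0):
    """Fit on `train`, report per-class rates on `flows`."""
    t = fit_threshold(train, bot_miss_cost)
    return t, per_class_rates(flows, predict(flows, t))


if __name__ == "__main__":
    flows = make_flows()
    runs = [
        ("plain accuracy", flows, 1.0),
        ("cost-sensitive (cost 19)", flows, 19.0),
        ("downsampled 1:1", downsample_majority(flows), 1.0),
    ]
    for name, train, c in runs:
        t, r = evaluate(flows, train, c)
        rates = " ".join(f"{k}={v:.3f}" for k, v in r.items())
        print(f"{name:26s} threshold={t:4d} {rates}")
```

On this data the accuracy-maximising threshold lands at 100: overall accuracy is 0.98 and the FPR is 0, yet 40% of the C&C flows are missed (bot TPR 0.6). Weighting a missed bot flow by the 950:50 class ratio (cost 19) moves the threshold to 139 and catches every bot flow at the price of an FPR of about 0.041, which is the trade-off the paper tunes with downsampling and cost-sensitive Random Forests. The lesson for a practitioner is to report TPR per class and FPR rather than accuracy alone.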
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Garg, S., Sarje, A.K., Peddoju, S.K. (2014). Improved Detection of P2P Botnets through Network Behavior Analysis. In: Martínez Pérez, G., Thampi, S.M., Ko, R., Shu, L. (eds) Recent Trends in Computer Networks and Distributed Systems Security. SNDS 2014. Communications in Computer and Information Science, vol 420. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54525-2_30
DOI: https://doi.org/10.1007/978-3-642-54525-2_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-54524-5
Online ISBN: 978-3-642-54525-2