
A Closer Look at the HTTP and P2P Based Botnets from a Detector’s Perspective

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9482)

Abstract

Botnets are one of the main aggressive threats against cybersecurity. To evade detection systems, recent botnets use the most common communication protocols on the Internet to hide themselves in legitimate users' traffic. From this perspective, most recent botnets are HTTP based and/or Peer-to-Peer (P2P) systems. In this work, we investigate whether such structural differences have any impact on the performance of botnet detection systems. To this end, we studied the differences between three machine learning techniques (Decision Tree, Genetic Programming and Bayesian Networks). The investigated approaches have previously been shown to be effective for HTTP based botnets. We also analyze the detection models in detail to highlight any behavioural differences between these two types of botnets. In our analysis, we employed four publicly available HTTP based botnet data sets (namely Citadel, Zeus, Conficker and Virut) and four publicly available P2P based botnet data sets (namely ISOT, NSIS, ZeroAccess and Kelihos).


Notes

  1. Flow is defined as a logical equivalent for a call or a connection in association with a user specified group of elements [14]. The most common way to identify a traffic flow is to use a combination of five properties (aka 5-tuple) from the packet header, namely source/destination IP addresses and port numbers as well as the protocol.

  2. Network Information Management and Security: https://projects.cs.dal.ca/projectx/.
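To make the 5-tuple flow definition in note 1 concrete, the following added example (not code from the paper, and not the Tranalyzer exporter the authors used) groups constructed packet records into unidirectional flows keyed on source/destination IP, ports and protocol, expires a flow after an assumed idle timeout, and derives the kind of per-flow features (duration, packet and byte counts, mean packet size) that flow-based detectors are trained on.

```python
from collections import defaultdict

# Constructed packet records in the shape a flow exporter reads from a capture:
# (timestamp in seconds, src IP, dst IP, src port, dst port, protocol, bytes on the wire).
# Sample values for illustration only, not traffic from any of the paper's data sets.
PACKETS = [
    (0.00, "10.0.0.5", "203.0.113.7", 40001, 80, "tcp", 74),
    (0.01, "203.0.113.7", "10.0.0.5", 80, 40001, "tcp", 74),
    (0.02, "10.0.0.5", "203.0.113.7", 40001, 80, "tcp", 512),
    (0.05, "203.0.113.7", "10.0.0.5", 80, 40001, "tcp", 1460),
    (0.30, "10.0.0.5", "10.0.0.53", 53412, 53, "udp", 71),
    (0.31, "10.0.0.53", "10.0.0.5", 53, 53412, "udp", 135),
    (90.00, "10.0.0.5", "203.0.113.7", 40001, 80, "tcp", 74),  # same 5-tuple after a long gap
]

def flow_key(pkt):
    """The 5-tuple identifying a unidirectional flow: src IP, dst IP, src port, dst port, protocol."""
    _ts, src, dst, sport, dport, proto, _length = pkt
    return (src, dst, sport, dport, proto)

def aggregate_flows(packets, idle_timeout=60.0):
    """Group packets into unidirectional flows by 5-tuple. A flow is closed once it has been
    idle longer than idle_timeout seconds (an assumed exporter setting); the next packet with
    the same 5-tuple then starts a new flow. Returns flow records sorted by start time."""
    active = {}    # 5-tuple -> flow record currently being built
    finished = []
    for pkt in sorted(packets, key=lambda p: p[0]):
        ts, length = pkt[0], pkt[6]
        key = flow_key(pkt)
        flow = active.get(key)
        if flow is not None and ts - flow["last"] > idle_timeout:
            finished.append(active.pop(key))   # expire the idle flow
            flow = None
        if flow is None:
            flow = active[key] = {"key": key, "first": ts, "last": ts, "packets": 0, "bytes": 0}
        flow["last"] = ts
        flow["packets"] += 1
        flow["bytes"] += length
    finished.extend(active.values())
    for f in finished:   # per-flow features a detector would consume
        f["duration"] = round(f["last"] - f["first"], 3)
        f["mean_pkt_size"] = f["bytes"] / f["packets"]
    return sorted(finished, key=lambda f: f["first"])

if __name__ == "__main__":
    for f in aggregate_flows(PACKETS):
        print(f)
```

Note that the two directions of the HTTP exchange become two separate flows under a strict 5-tuple key; an exporter that pairs them into bidirectional flows produces different feature values, which is one reason the choice of flow exporter affects classifier results.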

References

  1. Tranalyzer. http://tranalyzer.com/

  2. Alpaydin, E.: Introduction to Machine Learning. MIT Press, Cambridge (2004)

  3. Beigi, E.B., Jazi, H., Stakhanova, N., Ghorbani, A.: Towards effective feature selection in machine learning-based botnet detection approaches. In: Communications and Network Security (CNS) (2014)

  4. CAIDA Conficker. http://www.caida.org/data/passive/telescope-3days-conficker_dataset.xml

  5. Feily, M., Shahrestani, A.: A survey of botnet and botnet detection emerging security information. In: Systems and Technologies (2009)

  6. Garcia, S.: Malware capture facility project, CVUT University, February 2013. https://agents.fel.cvut.cz/malware-capture-facility

  7. Garcia, S., Grill, M., Stiborek, J., Zunino, A.: An empirical comparison of botnet detection methods. Comput. Secur. 45, 100–123 (2014)

  8. Haddadi, F., Cong, D.L., Porter, L., Zincir-Heywood, A.N.: On the effectiveness of different botnet detection approaches. In: ISPEC (2015)

  9. Haddadi, F., Runkel, D., Zincir-Heywood, A., Heywood, M.: On botnet behaviour analysis using GP and C4.5. In: GECCO Companion (2014)

  10. Haddadi, F., Zincir-Heywood, A.N.: Benchmarking the effect of flow exporters and protocol filters on botnet traffic classification. IEEE Syst. J. PP(99), 1–12 (2014). doi:10.1109/JSYST.2014.2364743. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6963332&tag=1

  11. Haddadi, F., Zincir-Heywood, A.N.: Botnet detection system analysis on the effect of botnet evolution and feature representation. In: GECCO Companion (2015)

  12. Kirubavathi, V., Nadarajan, R.: HTTP botnet detection using adaptive learning rate multilayer feed-forward neural network. In: Information Security Theory and Practice: Security, Privacy and Trust in Computing Systems and Ambient Intelligent Ecosystems (2012)

  13. Lichodzijewski, P., Heywood, M.I.: Coevolutionary bid-based genetic programming for problem decomposition in classification. Genet. Program. Evolvable Mach. 9, 331–365 (2008)

  14. RFC 2722, October 1999. http://tools.ietf.org/html/rfc2722

  15. Vuong, S.T., Alam, M.S.: Advanced methods for botnet intrusion detection systems. In: Intrusion Detection Systems (2011)

  16. Wang, K., Huang, C., Lin, S., Lin, Y.: A fuzzy pattern-based filtering algorithm for botnet detection. Comput. Netw. 55, 3275–3286 (2011)

  17. Wurzinger, P., Bilge, L., Holz, T., Goebel, J., Kruegel, C., Kirda, E.: Automatically generating models for botnet detection. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 232–249. Springer, Heidelberg (2009)

  18. Zhang, J., Perdisci, R., Lee, U.S.W., Luo, Z.: Detecting stealthy P2P botnets using statistical traffic fingerprints. In: Dependable Systems and Networks (DSN) (2011)

  19. Zhao, D., Traore, I., Sayed, B., Lu, W., Saad, S., Ghorbani, A., Garant, D.: Botnet detection based on traffic behavior analysis and flow intervals. Comput. Secur. 39, Part A, 2–16 (2013). doi:10.1016/j.cose.2013.04.007. http://www.sciencedirect.com/science/article/pii/S0167404813000837


Acknowledgments

This research is supported by the Canadian Safety and Security Program (CSSP) E-Security grant. The CSSP is led by Defence Research and Development Canada, Centre for Security Science (CSS), on behalf of the Government of Canada and its partners across all levels of government, response and emergency management organizations, non-governmental agencies, industry and academia.

Author information

Corresponding author: Fariba Haddadi.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Haddadi, F., Zincir-Heywood, A.N. (2016). A Closer Look at the HTTP and P2P Based Botnets from a Detector’s Perspective. In: Garcia-Alfaro, J., Kranakis, E., Bonfante, G. (eds) Foundations and Practice of Security. FPS 2015. Lecture Notes in Computer Science, vol 9482. Springer, Cham. https://doi.org/10.1007/978-3-319-30303-1_13

  • DOI: https://doi.org/10.1007/978-3-319-30303-1_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30302-4

  • Online ISBN: 978-3-319-30303-1

  • eBook Packages: Computer Science (R0)
