Abstract-Biggest internet security threat is the rise of Botnets having modular and flexible structures. The combined power of thousands of remotely controlled computers increases the speed and severity of attacks. In this paper, we provide a comparative analysis of machine-learning based classification of botnet command & control(C&C) traffic for proactive detection of Peer-toPeer (P2P) botnets. We combine some of selected botnet C&C traffic flow features with that of carefully selected botnet behavioral characteristic features for better classification using machine learning algorithms. Our simulation results show that our method is very effective having very good test accuracy and very little training time. We compare the performances of Decision Tree (C4.5), Bayesian Network and Linear Support Vector Machines using performance metrics like accuracy, sensitivity, positive predictive value(PPV) and F-Measure. We also provide a comparative analysis of our predictive models using AUC (area under ROC curve). Finally, we propose a rule induction algorithm from original C4.5 algorithm of Quinlan. Our proposed algorithm produces better accuracy than the original decision tree classifier.
Abstract-Botnets are responsible for most of the security threats in the Internet. Botnet attacks often leverage on their coordinated structures among bots spread over a vast geographical area. In this paper, we propose CluSiBotHealer, a novel framework for detection of Peer-to-Peer (P2P) botnets through data mining technique. P2P botnets are more resilient structure of botnets (re)designed to overcome single point of failure of centralized botnets. Our proposed system is based on clustering of C&C flows within a monitored network for suspected bots. Leveraging on similarity of packet structures and flow structures of frequently exchanged C&C flows within a P2P botnet, our proposed system initially uses clustering of flows and then Jaccard similarity coefficient on sample sets derived from clusters for accurate detection of bots. Ours is a very effective and novel framework which can be used for proactive detection of P2P bots within a monitored network. We empirically validated our model on traces collected from three different P2P botnets namely Nugache, Waledac and P2P Zeus.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.