On botnet behaviour analysis using GP and C4.5

Haddadi, Fariba; Runkel, Dylan; Zincir-Heywood, A. Nur; Heywood, Malcolm I.

doi:10.1145/2598394.2605435

Cited by 22 publications

(27 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Having said this, TCP flags were shown to be used by malwares in ways that were not intended for legitimate use. In our previous work [13], we showed that TCP flags are employed by Torpig botnet for communication but not by the Conficker botnet. Therefore, in this paper, we first investigate the effect of three different TCP flag representations (i.e numerical, nominal and binary representations).…”

Section: Methodsmentioning

confidence: 94%

“…This data set is analyzed and compared against other Zeus botnet data sets in [15]. Since many works in the literature employed generated botnet traffic in a sandbox environment using the public botnet binaries and toolkits, we also run a Zeus botnet toolkit version 1.2.7.19 in a controlled sandbox environment and captured the traces [13] in November 2013. This toolkit is also analyzed and employed in [8].…”

Section: Data Set Collection and Feature Set Extractionmentioning

confidence: 99%

“…To answer this question, experiments are performed on TCP flags, which are known to be used by malwares [17]. This attribute has also shown to be used for some of the botnets in ways that were not intended for legitimate use [13]. To this end, we analyzed three representations-numerical, nominal and binary-specifically for the TCP flags.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Botnet Detection System Analysis on the Effect of Botnet Evolution and Feature Representation

Haddadi

Zincir-Heywood

2015

Proceedings of the Companion Publication of the 2015 Annual Conference on Genetic and Evolutionary Computation

Self Cite

View full text Add to dashboard Cite

Botnets are known as one of the main destructive threats that have been active since 2003 in various forms. The ability to upgrade the structure and algorithms on the fly is part of what causes botnets to survive for more than a decade. Hence, one of the main concerns in designing a botnet detection system is how long such a system can be effective and useful considering the evolution of a given botnet. Furthermore, the data representation and the feature extraction components have always been an important issue in order to design a robust detection system. In this work, we employ machine learning algorithms (genetic programming and decision trees) to explore two questions: (i) How can the representation of non-numeric features effect the detection system's performance? and (ii) How long can a machine learning based detection system can perform effectively? To this end, we gathered seven Zeus botnet data sets over a period of four years and analyzed three different data representation techniques to be able to explore aforementioned questions.

show abstract

Section: Methodsmentioning

confidence: 94%

Section: Data Set Collection and Feature Set Extractionmentioning

confidence: 99%

See 1 more Smart Citation

Botnet Detection System Analysis on the Effect of Botnet Evolution and Feature Representation

Haddadi

Zincir-Heywood

2015

Proceedings of the Companion Publication of the 2015 Annual Conference on Genetic and Evolutionary Computation

Self Cite

View full text Add to dashboard Cite

show abstract

“…Kirubavathi, and Anitha [23], [24] built a classifier to detect C&C channel by extracting features from a host traffic to a destination end for a defined interval deploying various learning algorithms. Utilizing C4.5 and GP algorithms, Haddadi, et al [25] classified HTTP C&C channel traffic. Detecting botnet traffic online by monitoring a number of packets in a flow was addressed by Stevanovic and Pedersen [26].…”

Section: Related Workmentioning

confidence: 99%

Machine Learning Based Botnet Identification Traffic

Azab

Alazab

Aiash

2016

2016 IEEE Trustcom/BigDataSE/Ispa

View full text Add to dashboard Cite

“…Over the last couple of years, a number of detection approaches that rely on traffic classification have been proposed (Stevanovic et al, 2016). Some of the most prominent approaches were proposed by Strayer et al (2008), Masud et al (2008), Saad et al (2011), Zhao et al (2013), Shin et al (2012), Bilge et al (2012Bilge et al ( , 2014, Perdisci et al (2012), Haddadi et al (2014) and Antonakakis et al (2011).…”

Section: Introductionmentioning

confidence: 99%

Detecting bots using multi-level traffic analysis

Stevanovic¹,

Pedersen²

2016

IJCSA

View full text Add to dashboard Cite

Botnets, as networks of compromised "zombie" computers, represent one of the most serious security threats on the Internet today. This paper explores how machines compromised with bot malware can be identified at local and enterprise networks in accurate and time-efficient manner. The paper introduces a novel multi-level botnet detection approach that performs network traffic analysis of three protocols widely considered as the main carriers of botnet Command and Control (C&C) and attack traffic, i.e. TCP, UDP and DNS. The proposed method relies on supervised machine learning for identifying patterns of botnet network traffic. The method has been evaluated through a series of experiments using traffic traces originating from 40 different bot samples and diverse benign applications. The evaluation indicates accurate and time-efficient classification of botnet traffic for all the three protocols as well as promising performance of identifying potentially compromised machines. The future work will be devoted to the optimization of traffic analysis and correlation of findings from three analysis levels in order to increase the accuracy of identifying compromised clients within the network.

show abstract

On botnet behaviour analysis using GP and C4.5

Cited by 22 publications

References 15 publications

Botnet Detection System Analysis on the Effect of Botnet Evolution and Feature Representation

Botnet Detection System Analysis on the Effect of Botnet Evolution and Feature Representation

Machine Learning Based Botnet Identification Traffic

Detecting bots using multi-level traffic analysis

Contact Info

Product

Resources

About