Online Botnet Detection Based on Incremental Discrete Fourier Transform

Yu, Xiaocong; Dong, Xueyi; Yu, Guanding; Qin, Yuhai; Yue, Dejun; Zhao, Yan

doi:10.4304/jnw.5.5.568-576

Cited by 17 publications

(19 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Dynamic malware analysis systems like Anubis [8], CWSandbox [50] and others [16,22,27,36,42] have proven invaluable in generating ground truth characterizations of malware behavior. The anti-malware community regularly applies these ground truths in scientific experiments, for example to evaluate malware detection technologies [2,10,17,19,24,26,30,33,44,48,[52][53][54], to disseminate the results of large-scale malware experiments [6,11,42], to identify new groups of malware [2,5,38,41], or as training datasets for machine learning approaches [20,34,35,38,40,41,47,55]. However, while analysis of malware execution clearly holds importance for the community, the data collection and subsequent analysis processes face numerous potential pitfalls.…”

Section: Introductionmentioning

confidence: 99%

Prudent Practices for Designing Malware Experiments: Status Quo and Outlook

Rossow

Dietrich²,

Grier

et al. 2012

2012 IEEE Symposium on Security and Privacy

165

124

View full text Add to dashboard Cite

Malware researchers rely on the observation of malicious code in execution to collect datasets for a wide array of experiments, including generation of detection models, study of longitudinal behavior, and validation of prior research. For such research to reflect prudent science, the work needs to address a number of concerns relating to the correct and representative use of the datasets, presentation of methodology in a fashion sufficiently transparent to enable reproducibility, and due consideration of the need not to harm others.In this paper we study the methodological rigor and prudence in 36 academic publications from 2006-2011 that rely on malware execution. 40% of these papers appeared in the 6 highest-ranked academic security conferences. We find frequent shortcomings, including problematic assumptions regarding the use of execution-driven datasets (25% of the papers), absence of description of security precautions taken during experiments (71% of the articles), and oftentimes insufficient description of the experimental setup. Deficiencies occur in top-tier venues and elsewhere alike, highlighting a need for the community to improve its handling of malware datasets. In the hope of aiding authors, reviewers, and readers, we frame guidelines regarding transparency, realism, correctness, and safety for collecting and using malware datasets.

show abstract

Section: Introductionmentioning

confidence: 99%

Prudent Practices for Designing Malware Experiments: Status Quo and Outlook

Rossow

Dietrich²,

Grier

et al. 2012

2012 IEEE Symposium on Security and Privacy

165

124

View full text Add to dashboard Cite

show abstract

“…Although most existing researches evaluated their bot detection solution using self-made or limited number of bot samples, we used 250 real bot samples to evaluate BBDP. The proposed solution performs better than compared solutions except Yu's et al work [10]. However, their work was only evaluated by four self-made bots.…”

Section: Discussionmentioning

confidence: 79%

“…Comparison of the proposed solution against other previous works.The proposed solution (BBDP)Park et al[9] Yu et al[10] Wang et al[8] BBDP, behavior-based botnet detection in parallel; IRC, Internet Relay Chat; HTTP, hypertext transfer protocol.…”

mentioning

confidence: 99%

Behavior‐based botnet detection in parallel

Wang

Huang

Tsai

et al. 2013

Security Comm Networks

View full text Add to dashboard Cite

Botnet has become one major Internet security issue in recent years. Although signature-based solutions are accurate, it is not possible to detect bot variants in real-time. In this paper, we propose behavior-based botnet detection in parallel (BBDP). BBDP adopts a fuzzy pattern recognition approach to detect bots. It detects a bot based on anomaly behavior in domain name service (DNS) queries and transmission control protocol (TCP) requests. With the design objectives of being efficient and accurate, a bot is detected using the proposed five-stage process, including: (i) traffic reduction, which shrinks an input trace by deleting unnecessary packets; (ii) feature extraction, which extracts features from a shrunk trace; (iii) data partitioning, which divides features into smaller pieces; (iv) DNS detection phase, which detects bots based on DNS features; and (v) TCP detection phase, which detects bots based on TCP features. The detection phases, which consume approximately 90% of the total detection time, can be dispatched to multiple servers in parallel and make detection in realtime. The large scale experiments with the Windows Azure cloud service show that BBDP achieves a high true positive rate (95%+) and a low false positive rate ( 3%). Meanwhile, experiments also show that the performance of BBDP can scale up linearly with the number of servers used to detect bots.

show abstract

“…Yu et al [24] proposed online botnet detection based on an incremental discrete Fourier transform approach. They used "feature streams" to describe raw network traffic, and then the feature streams originated from different hosts are compared with the known feature streams.…”

Section: Related Workmentioning

confidence: 99%

Parallel botnet detection system by using GPU

Hung

Wang

2014

2014 IEEE/ACIS 13th International Conference on Computer and Information Science (ICIS)

View full text Add to dashboard Cite

In recent years, botnet is one of the major threats to network security. Many approaches have been proposed to detect botnets by comparing bot features. Usually, these approaches adopt traffic reduction strategy as first step to reduce the flow to following strategies by filtering packets. With the rapid development of network hardware and software the network speed has reached to multi-gigabit. However, analyzing header and payload of every packet consumes huge amount of computational resources and is not suitable for many realistic situations. Although signaturebased solutions are accurate, it is not possible to detect bot variants in real-time. In this study, we proposed a GPU-based botnet detection approach. The experimental results show that the network traffic reduction stage on GPU can achieve about 8x times over CPU based botnet detection tool. The proposed algorithm can used to improve the performance of botnet detection tools efficiently.

show abstract

Online Botnet Detection Based on Incremental Discrete Fourier Transform

Cited by 17 publications

References 12 publications

Prudent Practices for Designing Malware Experiments: Status Quo and Outlook

Prudent Practices for Designing Malware Experiments: Status Quo and Outlook

Behavior‐based botnet detection in parallel

Parallel botnet detection system by using GPU

Contact Info

Product

Resources

About