Survey on network‐based botnet detection methods

García, Sebastián Rubio; Zunino, Alejandro; Campo, Marcelo

doi:10.1002/sec.800

Cited by 80 publications

(51 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We extract 8 features associated with each network trace. The features include frequency, duration, send and received bytes, send and received packages, protocol, port range 3 . Each network trace is represented by a feature vector.…”

Section: Features Extractionmentioning

confidence: 99%

See 1 more Smart Citation

Fortifying Botnet Classification based on Venn-abers Prediction

Wang¹,

Gao²,

Zhang³

et al. 2017

dtcse

View full text Add to dashboard Cite

Abstract. Botnet is one of the most significant threats to the Internet so that many botnet detection approaches have been proposed based on machine learning techniques. But botnets evolve more and more rapidly and over 70% malware created today uses one or more evasion techniques to avoid detection. Consequently, botnet detection models based on static threshold is facing the concept drift challenge. In this paper, we introduced Venn-Abers algorithm into detection model to mitigate concept drift problem. We selected KNN and KDE as scoring classifier to build a Venn-Abers predictor. The experiments show that each prediction has a probability interval output by a Venn-Abers predictor that accurately indicate the quality of prediction. The drop of prediction quality is a signature for concept drift even when the prediction result is correct.

show abstract

Section: Features Extractionmentioning

confidence: 99%

“…Nowadays, machine learning is widely used in botnet detection system as a core component [1][2][3]. However, with financial motivation, attackers keep generating new variants and evolving their evasion schemes.…”

Section: Introductionmentioning

confidence: 99%

Fortifying Botnet Classification based on Venn-abers Prediction

Wang¹,

Gao²,

Zhang³

et al. 2017

dtcse

View full text Add to dashboard Cite

show abstract

“…In a recent survey on network-based botnet detection methods by Garcia et al [7], the authors took an in-depth look at the most widely used and researched botnet detection tools available. In this review there was a discussion which highlighted the fact that bot detection mechanisms have different requirements than botnet detection mechanisms due to the difference in detecting one machine as opposed to a group of machines.…”

Section: Related Workmentioning

confidence: 99%

Utilizing Network Science and Honeynets for Software Induced Cyber Incident Analysis

Paxton

Jang

Russell

et al. 2015

2015 48th Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

Increasing situational awareness and investigating the cause of a software-induced cyber attack continues to be one of the most difficult yet important endeavors faced by network security professionals. Traditionally, these forensic pursuits are carried out by manually analyzing the malicious software agents at the heart of the incident, and then observing their interactions in a controlled environment. Both these steps are time consuming and difficult to maintain due to the ever changing nature of malicious software. In this paper we introduce a network science based framework which conducts incident analysis on a dataset by constructing and analyzing relational communities. Construction of these communities is based on the connections of topological features formed when actors communicate with each other. We evaluate our framework using a network trace of the BlackEnergy malware network, captured by our honeynet. We have found that our approach is accurate, efficient, and could prove as a viable alternative to the current status quo.

show abstract

“…While there are a lot of methods to detect them [4], there is yet a need to improve their detection performance. Since most of these methods use a behavioral model of the botnet on their algorithms and since most of them focus on the behavior of their Command and Control channels (C&C), we believe that having a better model of the behavior of these channels may help to create better detection algorithms.…”

Section: Introductionmentioning

confidence: 99%

Identifying and modeling botnet C&C behaviors

García¹,

Uhlíř²,

Řehák³

2014

Proceedings of the 1st International Workshop on Agents and CyberSecurity

Self Cite

View full text Add to dashboard Cite

Through the analysis of a long-term botnet capture, we identified and modeled the behaviors of its C&C channels. They were found and characterized by periodicity analyses and statistical representations. The relationships found between the behaviors of the UDP, TCP and HTTP C&C channels allowed us to unify them in a general model of the botnet behavior. Our behavioral analysis of the C&C channels gives a new perspective on the modeling of malware behavior, helping to better understand botnets.

show abstract

Survey on network‐based botnet detection methods

Cited by 80 publications

References 35 publications

Fortifying Botnet Classification based on Venn-abers Prediction

Fortifying Botnet Classification based on Venn-abers Prediction

Utilizing Network Science and Honeynets for Software Induced Cyber Incident Analysis

Identifying and modeling botnet C&C behaviors

Contact Info

Product

Resources

About