ABSTRACT
Anomaly-based classification of intrusions is used increasingly in Intrusion Detection Systems. A large number of training samples and a good feature set are the two primary requirements for building effective classification models with machine learning algorithms. Since the amount of data available for malicious traffic is often small compared to the available traces of benign traffic, extracting 'good' features that enable detection of malicious traffic is a challenging area of work.
This research work presents preliminary results of a comparison of the performance of three different feature selection algorithms (Correlation-based Feature Selection, Consistency-based Subset Evaluation and Principal Component Analysis) on three different machine learning techniques, namely Decision Trees, the Naïve Bayes classifier and the Bayesian Network classifier. These algorithms are evaluated for the detection of Peer-to-Peer (P2P) based botnet traffic.
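Two of the three feature selectors named in the abstract, correlation-based feature selection (Hall's CFS merit over symmetrical uncertainty) and consistency-based subset evaluation (inconsistency rate), applied to a small set of constructed, discretised flow records; this is an added illustration, not the paper's code or data, and the feature names, records and the exhaustive subset search are assumptions made here. It goes slightly beyond the abstract by showing how each criterion treats a redundant copy of a feature and a label-independent noise feature.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed, discretised flow records: (pkt_cnt, avg_len, dur, hour, label).
# avg_len deliberately duplicates pkt_cnt; hour is label-independent noise.
FEATURES = ("pkt_cnt", "avg_len", "dur", "hour")
ROWS = [
    ("L", "L", "long", 2, "bot"), ("L", "L", "long", 14, "bot"),
    ("L", "L", "short", 2, "benign"), ("L", "L", "short", 14, "benign"),
    ("S", "S", "long", 2, "benign"), ("S", "S", "long", 14, "benign"),
    ("S", "S", "short", 2, "benign"), ("S", "S", "short", 14, "benign"),
]
IDX = {name: i for i, name in enumerate(FEATURES)}
LABEL = len(FEATURES)  # column index of the class label

def entropy(cols):
    """Shannon entropy (bits) of the joint distribution over the given column indices."""
    counts = Counter(tuple(r[c] for c in cols) for r in ROWS)
    return -sum(k / len(ROWS) * math.log2(k / len(ROWS)) for k in counts.values())

def su(a, b):
    """Symmetrical uncertainty in [0, 1]: 0 = independent, 1 = one column determines the other."""
    ha, hb = entropy([a]), entropy([b])
    return 0.0 if ha + hb == 0 else 2 * (ha + hb - entropy([a, b])) / (ha + hb)

def cfs_merit(subset):
    """CFS merit: rewards feature-class correlation, penalises feature-feature correlation."""
    k = len(subset)
    rcf = sum(su(IDX[f], LABEL) for f in subset) / k
    pairs = list(combinations(subset, 2))
    rff = sum(su(IDX[a], IDX[b]) for a, b in pairs) / len(pairs) if pairs else 0.0
    return k * rcf / math.sqrt(k + k * (k - 1) * rff)

def consistency_rate(subset):
    """1 - inconsistency rate: rows with the same feature pattern but differing labels are inconsistent."""
    per_pattern = {}
    for r in ROWS:
        per_pattern.setdefault(tuple(r[IDX[f]] for f in subset), Counter())[r[LABEL]] += 1
    inconsistent = sum(sum(c.values()) - max(c.values()) for c in per_pattern.values())
    return 1 - inconsistent / len(ROWS)

def best_subset(score):
    """Exhaustive search over all non-empty subsets; ties go to the smaller, earlier subset."""
    cands = [s for k in range(1, len(FEATURES) + 1) for s in combinations(FEATURES, k)]
    best = max(cands, key=lambda s: (score(s), -len(s)))
    return best, round(score(best), 4)
```

Both criteria select {pkt_cnt, dur}: CFS because the duplicate avg_len raises the feature-feature correlation without adding class correlation and hour has zero correlation with the label, and the consistency criterion because that pair already separates bot from benign flows with no inconsistent rows.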