BotCluster: A session-based P2P botnet clustering system on NetFlow

Wang, Chun Yu; Ou, Chi Lung; Zhang, Yu En; Cho, Feng Min; Chen, Pin Hao; Chang, Jyh Biau; Shieh, Ce Kuen

doi:10.1016/j.comnet.2018.08.014

Cited by 39 publications

(13 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Network traffic has a network header. Let Netflow traffic be set as group records, and Netflow traffic be denoted as FT in the model as : (2) where rk was a collection of suspected bot activities records, K was an index of records activity with natural numbers. Each record (rk) has a network header (∂ ) and was defined as (3) where SIP ={sIPm}m=1,…,n was a set collection of source IP addresses, DIP ={dIPm}m=1,…,n was a set collection of destination IP address, Sport ={sportm}m=1,…,n was a set collection of source port address, Dport ={dportm}m=1,…,n was a set collection of destination port address, P ={pm}m=1,…,n was a set collection of protocol and Tpkts ={tpktsm}m=1,…,n was a set collection of total packets.…”

Section: Definition and Notation Of B-corr Modelmentioning

confidence: 99%

“…Bot activities have a characteristic that differed from other malware characteristics. Botnet consists of a collection of infected computers called as bots and controlled by botmaster [2]. Bot would then attack a 'victim' computer based on the bot master's command transmitted to all bot clients.…”

Section: Introductionmentioning

confidence: 99%

“…General approaches of botnet activity detection could be performed in the following ways [3]: detection based on signatures, detection with honeypot/honeynet, detection by monitoring DNS traffic from each bot, and detection based on analysis of bot behavior. These approaches usually involve data processing techniques such as histograms [4], clustering approaches [2], [5,6], and classification approaches [7 -9]. In the bot activity detection model, the discussion regarding similarities to determine the relationship between the bot attack and the capability to detect the bot preparators were relatively few and incomprehensive.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

B-Corr Model for Bot Group Activity Detection Based on Network Flows Traffic Analysis

Hostiadi¹,

Wibisono²,

Ahmad³

2020

KSII TIIS

View full text Add to dashboard Cite

Botnet is a type of dangerous malware. Botnet attack with a collection of bots attacking a similar target and activity pattern is called bot group activities. The detection of bot group activities using intrusion detection models can only detect single bot activities but cannot detect bots' behavioral relation on bot group attack. Detection of bot group activities could help network administrators isolate an activity or access a bot group attacks and determine the relations between bots that can measure the correlation. This paper proposed a new model to measure the similarity between bot activities using the intersections-probability concept to define bot group activities called as B-Corr Model. The B-Corr model consisted of several stages, such as extraction feature from bot activity flows, measurement of intersections between bots, and similarity value production. B-Corr model categorizes similar bots with a similar target to specify bot group activities. To achieve a more comprehensive view, the B-Corr model visualizes the similarity values between bots in the form of a similar bot graph. Furthermore, extensive experiments have been conducted using real botnet datasets with high detection accuracy in various scenarios.

show abstract

Section: Definition and Notation Of B-corr Modelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

B-Corr Model for Bot Group Activity Detection Based on Network Flows Traffic Analysis

Hostiadi¹,

Wibisono²,

Ahmad³

2020

KSII TIIS

View full text Add to dashboard Cite

show abstract

“…Deste modo, qualquer botnet que não utilize a arquitetura C&C tende a não ser identificada. O trabalho de Wang et al (2018) utiliza uma abordagem similar, onde o objetivoé agrupar as sessões P2P dos dispositivos infectados. Diferentemente, para o sistema ANTE, a arquitetura da botnet nãó e um pré-requisito para que a antecipação seja feita com sucesso, ou seja, nosso sistema independe do tipo do ataque.…”

Section: Trabalhos Relacionadosunclassified

Identificação Antecipada de Botnets por Aprendizagem de Máquina

Neira¹,

Medeiro²,

Nogueira³

2020

Anais XXXVIII Simpósio Brasileiro De Redes De Computadores E Sistemas Distribuídos (SBRC 2020)

View full text Add to dashboard Cite

O envio de spam, o roubo de dados pessoais e o ataque de negação de serviço são exemplos de ações resultantes da exploração de vulnerabilidades em dispositivos inseguros conectados à Internet. A constante evolução dos ataques, o aumento na quantidade de dispositivos vulneráveis devido à Internet das Coisas (IoT) e os elevados custos com os danos causados reforçam a necessidade de antecipar a ação de redes de dispositivos infectados (bots) geradoras de ataques. Neste contexto, os algoritmos de aprendizagem de máquina são relevantes para identificar essas redes, pois oferecem adaptação e tratamento de uma quantidade massiva de dados. Este trabalho apresenta o sistema ANTE, identificação ANTecipada de botnEts com base em algoritmos de aprendizagem de máquina. Instanciamos o sistema e comparamos os resultados obtidos de diferentes cenários e sob a análise de dados, como as bases de dados CTU-13 (cenários 10 e 11), CICDDoS2019, ISOT HTTP Botnet, CAIDA DDoS Attack 2007 e CSE-CIC-IDS2018. Embora as instâncias do sistema sejam capazes de identificar os bots, não existe uma única capaz de atender todos os cenários.

show abstract

“…removing approved DNS addresses via white-listing based on Alexa [17,39] or other rule based exclusion criteria (e.g. [5,36,46]). It is unclear whether the obtained results are due to the analysis or filtering steps.…”

Section: Related Workmentioning

confidence: 99%

Hybrid Connection and Host Clustering for Community Detection in Spatial-Temporal Network Data

Roeling

Nadeem

Verwer

2020

ECML PKDD 2020 Workshops

View full text Add to dashboard Cite

Network data clustering and sequential data mining are large fields of research, but how to combine them to analyze spatial-temporal network data remains a technical challenge. This study investigates a novel combination of two sequential similarity methods (Dynamic Time Warping and N-grams with Cosine distances), with two state-of-the-art unsupervised network clustering algorithms (Hierarchical Density-based Clustering and Stochastic Block Models). A popular way to combine such methods is to first cluster the sequential network data, resulting in connection types. The hosts in the network can then be clustered conditioned on these types. In contrast, our approach clusters nodes and edges in one go, i.e., without giving the output of a first clustering step as input for a second step. We achieve this by implementing sequential distances as covariates for host clustering. While being fully unsupervised, our method outperforms many existing approaches. To the best of our knowledge, the only approaches with comparable performance require manual filtering of connections and feature engineering steps. In contrast, our method is applied to raw network traffic. We apply our pipeline to the problem of detecting infected hosts (network nodes) from logs of unlabelled network traffic (sequential data). On data from the Stratosphere IPS project (CTU-Malware-Capture-Botnet-91), which includes malicious (Conficker botnet) as well as benign hosts, we show that our method perfectly detects peripheral, benign, and malicious hosts in different clusters. We replicate our results in the well-known ISOT dataset (Storm, Waledac, Zeus botnets) with comparable performance: conjointly, 99.97% of nodes were categorized correctly.

show abstract

BotCluster: A session-based P2P botnet clustering system on NetFlow

Cited by 39 publications

References 10 publications

B-Corr Model for Bot Group Activity Detection Based on Network Flows Traffic Analysis

B-Corr Model for Bot Group Activity Detection Based on Network Flows Traffic Analysis

Identificação Antecipada de Botnets por Aprendizagem de Máquina

Hybrid Connection and Host Clustering for Community Detection in Spatial-Temporal Network Data

Contact Info

Product

Resources

About