Hybrid Botnet Detection Based on Host and Network Analysis

Bibliographic Details
Main Authors: Suzan Almutairi, Saoucene Mahfoudh, Sultan Almutairi, Jalal S. Alowibdi
Format: Article
Language: English
Published: Wiley, 2020-01-01
Series: Journal of Computer Networks and Communications
Online Access: http://dx.doi.org/10.1155/2020/9024726
Collection: DOAJ
Abstract: Botnets are among the most dangerous cyber-security threats. A botnet infects unprotected machines and maintains communication with a command and control server to send and receive malicious commands. Attackers use botnets to launch attacks such as DDoS, phishing, data theft, and spamming. A botnet is usually very large, and millions of infected hosts may belong to it. In this paper, we address the problem of botnet detection based on network flow records and host activity, and we propose a general technique capable of detecting new botnets at an early stage. The technique is implemented on both sides: the host side and the network side. The botnet communication traffic of interest includes HTTP, P2P, IRC, and DNS using IP fluxing. The HANABot algorithm is proposed to preprocess traffic and extract features that distinguish botnet behavior from legitimate behavior. We evaluate the solution on a collection of real datasets (malicious and legitimate); the experiment shows a high level of accuracy and a low false positive rate. Furthermore, we compare the technique with some existing approaches, focusing on specific features and performance. The proposed technique outperforms some of these approaches in accurately detecting botnet flow records within NetFlow traces.
Record ID: doaj-art-f8fff346f0074210a904c5156997a42f
Institution: Kabale University
ISSN: 2090-7141, 2090-715X