P2P Botnet Detection Using Deep Learning Method

Document Type : Original Article

Authors

1 Ph.D. Student of Department of Computer Engineering, Shabestar Branch, Islamic Azad University, Shabestar ------------------------------------------------------ Faculty member of of Department of Computer Engineering, Khamneh Branch,

2 Associate Professor, Department of Computer, Science and Technology University, Tehran, Iran

3 Assistant Professor, Department of Computer Engineering, Shabestar Branch, Islamic Azad University, Shabestar, Iran

4 Assistant professor, Department of Computer Engineering, Shabestar Branch, Islamic Azad University, Shabestar, Iran

Abstract

A Botnet is a set of infected computers and smart devices on the Internet that are controlled remotely by a Botmaster to perform various malicious activities like distributed denial of service attacks(DDoS), sending spam, click-fraud and etc. When a Botmaster communicates with its own Bots, it generates traffic that  analyzing this traffic to detect the traffic of the Botnet can be one of the influential factors for intrusion  detection systems (IDS). In this paper, the long short term memory (LSTM) method is proposed to classify P2P Botnet activities. The proposed approach is based on the characteristics of the transfer control protocol (TCP) packets and the performance of the method is evaluated using both ISCX and ISOT datasets. The experimental results show that our proposed approach has a high capability in identifying P2P network activities based on evaluation criteria. The proposed method offers a 99.65% precision rate, a 96.32% accuracy rate and a recall rate of 99.63% with a false positive rate (FPR) of 0.67%.
 

Keywords


[1] M. Abu-Khalaf, EE 5322 Neural Networks Notes, Personal Study. [online] Arri.uta.edu /acs /abumurad /EE5322 /EE5322_NN _notes.pdf, 2004.##
[2] M. Botha, V. R. Solms, K. Perry, E. Loubser, G.Y. Port, and E. Technikon, “The utilization of Artificial Intelligence in a Hybrid Intrusion Detection System,” Annual research conference of the South African institute of computer scientists and information technologists on Enablement through technology, 2002.##
[3] V. Vapnik, “Statistical Learning Theory,” John Wiley & Sons Inc., New York, 1998.##
[4] J. Zhang, R. Perdisci, W. Lee, U. Sarfraz, and X. Luo, “Detecting stealthy P2P botnets using statistical traffic fingerprints,” 2011 IEEE/IFIP 41st International Conference on Dependable Systems & Networks (DSN), Jun. 2011.##
[5] K. Ilgun, R. A. Kemmerer, and P. A. Porras, “State Transition Analysis: A Rule-Based Intrusion Detection Approach,” IEEE Trans. Soft. Eng., vol. 21, pp.      181–199, 1995.##
[6] X. Yu, X. Dong, G. Yu, Y. Qin, and D. Yue,        “Data-Adaptive Clustering Analysis for Online Botnet Detection,” 2010 Third International Joint Conference on Computational Science and Optimization, 2010.##
[7] O. Y. Al-Jarrah, O. Alhussein, P. D. Yoo, S. Muhaidat, K. Taha, and K. Kim, “Data Randomization and Cluster-Based Partitioning for Botnet Intrusion Detection,” IEEE Transactions on Cybernetics, vol. 46, no. 8, pp. 1796–1806, Aug. 2016.##
[8] W. Lu, M. Tavallaee, G. Rammidi, and A. A. Ghorbani, “BotCop: An Online Botnet Traffic Classifier,” 2009 Seventh Annual Communication Networks and Services Research Conference, May 2009.##
[9] S. Parsa, H. Mortazi, “Botnet Detection with Flow Behavior Analysis Approach,” Journal of Electronical & Cyber Defence, vol. 5, no. 4, 2017. (In Persian)##
[10] M. Razi and K. Athappilly, “A Comparative Predictive Analysis of Neural Networks (NNs), Nonlinear Regression and Classification and Regression Tree (CART) Models,” Expert Systems with Applications, vol. 29, no. 1, pp. 65–74, Jul. 2005.##
[11] M. Alauthaman, N. Aslam, L. Zhang, R. Alasem, and M. A. Hossain, “A P2P Botnet detection scheme based on decision tree and adaptive multilayer neural networks,” Neural Computing and Applications, vol. 29, no. 11, pp. 991–1004, Oct. 2016.##
[12] A. A. Obeidat, “Hybrid Approach for Botnet Detection Using K-Means and K-Medoids with Hopfield Neural Network,” International Journal of Communication Networks and Information Security (IJCNIS), vol. 9, no. 3, pp. 305-313, 2017.##
[13] W. Xianglin, J. Fan, M. Chen, A. Tarem, and A. S. K Pathan, “SMART: A Subspace bsed Malicious Peers Detection Algorithm for P2P Systems,” International Journal of Communication Networks and Information Security, vol. 5, pp. 1-9, 2013.##
[14] S. Saad, I. Traore, A. A. Ghorbani, B. Sayed, D. Zhao, Wei Lu, J. Felix, and P. Hakimian, “Detecting P2P Botnets through Network Bhavior Analysis and Machine Learning,” 2011 Ninth Annual International Conference on Privacy, Security and Trust, Jul. 2011.##
[15] N. Kheir and C. Wolley, “BotSuer: Suing Stealthy P2P Bots in Network Traffic through Netflow Analysis,” Lecture Notes in Computer Science, pp. 162–178, 2013.##
[16] J. Kang, Y-Z. Song, and J-Y. Zhang, “Accurate Detection of Peer-to-Peer Botnet using Multi-Stream Fused Scheme,” Journal of Networks, vol. 6, no. 5, May 2011.##
[17] T. Cholez, I. Chrisment, O. Festor, and G. Doyen, “Detection and Mitigation of Localized Attacks in A Widely Deployed P2P Network,” Peer-to-Peer Networking and Applications, vol. 6, no. 2, pp.       155–174, May 2012.##
[18] Y. Fan and N. Xu, “A P2P Botnet Detection Method Used On-line Monitoring and Off-line Detection,” International Journal of Security and Its Applications, vol. 8, no. 3, pp. 87–96, May 2014.##
[19] S. C. Guntuku, P. P. Narang, and C. Hota, “ Real-time Peer-to-Peer Botnet Detection Framework based on Bayesian Regularized Neural Network,” arXiv preprint arXiv:1307.7464.##
[20] H. Huy, X. Wei, M. Faloutsos, and T. Eliassi-Rad, “Entelecheia: Detecting p2p botnets in their waiting stage,” IFIP Networking Conference, IEEE, pp. 1-9, 2013.##
[21] L. Xu, X. Xu, and Y. Zhuo, “P2P Botnet Detection Using Min-Vertex Cover,” Journal of Networks, vol. 7, no. 8, Aug. 2012.##
[22] P. Narang, V. Khurana, and C. Hota,            “Machine-learning approaches for P2P botnet detection using signal-processing techniques,” Proceedings of the 8th ACM International Conference on Distributed Event-Based Systems - DEBS’14, 2014.##
[23] Y. Qiao, Y. Yang, J. He, C. Tang, and Y. Zeng, “Detecting P2P bots by mining the regional periodicity,” Journal of Zhejiang University Science C, vol. 14, no. 9, pp. 682–700, Sep. 2013.##
[24] S. García, A. Zunino, and M. Campo, “Survey on      Network-based Botnet Detection Methods,” Security and Communication Networks, vol. 7, no. 5, pp.   878–903, Jun. 2013.##
[25] A. A. Obeidat, “Analysis the P2P Botnet Detection Methods,” International Journal of Computer Science (IIJCS), vol. 4, no. (3), pp. 1-11, 2016.##
[26] W. Tarng, L-Z. Den, K-L. Ou, and M. Chen, “The Analysis and Identification of P2P Botnet's Traffic Flows,” International Journal of Communication Networks and Information Security, vol. 3, no. 2, pp. 138-148, 2011.##
[27] J. Zhang, R. Perdisci, W. Lee, X. Luo, and U. Sarfraz, “Building a Scalable System for Stealthy P2P-Botnet Detection,” IEEE Transactions on Information Forensics and Security, vol. 9, no. 1, pp. 27–38, Jan. 2014.##
[28] B. Rahbarinia, R. Perdisci, A. Lanzi, and K. Li, “PeerRush: Mining for unwanted P2P traffic,” Journal of Information Security and Applications, vol. 19, no. 3, pp. 194–208, Jul. 2014.##
[29] D. Zhao and I. Traore, “P2P Botnet Detection through Malicious Fast Flux Network Identification,” 2012 Seventh International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, Nov. 2012.##
[30] D. Zhao, I. Traore, B. Sayed, W. Lu, S. Saad, A. A. Ghorbani, and D. Garant, “Botnet detection based on traffic behavior analysis and flow intervals,” Computers & Security, vol. 39, pp. 2–16, Nov. 2013.##
[31] G. Kirubavathi Venkatesh and R. Anitha Nadarajan, “HTTP Botnet Detection Using Adaptive Learning Rate Multilayer     Feed-Forward Neural Network,” Lecture Notes in Computer Science, pp. 38–48, 2012.##
[32] K. Wang, C-Y. Huang, S-J. Lin, and Y-D. Lin, “A fuzzy pattern-based filtering algorithm for botnet detection,” Computer Networks, vol. 55, no. 15, pp. 3275–3286, Oct. 2011.##
[33] C-Y. Huang, “Effective bot host detection based on network failure models,” Computer Networks, vol. 57, no. 2, pp. 514–525, Feb. 2013.##
[34] H. Dhayal and J. Kumar, “Peer-to-Peer Botnet Detection based on Bot Behaviour,” International Journal of Advanced Research in Computer Science, vol. 8, no. 3, pp. 172-175, 2017.##
[35] R. Chen, W. Niu, X. Zhang, Z. Zhuo, and F. Lv, “An Effective Conversation-Based Botnet Detection Method,” Mathematical Problems in Engineering, vol. 2017, pp. 1–9, 2017.##
[36] Z. Yang and B. Wang, “A Feature Extraction Method for P2P Botnet Detection Using Graphic Symmetry Concept,” Symmetry, vol. 11, no. 3, p. 326, Mar. 2019##
[37] H. R. Zeidanloo, M. J. Z. Shooshtari, P. V. Amoli, M. Safari, and M. Zamani, “A Taxonomy of Botnet Detection Techniques,” 2010 3rd International Conference on Computer Science and Information Technology, Jul. 2010.##
[38] K-S. Han, K-H. Lim, and E-G. Im, “The Traffic Analysis of P2Pbased Storm Botnet Using Honeynet,” Journal of the Korea Institute of Information Security and Cryptology, vol. 19, no. 4,##
[39] S-K. Noh, J-H. Oh, J-S. Lee, B-N. Noh, and H-C. Jeong, “Detecting P2P Botnets Using a Multi-phased Flow Model,” 2009 Third International Conference on Digital Society, Feb. 2009.##
[40] C. Li, W. Jiang, and X. Zou, “Botnet: Survey and Case Study,” 2009 Fourth International Conference on Innovative Computing, Information and Control (ICICIC), Dec. 2009.##
[41] G. Sinclair, C. Nunnery, and B. B. Kang, “The Waledac Protocol: The How and Why,” 2009 4th International Conference on Malicious and Unwanted Software (MALWARE), Oct. 2009.##
[42] S. Shin, G. Gu, N. Reddy, and C. P. Lee, “A       Large-Scale Empirical Study of Conficker,” IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, pp. 676–690, Apr. 2012.##
[43] T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling, “Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm,” LEET journal, vol. 8, no. 1, pp. 1-9, 2008.##
[44] H. Binsalleeh, T. Ormerod, A. Boukhtouta, P. Sinha, A. Youssef, M. Debbabi, and L. Wang, “On the analysis of the Zeus botnet crimeware toolkit,” 2010 Eighth International Conference on Privacy, Security and Trust, Aug. 2010.##
[45] G. Gu, J. Zhang, and W. Lee, “BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic,” 15th Annual Network and Distributed System Security Symposium, 2008.##
[46] G. Gu, R. Perdisci, J. Zhang, and W. Lee, “BotMiner: Clustering Analysis of Network Traffic for Protocol and  Structure-independent Botnet Detection,” USENIX security symposium, 2008.##
[47] T-F. Yen and M. K. Reiter, “Traffic Aggregation for Malware Detection,” Lecture Notes in Computer Science, pp. 207–227.##
[48] C. Livadas, R. Walsh, D. Lapsley, and W. T. Strayer, “Usilng Machine Learning Technliques to Identify Botnet Traffic,” Proceedings, 2006 31st IEEE Conference on Local Computer Networks, Nov. 2006.##
[49] P. van der Putten and M. van Someren, “A           Bias-Variance Analysis of a Real World Learning Problem: The CoIL Challenge 2000,” Machine Learning, vol. 57, no. 1/2, pp. 177–195, Oct. 2004.##
[50] S. Hochreiter and J. Schmidhuber, “Long Short-Term Memory,” Neural Computation, vol. 9, no. 8, pp. 1735–1780, 1997.##
[51] J. Woodbridge, H. S. Anderson, A. Ahuja, and D. Grant, “Predicting Domain Generation Algorithms with Long          Short-Term Memory Networks,” preprint arXiv:1611.00791, 2016.##
[52] D. Kingma and J. Ba, “Adam: A Method for Stochastic Optimization,” preprint arXiv:1412.6980, 2014.##
[53] N. Srivastava, G. E. Hinton, A. Krizhevsky, I. Sutskever, and R. Salakhutdinov, “Dropout: A Simple Way to Prevent Neural Networks from Overfitting,” Journal of Machine Learning Research, vol. 15, no. 1, pp. 1929–1958, 2014.##
[54] M. Abadi, et al, “TensorFlow: Large-scale machine learning on heterogeneous systems,” Accessed: 2017-05- 28 [Online]. Available: http://tensorflow.org/##
[55] F. Chollet, “Keras,” Accessed: 2017-05-28 [Online]. Available: https://github.com/fchollet/keras##
[56] A. Shiravi, H. Shiravi, M. Tavallaee, and A. A. Ghorbani, “Toward developing a systematic approach to generate benchmark datasets for intrusion detection,” Computers & Security, vol. 31, no. 3, pp. 357–374, May 2012.##
[57] J-D. Wang and H-C. Liu, “An approach to evaluate the fitness of one class structure via dynamic centroids,” Expert Systems with Applications, May 2011.##