International Journal On Cyber Situational Awareness (IJCSA)
ISSN: (Print) 2057-2182 ISSN: (Online) 2057-2182
Published Semi-annually. Est. 2014
Dr Cyril Onwubiko, Chair – Cyber Security & Intelligence, E-Security Group, Research Series, London, UK; IEEE UK & Ireland Section Secretary
Professor Frank Wang, Head of School / Professor of Future Computing, Chair IEEE Computer Society, UK&RI, School of Computing, University of Kent, Canterbury, UK
Dr Thomas Owens, Senior Lecturer & Director of Quality, Department of Electronic and Computer Engineering, Brunel University, London, UK
Detecting Bots using Multi-Level Traffic Analysis
Matija Stevanovic and Jens Myrup Pedersen
Botnets, as networks of compromised “zombie” computers, represent one of the most serious security threats on the Internet today. This paper explores how machines compromised with bot malware can be identified at local and enterprise networks in accurate and time-efficient manner. The paper introduces a novel multi-level botnet detection approach that performs network traffic analysis of three protocols widely considered as the main carriers of botnet Command and Control (C&C) and attack traffic, i.e. TCP, UDP and DNS. The proposed method relies on supervised machine learning for identifying patterns of botnet network traffic. The method has been evaluated through a series of experiments using traffic traces originating from 40 different bot samples and diverse benign applications. The evaluation indicates accurate and time-efficient classification of botnet traffic for all the three protocols as well as promising performance of identifying potentially compromised machines. The future work will be devoted to the optimization of traffic analysis and correlation of findings from three analysis levels in order to increase the accuracy of identifying compromised clients within the network.
Keywords: Botnet, Botnet Detection, Traffic Analysis, Traffic Classification, MLAs, Random Forests, Client analysis.
Volume 1. No. 1
Date: Nov. 2016
Reference to this paper should be made as follows: Stevanovic, M. & Pedersen JM. (2016). Detecting bots using multi-level traffic analysis. International Journal on Cyber Situational Awareness, Vol. 1, No. 1, pp182-209.