Bots are more frequently involved in interactions

This preview shows page 3 - 4 out of 17 pages.

Bots are more frequently involved in interactions that occur on Seg2 and Seg3. C&C and bots connects together either to receive commands or to update status (Seg2). Bots also interacts with each other in P2P botnets or with any other node outside the botnet to carry out malicious activities on Seg3. Thus, in case of centralized botnets (e.g., IRC or HTTP), a detection method based on C&C activities in Seg1&2 could be more appropriate because it may help in discovering connected bots as well as their botmaster. In case of P2P botnets, the concept of dedicated centralized C&C server does not exist. Therefore, communications in Seg3 are more appropriate where interactions and activities between individual bots take place. Figure 1. Botnet Communication Segmentation The system that we describe hereafter uses network-flow information. This choice eliminates the need to inspect packet payloads, which has several advantages. First, no processing overhead of deep packet inspection, which improves system performance. Second, no inspecting packet contents means implicitly no privacy violation. Finally, the system becomes more resilient to encrypted traffic. Besides that, our approach concentrates on botnet traffic that is related to maintenance/control messages that may be exchanged on segment Seg2 in case of centralized botnets or Seg3, in case of peer-2-peer. This enables the detection of dormant bots that do not send significant quantity of traffic, for example to spam or to carry out DDoS attacks. More precisely, we focus on TCP/IP network flow, which is a set of packets between any communicating pair that have 5 features in common: ScrIP, ScrPort, DstIP, DstPort and Protocol. Using this 5-tuple features as a flow identifier makes each flow unique in the network segment. The flow can be bidirectional like TCP flows or unidirectional like UDP flows. Figure 2 illustrates a typical example of client- server flow where the 5-tuples are: ScrIP=192.168.1.1, SrcPort=2012, DstIP=173.194.116.112, DstPort=80 and Protocol = TCP, HTTP application uses TCP as transport layer protocol. TCP/IP Trace or traffic trace for simplicity, is an aggregation of TCP/IP flows between any client-server pair during a certain period of time. The flows are aggregated based on their values of 3-tuple (SrcIP, DstIP, and DstPort). The approach consists simply of analyzing a set of statistical features of traffic traces to identify signs of bot communication in terms of similarity and regularity or repetitiveness. To implement this approach in BotCap, we have to go through two essential stages: 1. Feature Selection: in this part, we analyzed a lot of statistical features of traffic traces to pick up and define an initial set of distinctive features that seems to be helpful in botnet detection. 2. Building ML detection model: in this part, we deal with ML model creation process. We employ J48, which is a variation of C4.5 algorithm [5] and different SVM kernels [6], [7] to identify a feature set that gives good detection results for the same ML algorithm. Then, we
Image of page 3

Subscribe to view the full document.

Image of page 4
  • Summer '17
  • SIR AZHAR
  • Machine Learning, Peer-to-peer, Internet bot, International Journal of Communication Networks, IJCNIS

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern