A hybrid technique to detect botnets, based on P2P traffic similarity

Riaz Ullah Khan; Rajesh Kumar; Mamoun Alazab; Xiaosong Zhang

doi:10.1109/CCC.2019.00008

A hybrid technique to detect botnets, based on P2P traffic similarity

Riaz Ullah Khan, Rajesh Kumar, Mamoun Alazab, Xiaosong Zhang

College of Engineering, IT and Environment

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper published in Proceedings › Research › peer-review

Abstract

The botnet has been one of the most common threats to the network security since it exploits multiple malicious codes like worm, Trojans, Rootkit, etc. These botnets are used to perform the attacks, send phishing links, and/or provide malicious services. It is difficult to detect Peer-to-peer (P2P) botnets as compare to IRC (Internet Relay Chat), HTTP (HyperText Transfer Protocol) and other types of botnets because of having typical features of the centralization and distribution. To solve these problems, we propose an effective two-stage traffic classification method to detect P2P botnet traffic based on both non-P2P traffic filtering mechanism and machine learning techniques on conversation features. At the first stage, we filter non-P2P packages to reduce the amount of network traffic through well-known ports, DNS query, and flow counting. At the second stage, we extract conversation features based on data flow features and flow similarity. We detected P2P botnets successfully, by using Machine Learning Classifiers. Experimental evaluations show that our two-stage detection method has a higher accuracy than traditional P2P botnet detection methods.

Original language	English
Title of host publication	Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	136-142
Number of pages	7
ISBN (Electronic)	9781728126005
DOIs	https://doi.org/10.1109/CCC.2019.00008
Publication status	Published - 1 May 2019
Event	2019 Cybersecurity and Cyberforensics Conference, CCC 2019 - Melbourne, Australia Duration: 7 May 2019 → 8 May 2019

Publication series

Name	Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019

Conference

Conference	2019 Cybersecurity and Cyberforensics Conference, CCC 2019
Country	Australia
City	Melbourne
Period	7/05/19 → 8/05/19

Fingerprint

traffic

conversation

hypertext

chat

centralization

learning

Learning systems

Computer worms

threat

Internet

HTTP

evaluation

Network security

Botnet

Classifiers

Cite this

Khan, R. U., Kumar, R., Alazab, M., & Zhang, X. (2019). A hybrid technique to detect botnets, based on P2P traffic similarity. In Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019 (pp. 136-142). [8854561] (Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019). IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/CCC.2019.00008

Khan, Riaz Ullah ; Kumar, Rajesh ; Alazab, Mamoun ; Zhang, Xiaosong. / A hybrid technique to detect botnets, based on P2P traffic similarity. Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019. IEEE, Institute of Electrical and Electronics Engineers, 2019. pp. 136-142 (Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019).

@inproceedings{b90b4ea45e3c4d1d8d001329fd2d4933,

title = "A hybrid technique to detect botnets, based on P2P traffic similarity",

abstract = "The botnet has been one of the most common threats to the network security since it exploits multiple malicious codes like worm, Trojans, Rootkit, etc. These botnets are used to perform the attacks, send phishing links, and/or provide malicious services. It is difficult to detect Peer-to-peer (P2P) botnets as compare to IRC (Internet Relay Chat), HTTP (HyperText Transfer Protocol) and other types of botnets because of having typical features of the centralization and distribution. To solve these problems, we propose an effective two-stage traffic classification method to detect P2P botnet traffic based on both non-P2P traffic filtering mechanism and machine learning techniques on conversation features. At the first stage, we filter non-P2P packages to reduce the amount of network traffic through well-known ports, DNS query, and flow counting. At the second stage, we extract conversation features based on data flow features and flow similarity. We detected P2P botnets successfully, by using Machine Learning Classifiers. Experimental evaluations show that our two-stage detection method has a higher accuracy than traditional P2P botnet detection methods.",

keywords = "Anomaly Detection, Botnet detection, Feature Extraction, P2P traffic identification",

author = "Khan, {Riaz Ullah} and Rajesh Kumar and Mamoun Alazab and Xiaosong Zhang",

year = "2019",

month = "5",

day = "1",

doi = "10.1109/CCC.2019.00008",

language = "English",

series = "Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

pages = "136--142",

booktitle = "Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019",

address = "United States",

}

Khan, RU, Kumar, R, Alazab, M & Zhang, X 2019, A hybrid technique to detect botnets, based on P2P traffic similarity. in Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019., 8854561, Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019, IEEE, Institute of Electrical and Electronics Engineers, pp. 136-142, 2019 Cybersecurity and Cyberforensics Conference, CCC 2019, Melbourne, Australia, 7/05/19. https://doi.org/10.1109/CCC.2019.00008

A hybrid technique to detect botnets, based on P2P traffic similarity. / Khan, Riaz Ullah; Kumar, Rajesh; Alazab, Mamoun; Zhang, Xiaosong.

Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019. IEEE, Institute of Electrical and Electronics Engineers, 2019. p. 136-142 8854561 (Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019).

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper published in Proceedings › Research › peer-review

TY - GEN

T1 - A hybrid technique to detect botnets, based on P2P traffic similarity

AU - Khan, Riaz Ullah

AU - Kumar, Rajesh

AU - Alazab, Mamoun

AU - Zhang, Xiaosong

PY - 2019/5/1

Y1 - 2019/5/1

N2 - The botnet has been one of the most common threats to the network security since it exploits multiple malicious codes like worm, Trojans, Rootkit, etc. These botnets are used to perform the attacks, send phishing links, and/or provide malicious services. It is difficult to detect Peer-to-peer (P2P) botnets as compare to IRC (Internet Relay Chat), HTTP (HyperText Transfer Protocol) and other types of botnets because of having typical features of the centralization and distribution. To solve these problems, we propose an effective two-stage traffic classification method to detect P2P botnet traffic based on both non-P2P traffic filtering mechanism and machine learning techniques on conversation features. At the first stage, we filter non-P2P packages to reduce the amount of network traffic through well-known ports, DNS query, and flow counting. At the second stage, we extract conversation features based on data flow features and flow similarity. We detected P2P botnets successfully, by using Machine Learning Classifiers. Experimental evaluations show that our two-stage detection method has a higher accuracy than traditional P2P botnet detection methods.

AB - The botnet has been one of the most common threats to the network security since it exploits multiple malicious codes like worm, Trojans, Rootkit, etc. These botnets are used to perform the attacks, send phishing links, and/or provide malicious services. It is difficult to detect Peer-to-peer (P2P) botnets as compare to IRC (Internet Relay Chat), HTTP (HyperText Transfer Protocol) and other types of botnets because of having typical features of the centralization and distribution. To solve these problems, we propose an effective two-stage traffic classification method to detect P2P botnet traffic based on both non-P2P traffic filtering mechanism and machine learning techniques on conversation features. At the first stage, we filter non-P2P packages to reduce the amount of network traffic through well-known ports, DNS query, and flow counting. At the second stage, we extract conversation features based on data flow features and flow similarity. We detected P2P botnets successfully, by using Machine Learning Classifiers. Experimental evaluations show that our two-stage detection method has a higher accuracy than traditional P2P botnet detection methods.

KW - Anomaly Detection

KW - Botnet detection

KW - Feature Extraction

KW - P2P traffic identification

UR - http://www.scopus.com/inward/record.url?scp=85073869793&partnerID=8YFLogxK

U2 - 10.1109/CCC.2019.00008

DO - 10.1109/CCC.2019.00008

M3 - Conference Paper published in Proceedings

T3 - Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019

SP - 136

EP - 142

BT - Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019

PB - IEEE, Institute of Electrical and Electronics Engineers

ER -

Khan RU, Kumar R, Alazab M, Zhang X. A hybrid technique to detect botnets, based on P2P traffic similarity. In Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019. IEEE, Institute of Electrical and Electronics Engineers. 2019. p. 136-142. 8854561. (Proceedings - 2019 Cybersecurity and Cyberforensics Conference, CCC 2019). https://doi.org/10.1109/CCC.2019.00008

Access to Document

10.1109/CCC.2019.00008

Link to publication in Scopus