An adaptive multi-layer botnet detection technique using machine learning classifiers

Riaz Ullah Khan, Xiaosong Zhang, Rajesh Kumar, Abubakar Sharif, Noorbakhsh Amiri Golilarz, Mamoun Alazab

Research output: Contribution to journal › Article › Research › peer-review


Abstract

In recent years, botnets have been among the most common threats to network security, since they exploit multiple kinds of malicious code such as worms, Trojans and rootkits. Botnets have been used to carry phishing links, to perform attacks and to provide malicious services on the internet. Peer-to-peer (P2P) botnets are more challenging to identify than Internet Relay Chat (IRC), Hypertext Transfer Protocol (HTTP) and other types of botnets, because P2P traffic shows features of both centralization and distribution. To resolve the issues of P2P botnet identification, we propose an effective multi-layer traffic classification method that applies machine learning classifiers to features of network traffic. Our work presents a framework based on decision trees which effectively detects P2P botnets. A decision tree algorithm is applied for feature selection to extract the most relevant features and discard the irrelevant ones. At the first layer, we filter out non-P2P packets to reduce the amount of network traffic, using well-known ports, Domain Name System (DNS) queries and flow counting. The second layer further characterizes the captured network traffic as non-P2P or P2P. At the third layer of our model, we reduce the features which may only marginally affect the classification. At the final layer, we detect P2P botnets using a decision tree classifier on extracted network communication features. Furthermore, our experimental evaluations show the significance of the proposed method for P2P botnet detection and demonstrate an average accuracy of 98.7%.

Original language: English
Article number: 2375
Pages (from-to): 1-22
Number of pages: 22
Journal: Applied Sciences (Switzerland)
Volume: 9
Issue number: 11
DOIs: 10.3390/app9112375
Publication status: Published - 11 Jun 2019


Cite this

Khan, Riaz Ullah ; Zhang, Xiaosong ; Kumar, Rajesh ; Sharif, Abubakar ; Golilarz, Noorbakhsh Amiri ; Alazab, Mamoun. / An adaptive multi-layer botnet detection technique using machine learning classifiers. In: Applied Sciences (Switzerland). 2019 ; Vol. 9, No. 11. pp. 1-22.
@article{ea1a180d435d44e59d57e834c6c0941f,
title = "An adaptive multi-layer botnet detection technique using machine learning classifiers",
abstract = "In recent years, the botnets have been the most common threats to network security since it exploits multiple malicious codes like a worm, Trojans, Rootkit, etc. The botnets have been used to carry phishing links, to perform attacks and provide malicious services on the internet. It is challenging to identify Peer-to-peer (P2P) botnets as compared to Internet Relay Chat (IRC), Hypertext Transfer Protocol (HTTP) and other types of botnets because P2P traffic has typical features of the centralization and distribution. To resolve the issues of P2P botnet identification, we propose an effective multi-layer traffic classification method by applying machine learning classifiers on features of network traffic. Our work presents a framework based on decision trees which effectively detects P2P botnets. A decision tree algorithm is applied for feature selection to extract the most relevant features and ignore the irrelevant features. At the first layer, we filter non-P2P packets to reduce the amount of network traffic through well-known ports, Domain Name System (DNS). query, and flow counting. The second layer further characterized the captured network traffic into non-P2P and P2P. At the third layer of our model, we reduced the features which may marginally affect the classification. At the final layer, we successfully detected P2P botnets using decision tree Classifier by extracting network communication features. Furthermore, our experimental evaluations show the significance of the proposed method in P2P botnets detection and demonstrate an average accuracy of 98.7{\%}.",
keywords = "Anomaly detection, Botnet detection, Machine learning, Network traffic identification",
author = "Khan, {Riaz Ullah} and Xiaosong Zhang and Rajesh Kumar and Abubakar Sharif and Golilarz, {Noorbakhsh Amiri} and Mamoun Alazab",
year = "2019",
month = "6",
day = "11",
doi = "10.3390/app9112375",
language = "English",
volume = "9",
pages = "1--22",
journal = "Applied Sciences (Switzerland)",
issn = "2076-3417",
publisher = "Multidisciplinary Digital Publishing Institute",
number = "11",

}

An adaptive multi-layer botnet detection technique using machine learning classifiers. / Khan, Riaz Ullah; Zhang, Xiaosong; Kumar, Rajesh; Sharif, Abubakar; Golilarz, Noorbakhsh Amiri; Alazab, Mamoun.

In: Applied Sciences (Switzerland), Vol. 9, No. 11, 2375, 11.06.2019, p. 1-22.


TY - JOUR

T1 - An adaptive multi-layer botnet detection technique using machine learning classifiers

AU - Khan, Riaz Ullah

AU - Zhang, Xiaosong

AU - Kumar, Rajesh

AU - Sharif, Abubakar

AU - Golilarz, Noorbakhsh Amiri

AU - Alazab, Mamoun

PY - 2019/6/11

Y1 - 2019/6/11

N2 - In recent years, the botnets have been the most common threats to network security since it exploits multiple malicious codes like a worm, Trojans, Rootkit, etc. The botnets have been used to carry phishing links, to perform attacks and provide malicious services on the internet. It is challenging to identify Peer-to-peer (P2P) botnets as compared to Internet Relay Chat (IRC), Hypertext Transfer Protocol (HTTP) and other types of botnets because P2P traffic has typical features of the centralization and distribution. To resolve the issues of P2P botnet identification, we propose an effective multi-layer traffic classification method by applying machine learning classifiers on features of network traffic. Our work presents a framework based on decision trees which effectively detects P2P botnets. A decision tree algorithm is applied for feature selection to extract the most relevant features and ignore the irrelevant features. At the first layer, we filter non-P2P packets to reduce the amount of network traffic through well-known ports, Domain Name System (DNS). query, and flow counting. The second layer further characterized the captured network traffic into non-P2P and P2P. At the third layer of our model, we reduced the features which may marginally affect the classification. At the final layer, we successfully detected P2P botnets using decision tree Classifier by extracting network communication features. Furthermore, our experimental evaluations show the significance of the proposed method in P2P botnets detection and demonstrate an average accuracy of 98.7%.

AB - In recent years, the botnets have been the most common threats to network security since it exploits multiple malicious codes like a worm, Trojans, Rootkit, etc. The botnets have been used to carry phishing links, to perform attacks and provide malicious services on the internet. It is challenging to identify Peer-to-peer (P2P) botnets as compared to Internet Relay Chat (IRC), Hypertext Transfer Protocol (HTTP) and other types of botnets because P2P traffic has typical features of the centralization and distribution. To resolve the issues of P2P botnet identification, we propose an effective multi-layer traffic classification method by applying machine learning classifiers on features of network traffic. Our work presents a framework based on decision trees which effectively detects P2P botnets. A decision tree algorithm is applied for feature selection to extract the most relevant features and ignore the irrelevant features. At the first layer, we filter non-P2P packets to reduce the amount of network traffic through well-known ports, Domain Name System (DNS). query, and flow counting. The second layer further characterized the captured network traffic into non-P2P and P2P. At the third layer of our model, we reduced the features which may marginally affect the classification. At the final layer, we successfully detected P2P botnets using decision tree Classifier by extracting network communication features. Furthermore, our experimental evaluations show the significance of the proposed method in P2P botnets detection and demonstrate an average accuracy of 98.7%.

KW - Anomaly detection

KW - Botnet detection

KW - Machine learning

KW - Network traffic identification

UR - http://www.scopus.com/inward/record.url?scp=85067256466&partnerID=8YFLogxK

U2 - 10.3390/app9112375

DO - 10.3390/app9112375

M3 - Article

VL - 9

SP - 1

EP - 22

JO - Applied Sciences (Switzerland)

JF - Applied Sciences (Switzerland)

SN - 2076-3417

IS - 11

M1 - 2375

ER -