Synopsis viva presentation
1. ANALYSIS AND DETECTION OF BOTNETS USING DATA MINING TECHNIQUES
Candidate: G. Kirubavathi
Reg No: 71010112041
Guide: Dr. R. Anitha
Associate Professor
Department of Applied Mathematics and
Computational Sciences
PSG College of Technology
2. Outline
Introduction
Botnet Lifecycle
Botnet Attacks
Botnets : A study and analysis
HTTP botnet detection using HsMM model with SNMP MIB variables
HTTP botnet detection using Adaptive Learning Rate MLFF-NN
Botnet detection via mining of traffic flow characteristics
Structural analysis and detection of Android botnets using machine learning techniques
Conclusion
Future work
References
3. Introduction
• A bot is a self-propagating application that infects vulnerable hosts through direct exploitation or Trojan insertion.
• A botnet consists of a network of compromised computers (“bots”) controlled by an attacker (“botmaster”).
4. What is the need for Botnet Detection?
Aug 4, 2010 - Zeus v2 botnet that owned 100,000 UK PCs taken out
Aug 12, 2010 - Zeus v3 botnet raid on UK bank accounts
2013 - 'Chameleon' botnet takes $6 million a month in ad money
5 April 2013 - WordPress hit by large-scale botnet attack
5. Botnets: Current Single Largest Internet Threat
“Attack of zombie computers is growing threat”
(New York Times)
“Why we are losing the botnet battle”
(Network World)
“Botnet could eat the internet”
(Silicon.com)
“25% of Internet PCs are part of a botnet”
(Vint Cerf)
6. Bot
The term 'bot' comes from 'robot'.
In the computing paradigm, 'bot' usually refers to an automated process.
There are good bots and bad bots.
Examples of good bots:
Google bot
Game bot
Examples of bad bots:
Malicious software that steals information
7. What is a botnet
Virus: reproduces itself quickly on one computer
Trojan horse: hides itself as a safe file
Worm: propagates quickly through the Internet
Remote control software: legal, remote control of a desktop user's machine
Botnet: integrates all of the above
8. Botnet
A bot is a self-propagating application that infects vulnerable hosts through direct exploitation or Trojan insertion.
A botnet consists of a network of compromised computers (“bots”) controlled by an attacker (“botmaster”).
Based on the communication protocol, botnets are classified as:
IRC botnets
HTTP botnets
P2P botnets
12. Botnet DDoS Attack Scenario
(Diagram: the botmaster logs in to a reflection server, updates ip.txt and updates the domain name at the domain name provider; victims who browse a malicious website are infected through a webpage Trojan, download and update the bot, resolve the botmaster's domain via the DNS server and wait for control commands; on command the zombies scan and attack the victim.)
15. Classification of Botnet Detection Techniques
Honeynets
Intrusion Detection Systems
    Signature based / Anomaly based
    Host based / Network based
    Active monitoring / Passive monitoring
16. HTTP Botnet Detection using Adaptive Learning Rate MLFF-NN
Recent botnets have begun using common protocols such as HTTP.
HTTP bot communications are based on TCP connections.
TCP-related features have been identified for the detection of HTTP botnets.
18. Traces of different Web-based Botnets
Bot Family    Trace Size    Packets Number
Zeus-1        5.85 MB       53,220
Zeus-2        4.13 MB       37,252
Spyeye-1      25.17 MB      1,75,870
Spyeye-2      3.90 MB       35,180
19. Identification accuracy of web botnet traffic profiles
Traffic Traces    # neurons in the input layer    # neurons in the hidden layer    Correct Identification
Spyeye-1          6                               18                               99.03%
Spyeye-2          6                               18                               99.02%
Zeus-1            6                               18                               99.01%
Zeus-2            6                               18                               99.04%
20. Performance Measures of Spyeye Botnet
Method           Precision    Recall    F-Measure    Accuracy (%)
Decision Tree    0.968        0.931     0.949        96.5333
Random Forest    0.968        0.934     0.950        96.667
RBF              0.976        0.927     0.950        96.5333
FF NN            0.964        0.983     0.973        99.03
24. Comparison of Performance
Method                                                   Average Detection Accuracy (%)
Gu et al. (2008), BotMiner - data mining techniques      96.825
Nogueira et al. (2010), neural networks                  94.9175
Adaptive learning rate neural network - proposed         99.025
25. HTTP Botnet Detection using HsMM with SNMP MIB Variables
A hidden semi-Markov model (HsMM) is used to characterize the normal network behavior, with the TCP-based MIB variables as the observed sequence.
The forward-backward algorithm is used to estimate the model parameters.
26. Proposed System Architecture
(Diagram.) Extraction of the SNMP MIB variables -> Summation of the SNMP MIB variables -> Feature reduction by PCA -> HsMM modeling
Train data -> Forward-backward algorithm -> HsMM model
Test data -> HsMM model -> Normal / Bot
27. Model Construction
Construct an HsMM to build a profile of normal MIB traffic behavior and use this model to detect the botnet.
An HsMM can be described as λ = (N, M, V, A, B, Π), where
N is the size of the state space Φ = {0, 1};
V = {v0, v1, …, v(M-1)} is the set of all visible symbols, which are nothing but the TCP-MIB variables;
M is the number of all visible symbols, i.e. the summation count of the MIB variables;
A = [a_ij] (N × N) is the state transition probability matrix, where a_ij = P{next_state = j | current_state = i}, i, j ∈ Φ.
Initially A is assumed to be
    A = | 0 1 |
        | 0 1 |
i.e. no matter what the current state is, the process transfers to the normal state at the next step with probability 1.
28. Model Construction Cont…
B = {b_i(k)}, i ∈ Φ, 1 ≤ k ≤ M, is the distribution of the visible symbols V, where b_i(k) = P{observed system behavior = v_k | current state = i}.
Π = [Π0, Π1, Π2, …, Π(N-1)] is the initial state distribution.
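As an added example (not part of the deck or the authors' code), the forward pass of the HsMM described on slides 25 to 28, written in Python for a constructed two-state model scored against constructed binned MIB-count sequences. The state space, A, B and Π follow the slide's notation; the duration distribution p_j(d), the bin values, the threshold rule and the margin are assumptions of this example, and the forward-backward re-estimation of λ is not shown.

```python
import math

# Constructed toy HsMM in the deck's notation lambda = (N, M, V, A, B, Pi).
# Phi = {0, 1}; state 1 is taken to be the normal state.  A is the slide's
# initial assumption: whatever the current state, the next state is the
# normal state with probability 1 (forward-backward re-estimation not shown).
N, M, D = 2, 4, 3                        # states, visible symbols, max duration
A  = [[0.0, 1.0], [0.0, 1.0]]            # a_ij = P{next_state = j | current = i}
Pi = [0.0, 1.0]                          # initial state distribution
B  = [[0.10, 0.20, 0.30, 0.40],          # b_i(k): symbol k = binned summation
      [0.40, 0.30, 0.20, 0.10]]          #   count of the MIB variables; the
P  = [[0.2, 0.3, 0.5], [0.5, 0.3, 0.2]]  #   normal state favours low counts
                                         # p_j(d): P{state j lasts d steps} (assumed)

def hsmm_loglik(obs, A=A, B=B, Pi=Pi, P=P):
    """Forward pass of an explicit-duration HMM; returns log P(O | lambda).
    alpha[t][j] = P(o_1..o_t and a run of state j ends exactly at time t)."""
    T = len(obs)
    alpha = [[0.0] * N for _ in range(T + 1)]
    for t in range(1, T + 1):
        for j in range(N):
            total = 0.0
            for d in range(1, min(D, t) + 1):
                start = t - d                         # run covers obs[start:t]
                emit = math.prod(B[j][o] for o in obs[start:t])
                if start == 0:                        # first run: use Pi
                    prev = Pi[j]
                else:                                 # run follows some state i
                    prev = sum(alpha[start][i] * A[i][j] for i in range(N))
                total += prev * P[j][d - 1] * emit
            alpha[t][j] = total
    return math.log(sum(alpha[T]))

def classify(seq, normal_train, margin=0.5):
    """Score seq against the normal profile: a per-symbol log-likelihood below
    the worst normal training score minus a margin (assumed rule) means Bot."""
    threshold = min(hsmm_loglik(s) / len(s) for s in normal_train) - margin
    score = hsmm_loglik(seq) / len(seq)
    return ("Bot" if score < threshold else "Normal"), score

# Constructed symbol sequences (binned MIB summation counts, 0 = lowest bin).
NORMAL_TRAIN = [[0, 1, 0, 0, 2, 1, 0, 0, 1, 0], [1, 0, 0, 1, 0, 0, 2, 0, 1, 1]]
NORMAL_TEST  = [0, 0, 1, 0, 1, 0, 0, 2, 0, 1]
BOT_TEST     = [3, 3, 2, 3, 3, 3, 2, 3, 3, 3]      # sustained high counts

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL_TEST), ("bot", BOT_TEST)):
        label, score = classify(seq, NORMAL_TRAIN)
        print(f"{name}: per-symbol log-likelihood {score:.3f} -> {label}")
```

Probabilities are multiplied directly, so for long MIB sequences the alpha values must be scaled or kept in log space to avoid underflow.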
29. Web-based botnet identification accuracy
Datasets        False +ve Rate    Detection Accuracy    Results
Web Service     0%                100%                  Normal
FTP Service     0%                100%                  Normal
Spyeye          1.33%             98.67%                Malicious Botnet
Black Energy    1.28%             98.72%                Malicious Botnet
30. Future Work
Analyze the various types of current botnet activities.
Identify suitable statistical modeling techniques to detect botnets irrespective of their communication protocols and command-and-control structures.
31. Conclusion
Botnets pose a significant and growing threat to cyber security.
They provide a key platform for many cyber crimes, such as DDoS.
Network security has become an integral part of our lives, and botnets have become the most serious threat to it.
It is therefore very important to detect botnet attacks and find solutions for them.
32. Published Paper
G. Kirubavathi Venkatesh and R. Anitha, “HTTP Botnet Detection using Adaptive Learning Rate Multilayer Feed-forward Neural Network”. In Proceedings of the International Workshop in Information Security Theory and Practice (WISTP’12), UK, 2012, LNCS 7322, pp. 38-48, 2012.
Paper Communicated
G. Kirubavathi Venkatesh, V. Srihari, R. Veeramani, RM. Karthikeyan and R. Anitha, “HTTP Botnet Detection using Hidden semi-Markov Model with SNMP MIB Variables”, communicated to the International Journal of Security and Communication Networks (Wiley).
33. References
P. Barford and V. Yegneswaran, “An inside look at botnets,” Springer-Verlag, 2006.
J. Binkley and S. Singh, “An algorithm for anomaly-based botnet detection,” in Proceedings of the USENIX Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), pp. 43-48, 2006.
T. Abbes, A. A. Bouhoula, and M. Rusinowitch, “Protocol analysis in intrusion detection using decision tree,” in Proc. International Conference on Information Technology: Coding and Computing (ITCC ’04), IEEE Xplore, pp. 404-408.
J. Zhang, M. Zulkernine, and A. Haque, “Random-forests-based network intrusion detection systems,” IEEE Transactions on Systems, Man, and Cybernetics, Part C, vol. 38, no. 5, pp. 649-659, 2008.
J. Lee et al., “The activity analysis of malicious HTTP-based botnets using degree of periodic repeatability,” in Proceedings of the IEEE International Conference on Security Technology, pp. 83-86, December 2008.
34. References cont…
X. Tan and H. Xi, “Hidden semi-Markov model for anomaly detection,” Applied Mathematics and Computation, Elsevier, vol. 205, no. 2, pp. 562-567, November 2008 (Special Issue on Advanced Intelligent Computing Theory and Methodology in Applied Mathematics and Computation).
S.-Z. Yu and H. Kobayashi, “An efficient forward-backward algorithm for an explicit-duration hidden Markov model,” IEEE Signal Processing Letters, vol. 10, no. 1, pp. 11-14, Jan. 2003.
B. Wang, Z. Li, D. Li, F. Liu, and H. Chen, “Modeling connections behavior for web-based bots detection,” in 2nd IEEE International Conference on e-Business and Information System Security (EBISS), Wuhan, pp. 1-4, 2010.
Y. Xie and S.-Z. Yu, “Monitoring the application-layer DDoS attacks for popular websites,” IEEE/ACM Transactions on Networking, vol. 17, no. 1, Feb. 2009.