ANALYSIS AND DETECTION OF BOTNETS
USING DATA MINING TECHNIQUES
Candidate : G.Kirubavathi
Reg No : 71010112041
Guide : Dr.R.Anitha
Associate Professor
Department of Applied Mathematics and
Computational Sciences
PSG College of Technology
Outline
• Introduction
• Botnet Lifecycle
• Botnet Attacks
• Botnets: A study and analysis
• HTTP botnet detection using HsMM model with SNMP MIB variables
• HTTP botnet detection using Adaptive Learning rate MLFF NN
• Botnet detection via mining of traffic flow characteristics
• Structural analysis and detection of Android botnets using machine learning techniques
• Conclusion
• Future work
• References
Introduction
• A bot is a self-propagating application that infects vulnerable hosts through direct exploitation or Trojan insertion.
• A botnet is a network of compromised computers ("bots") controlled by an attacker (the "botmaster").
What is the need for Botnet Detection?
• Aug 4 2010: Zeus v2 botnet that owned 100,000 UK PCs taken out
• Aug 12 2010: Zeus v3 botnet raid on UK bank accounts
• In 2013, the Chameleon botnet takes $6 million a month in ad money
• WordPress hit by a large-scale botnet attack, 5th April 2013
Botnets: Current Single Largest Internet Threat
• "Attack of zombie computers is growing threat" (New York Times)
• "Why we are losing the botnet battle" (Network World)
• "Botnet could eat the internet" (Silicon.com)
• "25% of Internet PCs are part of a botnet" (Vint Cerf)
Bot
• The term 'bot' comes from 'robot'.
• In computing, 'bot' usually refers to an automated process.
• There are good bots and bad bots.
• Examples of good bots: Google bot, game bot.
• Example of bad bots: malicious software that steals information.
What is a botnet
• Virus: reproduces itself quickly on one computer
• Trojan horse: hides itself as a safe file
• Worm: propagates quickly through the internet
• Remote control software: legal, used by desktop users
• Botnet: integrates all of the above
Botnet
• A bot is a self-propagating application that infects vulnerable hosts through direct exploitation or Trojan insertion.
• A botnet is a network of compromised computers ("bots") controlled by an attacker (the "botmaster").
• Botnets are classified, based on the communication protocol, as:
  • IRC botnet
  • HTTP botnet
  • P2P botnet
Botnet Attacks: spam e-mail, information theft, DDoS
[Figure: Botnet DDoS attack scenario. Labels in the diagram: botmaster (192.168.3.203); reflection server huigezi.3322.org (192.168.2.55); download bot (192.168.4.201); zombies 192.168.4.202 to 192.168.4.209 scanning and "waiting for control command from botmaster"; command, attack and connection paths to the victim; infection by browsing a malicious website (webpage Trojan); DNS server 202.117.0.20 and domain name provider www.3322.org; bot update via ftp://192.168.2.55/ip.txt (log in, update ip.txt, update domain name).]
Classification of Botnet Detection Techniques
• Honeynets
• Intrusion Detection System
  • Signature based
  • Anomaly based
    • Host based
    • Network based
      • Active monitoring
      • Passive monitoring
HTTP Botnet Detection using Adaptive Learning Rate MLFF-NN
• Recent botnets have begun using common protocols such as HTTP
• HTTP bot communications are based on TCP connections
• TCP-related features have been identified for the detection of HTTP botnets
Proposed System Architecture
[Figure: network traffic -> feature extraction -> normalization (pre-processing) -> training set / testing set -> neural network classifier (NN training -> NN model -> evaluate) -> Normal / Bot.]
Traces of different Web-based Botnets
Bot family   Trace size   Number of packets
Zeus-1       5.85 MB      53,220
Zeus-2       4.13 MB      37,252
Spyeye-1     25.17 MB     175,870
Spyeye-2     3.90 MB      35,180
Identification accuracy of web botnet traffic profiles
Traffic trace   Neurons in input layer   Neurons in hidden layer   Correct identification
Spyeye-1        6                        18                        99.03%
Spyeye-2        6                        18                        99.02%
Zeus-1          6                        18                        99.01%
Zeus-2          6                        18                        99.04%
Performance Measures of Spyeye Botnet
Method          Precision   Recall   F-Measure   Accuracy (%)
Decision Tree   0.968       0.931    0.949       96.5333
Random Forest   0.968       0.934    0.950       96.667
RBF             0.976       0.927    0.950       96.5333
FF NN           0.964       0.983    0.973       99.03
ROC curve for Spyeye Botnet
Performance Measures of Zeus Botnet
Method          Precision   Recall   F-Measure   Accuracy (%)
Decision Tree   0.956       0.930    0.941       96.14333
Random Forest   0.952       0.930    0.940       96.000
RBF             0.959       0.922    0.940       95.8667
FF NN           0.948       0.992    0.969       99.04
ROC curve for Zeus Botnet
Comparison of Performance
Method                                               Average detection accuracy (%)
Gu et al. (2008), BotMiner, data mining techniques   96.825
Nogueira et al. (2010), neural networks              94.9175
Adaptive learning neural networks (proposed)         99.025
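To make the classifier and the scoring behind the tables above concrete, the following is an added example, not code from the slides or from the authors' system. It builds a multilayer feed-forward network with the 6-input / 18-hidden-neuron shape reported in the identification-accuracy table, trains it by back-propagation with a "bold driver" adaptive learning rate (an assumption; the slides do not say which adaptation rule was used), and computes the precision, recall, F-measure and accuracy columns of the performance tables. The six TCP-flow feature names and the already-normalized sample vectors are constructed for the demonstration.

```python
import math
import random

# Assumed TCP-flow feature names; the slides only say "TCP related features".
FEATURES = ["pkts_per_flow", "bytes_per_flow", "flow_duration",
            "pkt_interarrival", "syn_ratio", "flows_per_minute"]


def make_dataset(n_per_class=120, seed=7):
    """Constructed, labelled sample data: 0 = normal, 1 = bot.
    Values are already scaled to [0, 1], as the normalization step would do."""
    rng = random.Random(seed)
    data = []
    for label, centre in ((0, 0.25), (1, 0.75)):
        for _ in range(n_per_class):
            x = [min(1.0, max(0.0, rng.gauss(centre, 0.12))) for _ in FEATURES]
            data.append((x, label))
    rng.shuffle(data)
    return data


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class AdaptiveMLFF:
    """One-hidden-layer feed-forward net trained by back-propagation. The learning
    rate adapts per epoch (bold driver): grow it after an epoch that lowered the
    summed squared error, halve it after an epoch that raised it."""

    def __init__(self, n_in=6, n_hidden=18, lr=0.1, seed=1):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0
        self.lr = lr

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
             for row, b in zip(self.w1, self.b1)]
        out = sigmoid(sum(w * hi for w, hi in zip(self.w2, h)) + self.b2)
        return h, out

    def predict(self, x):
        return 1 if self.forward(x)[1] >= 0.5 else 0

    def _epoch(self, data):
        sse = 0.0
        for x, y in data:
            h, out = self.forward(x)
            err = y - out
            sse += err * err
            d_out = err * out * (1 - out)                       # output-layer delta
            d_h = [d_out * w * hi * (1 - hi) for w, hi in zip(self.w2, h)]  # hidden deltas
            for j, hi in enumerate(h):
                self.w2[j] += self.lr * d_out * hi
            self.b2 += self.lr * d_out
            for j in range(len(self.w1)):
                for i, xi in enumerate(x):
                    self.w1[j][i] += self.lr * d_h[j] * xi
                self.b1[j] += self.lr * d_h[j]
        return sse

    def train(self, data, epochs=60, grow=1.05, shrink=0.5, lr_max=1.0):
        prev = float("inf")
        history = []
        for _ in range(epochs):
            sse = self._epoch(data)
            self.lr = min(self.lr * grow, lr_max) if sse < prev else self.lr * shrink
            prev = sse
            history.append((sse, self.lr))   # (error, learning rate used next epoch)
        return history


def performance(model, data):
    """Precision, recall, F-measure and accuracy with 'bot' as the positive class."""
    tp = fp = fn = tn = 0
    for x, y in data:
        p = model.predict(x)
        if p and y:
            tp += 1
        elif p and not y:
            fp += 1
        elif not p and y:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f_measure": f,
            "accuracy": (tp + tn) / len(data)}


def run_experiment():
    """70/30 split of the constructed data, train the 6-18-1 net, score the test set."""
    data = make_dataset()
    split = int(0.7 * len(data))
    train, test = data[:split], data[split:]
    model = AdaptiveMLFF(n_in=len(FEATURES), n_hidden=18)
    model.train(train)
    return performance(model, test)


if __name__ == "__main__":
    print(run_experiment())
```

The bold-driver rule is what makes the rate "adaptive": the history returned by train() shows the rate climbing while the error falls and collapsing as soon as an epoch overshoots, which is the behaviour a fixed-rate network lacks.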
HTTP Botnet Detection using HsMM with SNMP MIB Variables
• A Hidden semi-Markov Model (HsMM) is used to characterize normal network behaviour, taking the TCP-based MIB variables as the observed sequence.
• The forward-backward algorithm is used to estimate the model parameters.
Proposed System Architecture
[Figure: extraction of the SNMP MIB variables -> feature reduction by PCA -> summation of the SNMP MIB variables -> HsMM modelling (train data -> forward-backward algorithm -> HsMM model; test data evaluated against the model) -> Normal / Bot.]
Model Construction
• Construct a HsMM to build a profile of normal MIB traffic behaviour and use this model to detect the botnet.
• A HsMM is described by λ = (N, M, V, A, B, П), where
  • N is the size of the state space Ф = {0, 1}
  • V = {v0, v1, …, vM-1} is the set of all visible symbols, which are the TCP-MIB variables
  • M, the number of visible symbols, is the summation count of the MIB variables
  • A = [aij]N×N is the state transition probability matrix, where aij = P{next_state = j | current state = i}, i, j ϵ Ф
  • Initially A is assumed to be
    $A = \begin{pmatrix} 0 & 1 \\ 0 & 1 \end{pmatrix}$
    i.e. the process is normal: whatever the current state, the process moves to the normal state (state 1) at the next step with probability 1.
Model Construction (cont.)
• B = {bi(k)}, i ϵ Ф, 1 ≤ k ≤ M, is the distribution of the visible symbols V, where bi(k) = P{observed system behaviour = vk | current state i}
• П = [П0, П1, П2, …, ПN-1] is the initial state distribution
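The following is an added example, not the authors' code, of the normal-traffic HsMM profile defined on the two Model Construction slides. It instantiates λ = (N, M, V, A, B, П) with N = 2, the slides' transition matrix A, the initial distribution placing all mass on the normal state, and eight real TCP-MIB counter names as V, then evaluates the explicit-duration forward probability of an observed sequence and scores it by per-symbol log-likelihood. Full forward-backward re-estimation is not reproduced: B is estimated by counting over constructed normal sequences, the duration distribution and the symbol mixes used to generate data are constructed, and the forward recursion assumes the last segment ends exactly at the final observation. A test sequence whose score falls more than four standard deviations below the training mean is reported as botnet traffic.

```python
import math
import random

# Real TCP-MIB counter names (RFC 4022); everything about their probabilities below is constructed.
MIB_VARS = ["tcpActiveOpens", "tcpPassiveOpens", "tcpAttemptFails", "tcpEstabResets",
            "tcpCurrEstab", "tcpInSegs", "tcpOutSegs", "tcpRetransSegs"]
M = len(MIB_VARS)
# Constructed generating mixes: an observation is the index of the counter that advanced most
# during one SNMP poll. Normal traffic is dominated by tcpInSegs/tcpOutSegs; the bot mix leans
# on connection attempts and failures.
NORMAL_MIX = [0.05, 0.05, 0.02, 0.03, 0.05, 0.35, 0.35, 0.10]
BOT_MIX = [0.30, 0.05, 0.30, 0.10, 0.05, 0.08, 0.07, 0.05]


def sample_sequence(mix, length, rng):
    return rng.choices(range(M), weights=mix, k=length)


class HsMM:
    """Explicit-duration (semi-Markov) model: B[i][k] emission, P[i][d-1] duration,
    A[i][j] transition between segments, pi[i] initial state."""

    def __init__(self, B, P, A, pi):
        self.B, self.P, self.A, self.pi = B, P, A, pi
        self.N, self.D = len(B), len(P[0])

    def likelihood(self, obs):
        T = len(obs)
        # alpha[t][i]: P(o_1..o_t and a state-i segment ends exactly at t)
        alpha = [[0.0] * self.N for _ in range(T + 1)]
        for t in range(1, T + 1):
            for i in range(self.N):
                total, emit = 0.0, 1.0
                for d in range(1, min(t, self.D) + 1):
                    emit *= self.B[i][obs[t - d]]          # extend the segment backwards
                    if t == d:                              # segment started at time 1
                        enter = self.pi[i]
                    else:                                   # entered from a segment ending at t-d
                        enter = sum(alpha[t - d][j] * self.A[j][i] for j in range(self.N))
                    total += enter * self.P[i][d - 1] * emit
                alpha[t][i] = total
        return sum(alpha[T])

    def score(self, obs):
        """Average log-likelihood per observed symbol."""
        return math.log(self.likelihood(obs)) / len(obs)


def fit_normal_profile(train_seqs, max_dur=8):
    """Estimate B for the normal state by counting (Laplace-smoothed); A and pi as on the slides."""
    counts = [1.0] * M
    for seq in train_seqs:
        for k in seq:
            counts[k] += 1
    total = sum(counts)
    b_normal = [c / total for c in counts]
    b_abnormal = [1.0 / M] * M          # state 0 is never entered under A, so uninformative
    p_row = [2.0 ** -d for d in range(1, max_dur + 1)]   # constructed: short segments likelier
    p_row = [p / sum(p_row) for p in p_row]
    A = [[0.0, 1.0], [0.0, 1.0]]        # the slides' A: always move to the normal state (1)
    pi = [0.0, 1.0]
    return HsMM([b_abnormal, b_normal], [p_row, p_row], A, pi)


def build_detector(seed=3, n_train=30, length=50):
    rng = random.Random(seed)
    train = [sample_sequence(NORMAL_MIX, length, rng) for _ in range(n_train)]
    model = fit_normal_profile(train)
    scores = [model.score(s) for s in train]
    mean = sum(scores) / len(scores)
    std = (sum((s - mean) ** 2 for s in scores) / len(scores)) ** 0.5
    return model, mean - 4 * std


def classify(model, threshold, obs):
    return "Malicious Botnet" if model.score(obs) < threshold else "Normal"


def run_demo(seed=11):
    model, threshold = build_detector()
    rng = random.Random(seed)
    normal_test = sample_sequence(NORMAL_MIX, 50, rng)
    bot_test = sample_sequence(BOT_MIX, 50, rng)
    return classify(model, threshold, normal_test), classify(model, threshold, bot_test)


if __name__ == "__main__":
    print(run_demo())
```

Because A forces every segment into the normal state, the duration term contributes the same factor to every sequence of a given length; the score difference between normal and bot traffic comes entirely from how well B explains the observed counter mix, which is exactly the deviation the slides' detector keys on.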
Web-based botnet identification accuracy
Dataset        False positive rate   Detection accuracy   Result
Web Service    0%                    100%                 Normal
FTP Service    0%                    100%                 Normal
Spyeye         1.33%                 98.67%               Malicious Botnet
Black energy   1.28%                 98.72%               Malicious Botnet
Future Work
• Analyze the various types of current botnet activities.
• Identify suitable statistical modelling techniques to detect botnets irrespective of their communication protocols and command-and-control structures.
Conclusion
• Botnets pose a significant and growing threat to cyber security.
• They provide a key platform for many cyber crimes, such as DDoS.
• Network security has become an integral part of our lives, and botnets have become the most serious threat to it.
• It is therefore very important to detect botnet attacks and find solutions for them.
Published Paper
• G. Kirubavathi Venkatesh and R. Anitha, "HTTP Botnet Detection using Adaptive Learning Rate Multilayer Feed-forward Neural Network," in Proceedings of the International Workshop in Information Security Theory and Practice (WISTP'12), UK, 2012, LNCS 7322, pp. 38–48, 2012.
Paper Communicated
• G. Kirubavathi Venkatesh, V. Srihari, R. Veeramani, RM. Karthikeyan and R. Anitha, "HTTP Botnet Detection using Hidden semi-Markov Model with SNMP MIB Variables," communicated to the International Journal of Security and Communication Networks (Wiley).
References P. Barford and V. Yegneswaran, “An inside look at botnets,” Springer
Verlag, 2006.
 J. Binkley and S. Singh. “An algorithm for anomaly-based botnet
detection”, In Proceedings of USENIX Steps to Reducing Unwanted Traffic
on the Internet Workshop (SRUTI), pages 43–48, 2006.
 T.Abbes, A.A.Bouhoula, and, M.Rusinowitch, “Protocol Analysis in
Intrusion Detection Using Decision Tree”, Proc. International Conference on
Information Technology, Coding and Computing (ITCC,04) IEEE Xplore,
Pages 404-408.
 Jiong Zhang, Mohammad Zulkernine, Anwar Haque: Random-Forests-
Based Network Intrusion Detection Systems. IEEE Transactions on
Systems, Man, and Cybernetics, Part C 38(5): 649-659 (2008)
 Lee., J. et al The activity analysis of malicious http-based botnets using
degree of periodic repeatability. In Proceedings of the IEEE International
Conference on Security Technology, December, 2008, pp.83-86.
References cont…
 X. Tan and H. Xi, Hidden semi-Markov Model for anomaly detection. Journal
of Applied Mathematics and Computation, Elsevier, vol. 205, Issue 2,
November 2008, Special Issue on Advanced Intelligent Computing Theory and
Methodology in Applied Mathematics and Computation, 2008, pp.562-567.
 Shun-Zheng Yu and Kobayashi, H. An Efficient Forward-Backward Algorithm
for an Explicit Duration Hidden Markov Model. In IEEE Signal Processing
Letters, vol.10, Issue 1, Jan. 2003, pp. 11-14
 Wang, B., Li, Z., Li, D., Liu, F. and Chen, H. Modeling Connections Behavior for
Web-Based Bots Detection. In 2nd IEEE International Conference on e-Business
and Information System Security (EBISS) - 2010, Wuhan, pp. 1-4.
 Yi Xie and Shun-Zheng Yu (2009) Monitoring the Application-Layer DDoS
Attacks for Popular Websites, In IEEE/ACM Transactions on Networking, Vol.
17, NO. 1, Feb. 2009.
Synopsis viva presentation

More Related Content

Similar to Synopsis viva presentation

A Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior AnalysisA Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior Analysisidescitation
 
Bot net detection by using ssl encryption
Bot net detection by using ssl encryptionBot net detection by using ssl encryption
Bot net detection by using ssl encryptionAcad
 
Literature survey on peer to peer botnets
Literature survey on peer to peer botnetsLiterature survey on peer to peer botnets
Literature survey on peer to peer botnetsAcad
 
Botnet detection by Imitation method
Botnet detection  by Imitation methodBotnet detection  by Imitation method
Botnet detection by Imitation methodAcad
 
A review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsA review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsAlexander Decker
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...IRJET Journal
 
Detection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P BotnetsDetection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P BotnetsCSCJournals
 
Detecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT BotnetsDetecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT BotnetsFarjad Noor
 
IRJET - Network Traffic Monitoring and Botnet Detection using K-ANN Algorithm
IRJET - Network Traffic Monitoring and Botnet Detection using K-ANN AlgorithmIRJET - Network Traffic Monitoring and Botnet Detection using K-ANN Algorithm
IRJET - Network Traffic Monitoring and Botnet Detection using K-ANN AlgorithmIRJET Journal
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniquesijsrd.com
 
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxlab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxsmile790243
 
Understanding the Botnet Phenomenon
Understanding the Botnet PhenomenonUnderstanding the Botnet Phenomenon
Understanding the Botnet PhenomenonDr. Amarjeet Singh
 
An Efficient Framework for Detection & Classification of IoT BotNet.pptx
An Efficient Framework for Detection & Classification of IoT BotNet.pptxAn Efficient Framework for Detection & Classification of IoT BotNet.pptx
An Efficient Framework for Detection & Classification of IoT BotNet.pptxSandeep Maurya
 
Genetic Algorithm based Layered Detection and Defense of HTTP Botnet
Genetic Algorithm based Layered Detection and Defense of HTTP BotnetGenetic Algorithm based Layered Detection and Defense of HTTP Botnet
Genetic Algorithm based Layered Detection and Defense of HTTP BotnetIDES Editor
 
A Cohesive and Semantic Consistency of for Bot Attack on IoT and IIoTPlatforms
A Cohesive and Semantic Consistency of for Bot Attack on IoT and IIoTPlatformsA Cohesive and Semantic Consistency of for Bot Attack on IoT and IIoTPlatforms
A Cohesive and Semantic Consistency of for Bot Attack on IoT and IIoTPlatformsIRJET Journal
 

Similar to Synopsis viva presentation (20)

A Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior AnalysisA Dynamic Botnet Detection Model based on Behavior Analysis
A Dynamic Botnet Detection Model based on Behavior Analysis
 
Bot net detection by using ssl encryption
Bot net detection by using ssl encryptionBot net detection by using ssl encryption
Bot net detection by using ssl encryption
 
Literature survey on peer to peer botnets
Literature survey on peer to peer botnetsLiterature survey on peer to peer botnets
Literature survey on peer to peer botnets
 
Botnet detection by Imitation method
Botnet detection  by Imitation methodBotnet detection  by Imitation method
Botnet detection by Imitation method
 
A review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsA review botnet detection and suppression in clouds
A review botnet detection and suppression in clouds
 
Botnets
BotnetsBotnets
Botnets
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
 
Detection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P BotnetsDetection of Botnets using Honeypots and P2P Botnets
Detection of Botnets using Honeypots and P2P Botnets
 
Detecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT BotnetsDetecting and Confronting Flash Attacks from IoT Botnets
Detecting and Confronting Flash Attacks from IoT Botnets
 
IRJET - Network Traffic Monitoring and Botnet Detection using K-ANN Algorithm
IRJET - Network Traffic Monitoring and Botnet Detection using K-ANN AlgorithmIRJET - Network Traffic Monitoring and Botnet Detection using K-ANN Algorithm
IRJET - Network Traffic Monitoring and Botnet Detection using K-ANN Algorithm
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniques
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet Architecture
 
Paper(edited)
Paper(edited)Paper(edited)
Paper(edited)
 
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docxlab3cdga.ziplab3code.c#include stdio.h#include std.docx
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
 
Understanding the Botnet Phenomenon
Understanding the Botnet PhenomenonUnderstanding the Botnet Phenomenon
Understanding the Botnet Phenomenon
 
Botnets
BotnetsBotnets
Botnets
 
Botnet
BotnetBotnet
Botnet
 
An Efficient Framework for Detection & Classification of IoT BotNet.pptx
An Efficient Framework for Detection & Classification of IoT BotNet.pptxAn Efficient Framework for Detection & Classification of IoT BotNet.pptx
An Efficient Framework for Detection & Classification of IoT BotNet.pptx
 
Genetic Algorithm based Layered Detection and Defense of HTTP Botnet
Genetic Algorithm based Layered Detection and Defense of HTTP BotnetGenetic Algorithm based Layered Detection and Defense of HTTP Botnet
Genetic Algorithm based Layered Detection and Defense of HTTP Botnet
 
A Cohesive and Semantic Consistency of for Bot Attack on IoT and IIoTPlatforms
A Cohesive and Semantic Consistency of for Bot Attack on IoT and IIoTPlatformsA Cohesive and Semantic Consistency of for Bot Attack on IoT and IIoTPlatforms
A Cohesive and Semantic Consistency of for Bot Attack on IoT and IIoTPlatforms
 

Recently uploaded

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Recently uploaded (20)

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

Synopsis viva presentation

  • 1. ANALYSIS AND DETECTION OF BOTNETS USING DATA MINING TECHNIQUES Candidate : G.Kirubavathi Reg No : 71010112041 Guide : Dr.R.Anitha Associate Professor Department of Applied Mathematics and Computational Sciences PSG College of Technology
  • 2. Outline  Introduction  Botnet Lifecycle  Botnet Attacks Botnets : A study and analysis HTTP botnet detection using HsMM model with SNMP MIB variables HTTP botnet detection using Adaptive Learning rate ML- FF NN Botnet detection via mining of traffic flow characteristics  Structural analysis and detection of Android botnets using machine learning techniques Conclusion Future work  References
  • 3. Introduction • Bot is a self propagating application that infects vulnerable host through direct exploitation or Trojan insertion. • A Botnet consists of a network of compromised computers (“bots”) controlled by an attacker (“botmaster”)
  • 4. What is the need for Botnet Detection?  Aug 4 2010 - Zeus v2 Botnet that owned 100,000 UK PCs taken out  Aug 12 2010 - Zeus v3 botnet raid on UK bank accounts  In 2013, Chameleon Botnet' takes $6-million-a-month in ad money  Word press hit by large scale botnet attack 5th April 2013. 4
  • 5. Botnets: Current Single largest Internet Threat  “Attack of zombie computers is growing threat” (New York Times)  “Why we are losing the botnet battle” (Network World)  “Botnet could eat the internet” (Silicon.com)  “25% of Internet PCs are part of a botnet” (Vint Cerf)
  • 6. Bot  The term 'bot' comes from 'robot'.  In computing paradigm, 'bot' usually refers to an automated process.  There are good bots and bad bots.  Example of good bots:  Google bot  Game bot  Example of bad bots:  Malicious software that steals information
  • 7. What is a botnet  Virus: Self reproduce quickly in one computer  Trojan horse: Hide themselves as safe files  Worm: Propagate through internet quickly  Remote Control Software: Legal, desktop user  Botnet: Integration of all above
  • 8. Botnet  Bot is a self propagating application that infects vulnerable host through direct exploitation or Trojan insertion.  A Botnet consists of a network of compromised computers (“bots”) controlled by an attacker (“botmaster”)  Botnets are classified as,  IRC Botnet  HTTP Botnet  P2P Botnet based on the communication protocol,
  • 11. DDOS
  • 12. 12 botmaster 192.168.3.203 Reflection Server huigezi.3322.org 192.168.2.55 Download bot 192.168.4.201 huigezi.3322.org 192.168.4.202 192.168.4.203 192.168.4.204 192.168.4.205 192.168.4.206 192.168.4.207 192.168.4.208 192.168.4.209 All zombies are waiting for control command from botmaster! huigezi.3322.org Download bot Scan Scan Scanning Scan Scan Scan Scan Scan Scan Command Attack Connection Victim Wire Botnet DDoS Attack Scenario Browse malicious website Webpage Trojan Server DNS Server 202.117.0.20 Domain Name Provider www.3322.org Update bot 192.168.2.55 192.168.2.55 ftp://192.168.2.55/ip.txt 192.168.3.203 Log in Update ip.txt Update domain name Scan
  • 13.
  • 14.
  • 15. Classification of Botnet Detection Techniques Honey nets Intrusion Detection System Signature Based Anomaly Based Host Based Network Based Active Monitoring Passive Monitoring
  • 16. HTTP Botnet Detection using Adaptive Learning Rate MLFF-NN  Recent botnets have begun using common protocols such as HTTP  HTTP bot communications are based on TCP connections  TCP related features have been identified for the detection of HTTP botnets
  • 17. Proposed System Architecture Network Traffic Feature Extraction Normalization Pre-processing Neural Network Classifier Training Set Testing Set NN Training NN Model Evalu ate Normal Bot
  • 18. Traces of different Web-based Bonets Bot Family Trace Size Packets Number Zeus-1 5.85 MB 53,220 Zeus -2 4.13 MB 37,252 Spyeye -1 25.17 MB 1,75,870 Spyeye -2 3.90 MB 35,180
  • 19. Identification accuracy of web botnet traffic profiles Traffic Traces # neurons in the ip layer # neurons in the hidden layer Correct Identification Spyeye -1 6 18 99.03% Spyeye- 2 6 18 99.02% Zeus -1 6 18 99.01% Zeus -2 6 18 99.04%
  • 20. Performance Measures of Spyeye Botnet Method Precision Recall F-Measure Accuracy Decision Tree 0.968 0.931 0.949 96.5333 Random Forest 0.968 0.934 0.950 96.667 RBF 0.976 0.927 0.950 96.5333 FF NN 0.964 0.983 0.973 99.03
  • 21. ROC curve for Spyeye Botnet
  • 22. Performance Measures of Zeus Botnet Method Precision Recall F-Measure Accuracy Decision Tree 0.956 0.930 0.941 96.14333 Random Forest 0.952 0.930 0.940 96.000 RBF 0.959 0.922 0.940 95.8667 FF NN 0.948 0.992 0.969 99.04
  • 23. ROC curve for Zeus Botnet
  • 24. Comparison of Performance Method Average Detection Accuracy Gu et al (2008), BotMiner – Data mining Techniques 96.825 Nogueira et al. (2010), Neural Networks 94.9175 Adaptive Learning Neural Networks – Proposed 99.025
  • 25. HTTP Botnet Detection using HsMM with SNMP MIB Variables  Used Hidden semi-Markov chain Model (HsMM) to characterize the normal network behavior of the TCP based MIB variables as observed sequence.  Forward-backward algorithm for estimating model parameters
  • 26. Proposed System Architecture Extraction of the SNMP MIB Variables Feature Reduction by PCA HsMM Modeling Summation of the SNMP MIB Variables Train Data Test Data Forward Backward Algorithm HsMM Model AL LNormal Bot
• 27. Model Construction
   Construct an HsMM that profiles normal MIB traffic behaviour, and use this model to detect the botnet.
   An HsMM is described by λ = (N, M, V, A, B, П), where
     N is the size of the state space Ф = {0, 1};
     V = {v0, v1, …, vM-1} is the set of visible symbols, which here are the values of the summed TCP-MIB variables;
     M is the number of visible symbols, i.e. the number of distinct values the summation count of the MIB variables can take;
     A = [aij]N×N is the state transition probability matrix, with aij = P{next_state = j | current_state = i}, i, j ∈ Ф.
   A is fixed rather than estimated: whatever the current state, the process moves to the normal state at the next step with probability 1, i.e.
     $A = \begin{pmatrix} 0 & 1 \\ 0 & 1 \end{pmatrix}$, state 1 being the normal state.
• 28. Model Construction (cont.)
   B = {bi(k)}, i ∈ Ф, 0 ≤ k ≤ M−1, is the distribution of the visible symbols V, where bi(k) = P{observed symbol = vk | current state = i}.
   П = [П0, П1, …, ПN-1] is the initial state distribution.
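The model of slides 27 and 28 run over a summed-MIB sequence, as an added example that is not the thesis's code. Its assumptions: the per-interval sums of TCP MIB counters are constructed values; the observed sums are quantized into a small alphabet V by fixed bin edges; the two states of Ф are labelled by a simple activity threshold on the normal training data (the example's own convention, not the thesis's) and λ is then estimated by counting, in place of the forward-backward re-estimation the thesis uses; and the alert threshold is the lowest per-observation log-likelihood seen on normal windows minus an assumed margin. The forward recursion itself is the standard one for an explicit-duration HMM and accepts any transition matrix, including the slides' fixed A; with two alternating states the counted A is [[0, 1], [1, 0]].

```python
import math

# Constructed per-interval sums of TCP MIB counters (e.g. tcpActiveOpens +
# tcpPassiveOpens + tcpCurrEstab, sampled every 10 s).  Illustrative values,
# not measurements from the thesis.  Normal traffic alternates quiet and busy
# runs; the bot window is sustained C&C polling with many short connections.
NORMAL_SUMS = [4, 6, 5, 3, 18, 22, 25, 19, 21, 5, 4, 7, 6, 23, 20, 24,
               3, 5, 4, 6, 21, 19, 22, 20, 5, 3, 6, 4, 24, 22]
BOT_SUMS = [70, 84, 79, 91, 77, 88, 82, 95, 80, 86]
EDGES = [10, 30, 50]    # bin edges: symbol k = k-th bin, so M = len(EDGES) + 1
ACTIVE = 10             # example's own state labelling: sum >= ACTIVE -> state 1
D_MAX = 6               # longest segment duration modelled
WINDOW = 10             # observations scored at a time
MARGIN = 0.5            # assumed slack below the lowest normal window score

def quantize(values, edges):
    """Map each summed MIB count to a visible symbol (the index of its bin)."""
    return [sum(1 for e in edges if v >= e) for v in values]

def logsumexp(xs):
    m = max(xs)
    if m == -math.inf:
        return -math.inf
    return m + math.log(sum(math.exp(x - m) for x in xs))

def fit_hsmm(values, edges, active, d_max):
    """Estimate lambda = (pi, A, B, P) by counting over threshold-labelled normal
    data (stand-in for forward-backward re-estimation).  Add-one smoothing keeps
    every symbol and duration possible, so unseen symbols are merely unlikely."""
    obs = quantize(values, edges)
    states = [1 if v >= active else 0 for v in values]
    n_states, n_sym = 2, len(edges) + 1
    emit = [[1.0] * n_sym for _ in range(n_states)]
    for s, o in zip(states, obs):
        emit[s][o] += 1
    segs = []                                   # run-length segmentation
    for s in states:
        if segs and segs[-1][0] == s:
            segs[-1][1] += 1
        else:
            segs.append([s, 1])
    dur = [[1.0] * d_max for _ in range(n_states)]   # explicit duration pmf p_j(d)
    for s, d in segs:
        dur[s][min(d, d_max) - 1] += 1
    trans = [[0.0 if i == j else 1.0 for j in range(n_states)] for i in range(n_states)]
    for (s, _), (nxt, _) in zip(segs, segs[1:]):
        trans[s][nxt] += 1
    norm = lambda rows: [[c / sum(r) for c in r] for r in rows]
    pi = [1.0 / n_states] * n_states
    return pi, norm(trans), norm(emit), norm(dur)

def hsmm_loglik(obs, pi, A, B, P):
    """Forward recursion for an explicit-duration HMM: alpha[t][j] is the log
    probability of o_1..o_t with a segment of state j ending at t."""
    n_states, T, d_max = len(pi), len(obs), len(P[0])
    neg = -math.inf
    lb = [[0.0] * (T + 1) for _ in range(n_states)]   # prefix sums of log b_j(o_s)
    for j in range(n_states):
        for t, o in enumerate(obs):
            lb[j][t + 1] = lb[j][t] + math.log(B[j][o])
    alpha = [[neg] * n_states for _ in range(T + 1)]
    for t in range(1, T + 1):
        for j in range(n_states):
            terms = []
            for d in range(1, min(d_max, t) + 1):      # segment of length d ends at t
                start = t - d
                if start == 0:
                    enter = math.log(pi[j])
                else:
                    enter = logsumexp([alpha[start][i] + (math.log(A[i][j]) if A[i][j] > 0 else neg)
                                       for i in range(n_states)])
                terms.append(enter + math.log(P[j][d - 1]) + lb[j][t] - lb[j][start])
            alpha[t][j] = logsumexp(terms)
    return logsumexp(alpha[T])

def score(values, model):
    """Per-observation log-likelihood of a window under the normal model."""
    obs = quantize(values, EDGES)
    return hsmm_loglik(obs, *model) / len(obs)

def build_detector(normal_values):
    model = fit_hsmm(normal_values, EDGES, ACTIVE, D_MAX)
    scores = [score(normal_values[i:i + WINDOW], model)
              for i in range(len(normal_values) - WINDOW + 1)]
    return model, min(scores) - MARGIN

def is_bot(values, model, threshold):
    return score(values, model) < threshold

if __name__ == "__main__":
    model, thr = build_detector(NORMAL_SUMS)
    for name, w in (("normal", NORMAL_SUMS[:WINDOW]), ("bot", BOT_SUMS)):
        print(name, round(score(w, model), 3), "bot" if is_bot(w, model, thr) else "normal")
```

The bot window scores far below the threshold because its summed counts fall in bins the normal model almost never emits, and the score is normalised per observation so that windows of different lengths are comparable; in practice the threshold would be set from a held-out set of normal windows rather than from the training sequence itself.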
• 29. Web-based botnet identification accuracy
   Dataset        False positive rate   Detection accuracy   Result
   Web service    0%                    100%                 Normal
   FTP service    0%                    100%                 Normal
   Spyeye         1.33%                 98.67%               Malicious (botnet)
   BlackEnergy    1.28%                 98.72%               Malicious (botnet)
• 30. Future Work
   Analyse the various types of current botnet activity.
   Identify suitable statistical modelling techniques that detect botnets irrespective of their communication protocol and command-and-control structure.
• 31. Conclusion
   Botnets pose a significant and growing threat to cyber security.
   They provide the key platform for many cyber crimes, such as DDoS attacks.
   Network security has become an integral part of our lives, and botnets have become the most serious threat to it.
   It is therefore very important to detect botnet attacks and to find solutions against them.
• 32. Published Paper
   G. Kirubavathi Venkatesh and R. Anitha, "HTTP Botnet Detection using Adaptive Learning Rate Multilayer Feed-forward Neural Network," in Proc. International Workshop in Information Security Theory and Practice (WISTP 2012), UK, LNCS 7322, pp. 38–48, 2012.
   Paper Communicated
   G. Kirubavathi Venkatesh, V. Srihari, R. Veeramani, RM. Karthikeyan and R. Anitha, "HTTP Botnet Detection using Hidden semi-Markov Model with SNMP MIB Variables," communicated to the International Journal of Security and Communication Networks (Wiley).
• 33. References
   P. Barford and V. Yegneswaran, "An inside look at botnets," Springer, 2006.
   J. Binkley and S. Singh, "An algorithm for anomaly-based botnet detection," in Proc. USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), pp. 43–48, 2006.
   T. Abbes, A. A. Bouhoula and M. Rusinowitch, "Protocol analysis in intrusion detection using decision tree," in Proc. International Conference on Information Technology: Coding and Computing (ITCC '04), IEEE, pp. 404–408, 2004.
   J. Zhang, M. Zulkernine and A. Haque, "Random-forests-based network intrusion detection systems," IEEE Transactions on Systems, Man, and Cybernetics, Part C, vol. 38, no. 5, pp. 649–659, 2008.
   J. Lee et al., "The activity analysis of malicious HTTP-based botnets using degree of periodic repeatability," in Proc. IEEE International Conference on Security Technology, pp. 83–86, December 2008.
• 34. References (cont.)
   X. Tan and H. Xi, "Hidden semi-Markov model for anomaly detection," Applied Mathematics and Computation, Elsevier, vol. 205, no. 2, pp. 562–567, November 2008 (special issue on Advanced Intelligent Computing Theory and Methodology in Applied Mathematics and Computation).
   S.-Z. Yu and H. Kobayashi, "An efficient forward-backward algorithm for an explicit-duration hidden Markov model," IEEE Signal Processing Letters, vol. 10, no. 1, pp. 11–14, January 2003.
   B. Wang, Z. Li, D. Li, F. Liu and H. Chen, "Modeling connections behavior for web-based bots detection," in Proc. 2nd IEEE International Conference on e-Business and Information System Security (EBISS), Wuhan, pp. 1–4, 2010.
   Y. Xie and S.-Z. Yu, "Monitoring the application-layer DDoS attacks for popular websites," IEEE/ACM Transactions on Networking, vol. 17, no. 1, February 2009.