Behavior-based Botnet Detection in Parallel

Abstract

Botnets have become a major Internet security issue in recent years. Although signature-based solutions are accurate, they cannot detect bot variants in real time. In this paper, we propose behavior-based botnet detection in parallel (BBDP). BBDP adopts a fuzzy pattern recognition approach to detect bots, based on anomalous behavior in DNS queries and TCP requests. With the design objectives of efficiency and accuracy, a bot is detected using the proposed five-stage process: 1) traffic reduction, which shrinks an input trace by deleting unnecessary packets; 2) feature extraction, which extracts features from the shrunk trace; 3) data partitioning, which divides the features into smaller pieces; 4) the DNS detection phase, which detects bots based on DNS features; and 5) the TCP detection phase, which detects bots based on TCP features. The detection phases, which consume approximately 90% of the total detection time, can be dispatched to multiple servers in parallel, making real-time detection possible. Large-scale experiments on the Windows Azure cloud service show that BBDP achieves a high true positive rate (95%+) and a low false positive rate (∼3%). The experiments also show that the performance of BBDP scales linearly with the number of servers used to detect bots.
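The five-stage pipeline described above, as an added toy example that is not the paper's code: stages 1 to 3 run once, and the DNS and TCP phases are dispatched to a pool of workers over the partitioned per-host features. The trace, the feature set, the membership ramps, the thresholds and the rule combining the two phases (fuzzy AND via min) are all assumptions for illustration; the abstract does not specify them.

```python
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed trace: (host, proto, ok); ok = DNS query resolved / TCP handshake completed.
# h1 and h2 behave normally; h3 shows many failed DNS queries and failed TCP connects.
PACKETS = ([("h1", "dns", True), ("h1", "tcp", True), ("h1", "icmp", True),
            ("h2", "dns", True), ("h2", "tcp", True), ("h2", "udp", True)]
           + [("h3", "dns", False)] * 12 + [("h3", "tcp", False)] * 20)

def reduce_traffic(packets):
    """Stage 1: drop everything except the DNS and TCP packets the phases need."""
    return [p for p in packets if p[1] in ("dns", "tcp")]

def extract_features(packets):
    """Stage 2: per-host counters (an assumed feature set, not the paper's)."""
    f = defaultdict(lambda: {"dns": 0, "dns_fail": 0, "tcp": 0, "tcp_fail": 0})
    for host, proto, ok in packets:
        f[host][proto] += 1
        if not ok:
            f[host][proto + "_fail"] += 1
    return dict(f)

def partition(features, n):
    """Stage 3: split the per-host features into n chunks, one per worker."""
    hosts = sorted(features)
    return [{h: features[h] for h in hosts[i::n]} for i in range(n)]

def ramp(x, lo, hi):
    """Fuzzy membership: 0 at or below lo, 1 at or above hi, linear in between."""
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))

def dns_phase(chunk):
    """Stage 4: membership in 'bot-like DNS behaviour' (assumed thresholds)."""
    return {h: max(ramp(f["dns_fail"] / f["dns"] if f["dns"] else 0, 0.2, 0.8),
                   ramp(f["dns"], 5, 20)) for h, f in chunk.items()}

def tcp_phase(chunk):
    """Stage 5: membership in 'bot-like TCP behaviour' (assumed thresholds)."""
    return {h: max(ramp(f["tcp_fail"] / f["tcp"] if f["tcp"] else 0, 0.2, 0.8),
                   ramp(f["tcp"], 10, 40)) for h, f in chunk.items()}

def detect(packets, workers=2, threshold=0.5):
    """Stages 1-3 once, then stages 4-5 on `workers` in parallel; flag hosts whose
    combined membership (min of DNS and TCP scores, an assumed rule) exceeds threshold."""
    chunks = partition(extract_features(reduce_traffic(packets)), workers)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        dns = {h: s for d in pool.map(dns_phase, chunks) for h, s in d.items()}
        tcp = {h: s for d in pool.map(tcp_phase, chunks) for h, s in d.items()}
    scores = {h: min(dns[h], tcp[h]) for h in dns}
    return {h: s for h, s in scores.items() if s > threshold}
```

Because each chunk is independent, the two phase calls can be sent to separate machines instead of threads without changing the stage logic, which is the property the abstract relies on for linear scaling.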

Citation

Kuochen Wang, Chun-Ying Huang, Li-Yang Tsai, and Ying-Dar Lin, "Behavior-based Botnet Detection in Parallel," Wiley Security and Communication Networks, to appear.

Bibtex

@ARTICLE{wang14:fuzzybot2,
  author  = {Kuochen Wang and Chun-Ying Huang and Li-Yang Tsai and Ying-Dar Lin},
  title   = {Behavior-based Botnet Detection in Parallel},
  journal = {Wiley Security and Communication Networks},
  year    = {2014}
}
