Detecting Botnets Through Deep Learning and Network Flow Analysis

Authors

Ji An Lee, San Jose State University
Fabio Di Troia, San Jose State UniversityFollow

Publication Date

1-1-2022

Document Type

Contribution to a Book

Publication Title

Advances in Information Security

Volume

54

DOI

10.1007/978-3-030-97087-1_4

First Page

85

Last Page

105

Abstract

Botnet attacks pose a serious threat to the Internet infrastructure and its users. Botnets are operated through a command and control (C&C) channel which uniquely distinguishes it from other typical malware threats. The C&C server sends commands to the botnets to execute malicious activities using common Internet protocols, such as Hypertext transfer (HTTP), and Internet Relay Chat (IRC). Since these protocols are common, detecting botnet activities has been a challenge. This paper proposes an approach to identify the IP addresses of C&C servers and infected hosts in a network, without prior knowledge of the addresses or the type of the botnet. The approach is based on the observation that there are unique patterns in the communication between C&C server and bots which could be used to distinguish botnets from the background traffic. Regular botnet activities such as orchestrated attacks, heartbeat signals, or periodic distribution of commands are the main causes that produce such patterns. Deep learning techniques are applied on the extracted patterns to classify potential botnet traffics. The results show this pattern-based botnet detection technique is able to achieve high classification accuracy with low false positive rate.

Department

Computer Science

Recommended Citation

Ji An Lee and Fabio Di Troia. "Detecting Botnets Through Deep Learning and Network Flow Analysis" Advances in Information Security (2022): 85-105. https://doi.org/10.1007/978-3-030-97087-1_4