Title
Detecting Botnets Through Deep Learning and Network Flow Analysis
Publication Date
1-1-2022
Document Type
Contribution to a Book
Publication Title
Advances in Information Security
Volume
54
DOI
10.1007/978-3-030-97087-1_4
First Page
85
Last Page
105
Abstract
Botnet attacks pose a serious threat to the Internet infrastructure and its users. Botnets are operated through a command and control (C&C) channel, which distinguishes them from other typical malware threats. The C&C server sends commands to the bots to execute malicious activities using common Internet protocols, such as the Hypertext Transfer Protocol (HTTP) and Internet Relay Chat (IRC). Since these protocols are ubiquitous, detecting botnet activity has been a challenge. This chapter proposes an approach to identify the IP addresses of C&C servers and infected hosts in a network without prior knowledge of the addresses or the type of botnet. The approach is based on the observation that there are unique patterns in the communication between a C&C server and its bots which can be used to distinguish botnet traffic from background traffic. Regular botnet activities such as orchestrated attacks, heartbeat signals, or periodic distribution of commands are the main causes of such patterns. Deep learning techniques are applied to the extracted patterns to classify potential botnet traffic. The results show that this pattern-based botnet detection technique achieves high classification accuracy with a low false positive rate.
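The flow-level pattern extraction the abstract describes (periodic heartbeats and command polling between bots and a C&C server) as an added illustration, not the chapter's own code or method: it groups NetFlow-style records by (source, destination, port), computes inter-arrival and size regularity features, and flags destinations that several internal hosts contact on a fixed schedule as C&C candidates, with those hosts as infected-host candidates. The record layout, the thresholds, the feature set and the sample flows are all constructed assumptions; the chapter's deep learning classifier is not reproduced, these features are only the kind of input such a classifier would consume.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records, NOT captured traffic. Layout is an assumption:
# (start_time_seconds, src_ip, dst_ip, dst_port, bytes_sent)


def _periodic(src, dst, port, period, n, size):
    # Hypothetical bot: one connection every `period` seconds with 0-2 s jitter
    # and a nearly constant payload, as a heartbeat or command poll would produce.
    return [(period * i + (i % 3), src, dst, port, size + (i % 2) * 8) for i in range(n)]


def _irregular(src, dst, port):
    # Hypothetical user browsing: bursty timing and widely varying sizes.
    times = [0, 3, 4, 9, 70, 71, 72, 300, 301, 650, 900, 901, 903, 1400]
    sizes = [512, 4096, 900, 15000, 700, 22000, 3000, 640, 8192, 120000, 1500, 2000, 450, 9000]
    return [(t, src, dst, port, s) for t, s in zip(times, sizes)]


SAMPLE_FLOWS = sorted(
    _periodic("10.0.0.5", "203.0.113.7", 80, 60, 20, 312)     # bot 1 -> C&C
    + _periodic("10.0.0.9", "203.0.113.7", 80, 60, 20, 312)   # bot 2 -> same C&C
    + _irregular("10.0.0.20", "198.51.100.3", 443)            # clean host browsing
    + _irregular("10.0.0.5", "198.51.100.3", 443)             # bot 1 also browsing
)


def extract_features(flows, min_flows=8):
    """Per (src, dst, dport) regularity features from a list of flow records.

    iat_cv is the coefficient of variation (stdev / mean) of inter-arrival times;
    a near-zero value means the connections arrive on a fixed schedule. bytes_cv
    is the same measure over flow sizes. Pairs with fewer than min_flows flows
    are skipped because regularity statistics on a handful of points are noise.
    """
    groups = defaultdict(list)
    for t, src, dst, dport, nbytes in flows:
        groups[(src, dst, dport)].append((t, nbytes))
    feats = {}
    for key, recs in groups.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        times = [t for t, _ in recs]
        sizes = [b for _, b in recs]
        iats = [b - a for a, b in zip(times, times[1:])]
        iat_mean = mean(iats)
        feats[key] = {
            "flows": len(recs),
            "iat_mean": iat_mean,
            # duplicate timestamps would give a zero mean; treat that as "not periodic"
            "iat_cv": pstdev(iats) / iat_mean if iat_mean > 0 else float("inf"),
            "bytes_cv": pstdev(sizes) / mean(sizes),
        }
    return feats


def flag_periodic(feats, max_iat_cv=0.2, max_bytes_cv=0.5):
    """Keys whose timing and size regularity fall under the (assumed) thresholds."""
    return {
        key for key, f in feats.items()
        if f["iat_cv"] <= max_iat_cv and f["bytes_cv"] <= max_bytes_cv
    }


def candidate_cnc(flows, min_sources=2, max_iat_cv=0.2, max_bytes_cv=0.5):
    """Map (dst_ip, dst_port) -> sorted internal hosts that poll it periodically.

    A destination that several distinct hosts contact on a fixed schedule is a
    C&C candidate; the hosts are infected-host candidates. A single periodic
    client (e.g. one NTP or update poller) does not meet min_sources.
    """
    periodic = flag_periodic(extract_features(flows), max_iat_cv, max_bytes_cv)
    by_server = defaultdict(set)
    for src, dst, dport in periodic:
        by_server[(dst, dport)].add(src)
    return {server: sorted(srcs) for server, srcs in by_server.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    for key, f in sorted(extract_features(SAMPLE_FLOWS).items()):
        print(f"{key}: flows={f['flows']} iat_mean={f['iat_mean']:.1f}s "
              f"iat_cv={f['iat_cv']:.3f} bytes_cv={f['bytes_cv']:.3f}")
    print("C&C candidates:", candidate_cnc(SAMPLE_FLOWS))
```

The per-pair analysis matters: 10.0.0.5 is flagged only for its 60-second polling of 203.0.113.7:80, while its irregular browsing to 198.51.100.3 passes as background traffic. Real traffic needs the thresholds tuned against legitimate periodic clients (NTP, software updaters, monitoring agents), which is exactly the kind of ambiguity a trained classifier over these features is meant to resolve.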
Department
Computer Science
Recommended Citation
Ji An Lee and Fabio Di Troia. "Detecting Botnets Through Deep Learning and Network Flow Analysis" Advances in Information Security (2022): 85-105. https://doi.org/10.1007/978-3-030-97087-1_4