A SYNOPSIS
Submitted by
G. KIRUBAVATHI
of
DOCTOR OF PHILOSOPHY
MARCH 2016
1. INTRODUCTION
Botnets are the preeminent source of cyber crime and the greatest
threat to the Internet infrastructure. They can be spread widely across
distance and geography, with infected hosts and botmasters operating in
different countries and locations. According to the PandaLab research report,
botnets pose a serious threat to the Internet and are responsible for a range
of malicious activities, from distributed denial of service (DDoS) to spamming,
phishing, information harvesting and identity theft. As reported by BCC
news in 2012, botnets have started conscripting smartphones to send spam and
mine cryptocurrencies.
3. OBJECTIVES
4.2 HTTP botnet detection using Hidden Semi-Markov Model with SNMP MIB variables
In the training phase, the SNMP MIB variables are first transformed into an
HsMM observation sequence using the forward-backward training algorithm;
the HsMM is then inferred from this observation sequence. In the testing
phase, the SNMP MIB variables are transformed into HsMM observation
sequences, and the trained HsMM is used to compute the probability of each
test sequence. The resulting Average Log Likelihood (ALL) decides whether
the sequence is normal traffic or HTTP botnet communication.
Experimental results:
A botnet testbed was set up in the SSE lab network to reproduce the
behaviour of existing real-time HTTP botnets, as shown in Figure 3.
We have also compared the model with other botnet detection schemes:
Nogueria et al (2010), which uses a neural network to classify licit and
illicit traffic patterns, and Choi and Lee (2011), which uses DNS traffic
patterns to identify botnet traffic. Our model provides better detection
accuracy, as shown in Figure 4.
The proposed model is lightweight and operates in real time, since it uses
SNMP MIB variables collected from SNMP agents instead of analyzing
network traffic flows.
Table 1 Performance of the proposed model
Datasets       False positive rate   Detection accuracy   Results
Web service    0%                    100%                 Normal
FTP service    0%                    100%                 Normal
Spyeye         1.67%                 98.14%               Botnet
Blackenergy    1.58%                 98.72%               Botnet
Zeus           1.75%                 98.02%               Botnet
Athena         1.29%                 98.94%               Botnet
Andromeda      1.47%                 98.62%               Botnet
[Figure 4 Accuracy comparisons with existing techniques; y-axis: Accuracy (%), 93 to 99]
SYN Flag Count: the number of TCP packets with the SYN flag set
FIN Flag Count: the number of TCP packets with the FIN flag set
PSH Flag Count: the number of TCP packets with the PSH flag set
The extracted TCP features are normalized using min-max normalization.
The normalized features are then passed to a Multi-Layer Feed-Forward
Neural Network trained with the Bold Driver back-propagation learning
algorithm. This learning algorithm has the advantage of dynamically
adjusting the learning-rate parameter during the weight-update process.
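As an added illustration (not the thesis's own code), the flag-count feature extraction and min-max normalization step above, applied to a constructed list of per-flow packet records; the flow ids and packet list are assumed sample data. Feature columns whose minimum equals their maximum are mapped to 0.0 so that normalization never divides by zero.

```python
# Added example: per-flow SYN/FIN/PSH counts followed by min-max normalization.
# Not code from the thesis; the packet records below are constructed sample data.
from collections import defaultdict

# Constructed sample: (flow_id, set of TCP flag names seen on the packet).
SAMPLE_PACKETS = [
    ("flowA", {"SYN"}), ("flowA", {"SYN", "ACK"}), ("flowA", {"ACK"}),
    ("flowA", {"PSH", "ACK"}), ("flowA", {"FIN", "ACK"}),
    ("flowB", {"SYN"}), ("flowB", {"SYN"}), ("flowB", {"SYN"}), ("flowB", {"SYN"}),
    ("flowC", {"SYN"}), ("flowC", {"PSH", "ACK"}), ("flowC", {"PSH", "ACK"}),
    ("flowC", {"PSH", "ACK"}), ("flowC", {"FIN", "ACK"}),
]
FEATURES = ("SYN", "FIN", "PSH")   # feature order: [syn_count, fin_count, psh_count]


def flag_counts(packets):
    """Count packets carrying each flag, per flow: {flow_id: [syn, fin, psh]}."""
    counts = defaultdict(lambda: [0] * len(FEATURES))
    for flow_id, flags in packets:
        for i, name in enumerate(FEATURES):
            if name in flags:
                counts[flow_id][i] += 1
    return dict(counts)


def min_max_normalize(vectors):
    """Scale every feature column to [0, 1] across all flows.

    A constant column (min == max) carries no information, so it is mapped
    to 0.0 instead of raising ZeroDivisionError.
    """
    flows = list(vectors)
    n = len(FEATURES)
    lo = [min(vectors[f][i] for f in flows) for i in range(n)]
    hi = [max(vectors[f][i] for f in flows) for i in range(n)]
    normalized = {}
    for f in flows:
        normalized[f] = [
            0.0 if hi[i] == lo[i] else (vectors[f][i] - lo[i]) / (hi[i] - lo[i])
            for i in range(n)
        ]
    return normalized


def build_feature_matrix(packets=SAMPLE_PACKETS):
    """Raw counts -> normalized per-flow vectors ready for the classifier."""
    return min_max_normalize(flag_counts(packets))


if __name__ == "__main__":
    for flow, vec in sorted(build_feature_matrix().items()):
        print(flow, [round(v, 3) for v in vec])
```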
Experimental results:
A dataset comprising 48.6 GB of traffic flow traces, belonging to both
botnet and benign classes and with TCP features extracted, is used, as
shown in Table 3.
Table 3 Description of datasets
Botnet traffic
Botnet Family   Trace Size    Botnet Family    Trace Size
Zeus            5.36 GB       Sogou            18 MB
Spyeye          5.14 GB       Athena           3.91 GB
BlackEnergy     6.25 GB       Andromeda        2.64 GB
Normal traffic
Web service     8.52 GB       Remote service   2.69 GB
[Figure: accuracy plot; y-axis: Accuracy (%), 92 to 98; caption not recoverable]
The research works in 4.2 and 4.3 have focused on HTTP-based botnet
detection. Nowadays, botmasters dynamically change their Command
and Control structure to avoid detection. Hence, in the next work we
concentrate on designing and developing efficient botnet detection
mechanisms that work irrespective of the Command and Control structure.
After feature extraction, flow vectors are formed and machine learning
techniques are applied to classify the traffic flows into botnet and
normal flows.
Let fj be a flow. A flow vector fj(ti) = (Ps, Pr, Pl, BRp), where Ps, Pr, Pl
and BRp are the features extracted from flow fj during the time period ti.
Experimental results:
[Figure: accuracy plot; y-axis: Accuracy (%), 80 to 100; caption not recoverable]
Experimental results:
[Figure: accuracy plot; y-axis: Accuracy (%), 75 to 95; caption not recoverable]
5. CONCLUSION
REFERENCES:
LIST OF PUBLICATIONS