TY - JOUR
T1 - Behavior-based botnet detection in parallel
AU - Wang, Kuo-Chen
AU - Huang, Chun-Ying
AU - Tsai, Li Yang
AU - Lin, Ying-Dar
PY - 2014/11/1
Y1 - 2014/11/1
N2 - Botnets have become a major Internet security issue in recent years. Although signature-based solutions are accurate, they cannot detect bot variants in real time. In this paper, we propose behavior-based botnet detection in parallel (BBDP). BBDP adopts a fuzzy pattern recognition approach to detect bots. It detects a bot based on anomalous behavior in domain name service (DNS) queries and transmission control protocol (TCP) requests. With the design objectives of being efficient and accurate, a bot is detected using the proposed five-stage process: (i) traffic reduction, which shrinks an input trace by deleting unnecessary packets; (ii) feature extraction, which extracts features from the shrunk trace; (iii) data partitioning, which divides the features into smaller pieces; (iv) the DNS detection phase, which detects bots based on DNS features; and (v) the TCP detection phase, which detects bots based on TCP features. The detection phases, which consume approximately 90% of the total detection time, can be dispatched to multiple servers in parallel, making real-time detection possible. Large-scale experiments with the Windows Azure cloud service show that BBDP achieves a high true positive rate (95%+) and a low false positive rate (∼3%). The experiments also show that the performance of BBDP scales linearly with the number of servers used to detect bots.
AB - Botnets have become a major Internet security issue in recent years. Although signature-based solutions are accurate, they cannot detect bot variants in real time. In this paper, we propose behavior-based botnet detection in parallel (BBDP). BBDP adopts a fuzzy pattern recognition approach to detect bots. It detects a bot based on anomalous behavior in domain name service (DNS) queries and transmission control protocol (TCP) requests. With the design objectives of being efficient and accurate, a bot is detected using the proposed five-stage process: (i) traffic reduction, which shrinks an input trace by deleting unnecessary packets; (ii) feature extraction, which extracts features from the shrunk trace; (iii) data partitioning, which divides the features into smaller pieces; (iv) the DNS detection phase, which detects bots based on DNS features; and (v) the TCP detection phase, which detects bots based on TCP features. The detection phases, which consume approximately 90% of the total detection time, can be dispatched to multiple servers in parallel, making real-time detection possible. Large-scale experiments with the Windows Azure cloud service show that BBDP achieves a high true positive rate (95%+) and a low false positive rate (∼3%). The experiments also show that the performance of BBDP scales linearly with the number of servers used to detect bots.
KW - Anomaly detection
KW - Behavior-based
KW - Botnet detection
KW - Cloud computing
KW - Fuzzy pattern recognition
KW - Parallel process
UR - http://www.scopus.com/inward/record.url?scp=84910611194&partnerID=8YFLogxK
U2 - 10.1002/sec.898
DO - 10.1002/sec.898
M3 - Article
AN - SCOPUS:84910611194
VL - 7
SP - 1849
EP - 1859
JO - Security and Communication Networks
JF - Security and Communication Networks
SN - 1939-0114
IS - 11
ER -