Analysis of the P2P botnet detection methods
Atef Ahmed Obeidat
Al-Huson University College, Al-Balqa Applied University, Al-Huson, Jordan

ABSTRACT

Botnets are one of the most important Internet security issues. Their structure has evolved from centralized architectures into decentralized Peer-to-Peer (P2P) botnets, which makes them difficult to detect. This study analyzes and compares the most significant proposals in the field of P2P-based detection. It fulfills the following tasks: first, it studies the previous surveys; second, it proposes new dimensions for analyzing the proposals; third, it classifies and compares the most important detection proposals; and fourth, it describes the open problems in this field. We conclude that good solutions have been achieved in the field so far, but there are still many open problems.

Keywords: botnets, information security, botnet detection, survey, peer-to-peer.

1. INTRODUCTION

A bot is a computer running a malicious program that enables an attacker (the botmaster) to remotely control the infected computer. A network of such compromised end-hosts is called a botnet; the hosts are usually recruited by one of several attack methods, such as Trojan horses, worms, and viruses [1]. Botnets with many computers have high bandwidth and computing capability, which increases over time. Botmasters use the bots to launch various malicious activities, such as spam, Distributed Denial of Service (DDoS) attacks, key-logging, Bitcoin mining, click-fraud scams and password cracking. The traditional botnet architecture was centralized and used IRC (Internet Relay Chat) for its Command and Control (C&C) channel. Detecting the centralized C&C server means removing the entire botnet, so botmasters turned to P2P protocols [2] to build botnets. The peer-to-peer approach provides higher resiliency, and botnets implementing this approach are harder to detect and take down.
Nugache [3] and Storm worm [4, 5] are two representative P2P botnets. Several surveys on P2P botnet detection have been carried out [6-9]. Although these surveys provide much information on botnets, they do not include an analysis of P2P botnet detection methods. Our work aims to analyze, classify, and compare the most significant P2P botnet detection methods. The key contributions of the work are as follows: comparing the previous surveys in this field; comparing and classifying the P2P botnet detection features; studying the most important proposals; and focusing on the drawbacks of P2P botnet detection. We conclude that P2P botnet detection methods have gained significant results so far. However, many open problems still exist.

2. PREVIOUS SURVEYS

No complete and comprehensive survey on P2P botnet detection methods has been carried out so far. However, several surveys on botnet detection include a brief analysis of detection methods. In this section, these surveys are analyzed to describe how the detection methods are classified. Several methods for P2P botnet detection are enumerated in a previous work [6], but these methods are not thoroughly analyzed; the detection techniques of the covered studies are considered individually, and the ideas and drawbacks of each technique are explained. A previous work [6] analyzes three approaches more elaborately and proposes one of them; the general ideas, advantages, and shortcomings of these approaches are presented in [7]. P2P botnet detection techniques based on traffic features of the P2P botnet were studied in [8]. Detection techniques are classified into three categories: data mining, machine learning, and network behavior and traffic analysis. The general principles of these techniques are presented. However, the shortcomings, advantages, and algorithms of these techniques were not explained.
P2P botnet detection methods are also surveyed by several review papers in the field, which determine the current problems and existing solutions [9]. In addition, that survey uses a table to relate the proposed techniques in the literature.

Volume 4 Issue 3, March 2016

Table 1: Categories of comparing detection techniques (analysis dimensions). Columns: this work, related work [6], [7], [8], [9]; the cell entries that survive are listed per row.
Detection methods:
Advantages: no, no
Shortcomings: no, no
Detection algorithms: Partially, no, no, no
Data sources: no, no, no, Partially
Detection features: no, no, no, Partially
Comparison: no, no, no

2.1. Survey comparison

The previous surveys [6-9] demonstrate that categorizing the detection methods is difficult. Each survey emphasizes different aspects of the papers, so identifying a common comparison criterion was challenging. The comparison approach of each survey was studied to extract the main dimensions in which its information is organized. Table 1 shows the information analyzed in each survey. These dimensions are summarized as follows:
Data sources: sources of base information, such as application logs from a general network, NetFlow logs from a private network, or network packets from a honeypot [10].
Detection features: the properties employed to establish the topology. The papers were studied according to these properties (e.g. encrypted botnet detection, botnet protocol detected, and rules needed for detection).
Detection algorithms: the algorithms used to achieve a task (e.g. Bayesian statistics and neural networks).
Advantages and disadvantages of algorithms: the benefits and shortcomings of each discussed method.
Comparison of algorithms: employed to compare the botnet detection papers.
In addition, the study of the surveys identified several restrictions from the viewpoint of classifying detection methods:
All the surveys use distinct terminologies, which makes the study hard. For example, what one paper calls an approach is called a technique in another.
All the surveys use few dimensions. As shown in Table 1, no survey includes the data sources dimension, whereas one survey describes the detection methods only.
In general, the surveys are designed to describe the methods instead of studying them. Most surveys use a small number of references in the comparison between the papers. To overcome these limitations, we present a comprehensive survey, which contains a complete topology and a comparison in order to analyze the detection methods in depth.

3. THE COMPARISON APPROACH

This section presents the comparison of the detection proposals based on two different views.

1. In the first view, the detection proposals are arranged in a topology map of P2P botnet detection characteristics. The map, shown in Figure 1, aims to clarify how the detection proposals differ from each other. It allows researchers to quickly determine which papers implemented each technique; each paper can appear more than once. The topology map is divided into the following categories to cover the different aspects of the papers:

(1) Detection algorithms: differentiates the types of algorithms.
(a) Neural network-based algorithms use neural networks to build supervised machine learning models for the detection of P2P botnets. The approaches are validated with the following machine-learning algorithms: decision trees [11], boosted REP trees [11], Bayesian networks [11], discrete Fourier transforms and Shannon's entropy theory [12], the Weka machine learning suite [13], SVM [14, 15], J48 [14, 15], C4.5 decision tree classifiers [14, 15], Apache Mahout algorithms [16], and FURIA, a fuzzy rule generating algorithm [17][18].
(b) Heuristic threshold-based algorithms use a threshold for detection. For example, the packet ratio [19], which is the sum of uploaded packets divided by the sum of downloaded packets, must be less than 0.4, combined with a traffic pattern of three periods more than five minutes apart with a standard deviation of less than 150. In addition, the distance between two bot-compromised hosts, decided by the minimum distance between their respective fingerprint clusters, is employed in a previous work [20]; the distances between fingerprint clusters of botnet P2P protocols are smaller than those of legitimate P2P protocols.
(c) Mining-based algorithms use data mining techniques to detect botnets. For example, synergistic graph-mining is applied in a previous work [20], whereas another work [21] is based on mining the periodic patterns of traffic datasets.

(2) Detection techniques: differentiates the main techniques used for detection.
a. Flow-based techniques examine network flows between two nodes.
b. Resource sharing behavior monitoring-based techniques model the evolution of the number of peers sharing a resource in a P2P network over time.
c. Node-based techniques examine the input and output flows for every node.
d. Conversation-based techniques aim to detect the stealthy behavior of P2P botnets.
e. Signature-based techniques inspect each packet in the network traffic.

(3) Detection sources: refers to the location where packets were captured, not how they were captured.
a. Normal packets: the source of verified normal packets.
i. Virtual internal networks capture verified normal packets from an internal and controlled network.
ii. Real networks capture packets from real networks; traffic should be labeled as background if it is not verified.
b. Botnet packets: the source of botnet packets.
i. Honeypots connected to the Internet.
ii. Darknets: packets from a darknet, an overlay network that can only be accessed with specific software, often using non-standard communication protocols and ports [22].
iii. Virtual networks: packets from a controlled virtual network in which malware is manually installed.
iv. Custom produced malware: a modified version of a known malware.
v. Real malware: unmodified real malware binaries are used to infect computers.
vi. Packet logs: previously captured packet logs are utilized.

2. In the second view, the approaches are compared according to a group of important features. The botnet detection proposals exhibit a common set of features that can be employed to better understand them. These features are more significant than the positive results reported in each paper. Next, we describe the key features of a P2P botnet detection proposal. These features help explain and compare the proposals, determine the component lacking in each paper, and identify the fields being over-emphasized. They were created partly based on principles from previous surveys. The features are described as follows:
1. Dataset features: reflect the diversity of the training dataset, the experimental setup, capture on a host or in a network, preprocessing, and training dataset verification, as in Tables 4 and 5.
2. Accuracy-based performance metrics: used to evaluate the performance of the approaches, as in Table 6.
3. Statistical bot detection: determines the statistical bot features that the proposal detects, as in Table 7.
4. Encrypted botnet detection: classifies whether the approach can detect botnets that use encrypted connections, as in Table 8.
5. Real-time botnet detection: classifies whether the approach can detect botnets in real time, as in Table 8.

Both views cover the different sides of the proposals and contribute information on the state of the field. The topology map is the first such map presented for P2P botnet detection.

In the following subsections, these perspectives are employed to compare the detection papers based on the key features, similar to the comparison scheme in the work [23]. The results of the comparisons between the main subjects of the papers are visualized in tables. The comparisons provide important information about the papers: they summarize the details of the works and explain the proposals.
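The heuristic threshold category above is easiest to understand on concrete flow records. The following is an added example, not code from the paper or from [19]: it applies a packet-ratio rule (up/down packet ratio below 0.4) and a traffic-pattern rule (at least three periods more than five minutes apart with a standard deviation below 150, taken here in seconds) to constructed per-host NetFlow-style records. The record layout, what counts as a period, and the choice to require both rules are assumptions of this example.

```python
"""Added example (not from the paper or from [19]): a heuristic threshold
detector in the style of the packet-ratio and traffic-pattern rules the
survey attributes to [19]. The record layout and the exact rule semantics
(what a "period" is, that the 150 is seconds) are this example's assumptions."""
from dataclasses import dataclass
from statistics import pstdev
from typing import Dict, List

PACKET_RATIO_MAX = 0.4        # up/down packet ratio below which a host is suspicious
MIN_PERIOD_GAP_S = 5 * 60     # periods must be more than five minutes apart
MAX_PERIOD_STDEV_S = 150.0    # gaps between periods must be regular (stdev < 150 s)
MIN_PERIODS = 3               # at least three such periods are required


@dataclass
class FlowRecord:
    """One NetFlow-style record for a single host (constructed for this example)."""
    host: str
    start_s: float      # flow start time in seconds since capture start
    pkts_up: int        # packets sent by the host
    pkts_down: int      # packets received by the host


def packet_ratio(flows: List[FlowRecord]) -> float:
    """Sum of uploaded packets divided by sum of downloaded packets.
    Returns infinity when nothing was downloaded, so the ratio test fails safely."""
    up = sum(f.pkts_up for f in flows)
    down = sum(f.pkts_down for f in flows)
    return float("inf") if down == 0 else up / down


def period_gaps(flows: List[FlowRecord]) -> List[float]:
    """Gaps (seconds) between consecutive flow start times, sorted by time."""
    starts = sorted(f.start_s for f in flows)
    return [b - a for a, b in zip(starts, starts[1:])]


def has_periodic_pattern(flows: List[FlowRecord]) -> bool:
    """Traffic pattern rule: at least MIN_PERIODS gaps, every gap longer than
    five minutes, and the gaps regular (population stdev below 150 s)."""
    gaps = period_gaps(flows)
    if len(gaps) < MIN_PERIODS:
        return False
    if any(g <= MIN_PERIOD_GAP_S for g in gaps):
        return False
    return pstdev(gaps) < MAX_PERIOD_STDEV_S


def classify_host(flows: List[FlowRecord]) -> Dict[str, object]:
    """Apply both thresholds; a host is flagged only when both rules fire."""
    ratio = packet_ratio(flows)
    periodic = has_periodic_pattern(flows)
    return {
        "packet_ratio": ratio,
        "ratio_suspicious": ratio < PACKET_RATIO_MAX,
        "periodic": periodic,
        "flagged": ratio < PACKET_RATIO_MAX and periodic,
    }


def sample_flows() -> Dict[str, List[FlowRecord]]:
    """Constructed flows: a host that beacons every ~10 minutes with tiny
    requests and larger replies, and a host with bursty, balanced traffic."""
    beacon = [FlowRecord("10.0.0.5", t, 2, 10) for t in (0, 600, 1210, 1790, 2400)]
    browse = [FlowRecord("10.0.0.9", t, 50, 60) for t in (0, 30, 45, 900, 910)]
    return {"10.0.0.5": beacon, "10.0.0.9": browse}


if __name__ == "__main__":
    for host, flows in sample_flows().items():
        print(host, classify_host(flows))
```

The beaconing host is flagged because its ratio is 0.2 and its four gaps (600, 610, 580, 610 s) are all over five minutes with a spread of about 12 s; the browsing host fails both rules.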
Figure 1: Topology map of the detection characteristics of P2P botnets
P2P botnet detection characteristics
  Detection algorithms
    Neural network based [11-15, 24]
    Heuristic threshold based [19, 25-28]
    Mining-based [20, 21]
  Detection techniques
    Flow-based [11-15, 17, 18, 20, 21, 28, 29]
    Resource sharing behavior monitoring based [14]
    Node based [16, 27, 30]
    Conversation based [11, 13, 19, 26]
  Detection sources
    Normal sources
      Virtual networks [16, 26, 28, 29]
      Real networks [11, 17, 20, 25, 29]
      Produced networks [12-15, 19, 21, 24, 27, 29, 30]
    Botnet sources
      Virtual networks [16, 26]
      Real malware networks [17, 20, 21, 25-27]
      Honeypots [14, 21, 30]
      Darknets
      Custom produced malware [11, 15, 19, 25, 26, 28-30]
      Packet logs [12, 13, 24]

3.1 The categories of detection techniques comparison

Table 2 presents the categories of detection techniques used in each paper. The proposed solutions for P2P botnet detection can be classified into the following techniques:
1) Flow-based or flow-analysis-based botnet detection [11-15, 17, 18, 20, 21, 28, 29] analyzes network flows between two nodes by aggregating the packets that belong to the same flow, where a flow is defined as the set of packets with the same source address, source port, destination address, and destination port. The principle of the flow-based methods is to model the botnet communication patterns through flow features, such as the count of packets in the flow and the order of packet arrivals. The extracted flow features are used to build classifiers that can distinguish malicious bot flows from normal flows. Thus, flow-based analysis can detect malicious bots based on the similarity of their behavior with that of known bots. However, flow-based techniques have two restrictions. First, all the flows between any two nodes need to be analyzed, although most of these flows belong to normal network nodes.
Second, the flow features must be extracted at runtime, which implies that the analysis needs a huge computational overhead at runtime.
2) Resource sharing behavior monitoring-based detection [25] is grounded on modeling the evolution of the number of peers sharing a resource in a P2P network over time. This allows the detection of abnormal behaviors associated with parasite P2P botnet resources in this kind of environment.
3) Node-based detection [16, 27, 30] examines the input and output flows for every node: the approaches aggregate behavioral metrics for each P2P node (host) seen in network communications and use them to distinguish benign P2P hosts from hosts infected by P2P botnets.
4) Conversation-based detection [11, 13, 19, 26] does not rely on deep packet inspection or signature-based mechanisms. This approach aims to detect the stealthy behavior of P2P botnets, that is, when they lie hidden in their rally or waiting stages or while they perform malicious activities (spamming, password stealing, etc.) that are not observable by a network administrator.

Table 2: Categories of comparing detection techniques
Flow based: [12, 17, 18, 20, 21, 24, 27-30]
Node based: [16, 30]
Based on resource sharing behavior monitoring: [25]
Conversation-based: [11], [14, 15, 19, 26]
Hybrid with flow-based and conversation-based: [13]
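To make the flow-based technique of Section 3.1 concrete, here is an added example that is not code from the paper or from any cited proposal: it aggregates constructed packet records into flows keyed by the 4-tuple (source address, source port, destination address, destination port) the survey uses, extracts per-flow features (packet count, volume, duration, inter-arrival timing), and flags flows whose feature vector lies close to a constructed known-bot profile. The packet layout, feature choice, distance threshold and bot profile are all assumptions of the example.

```python
"""Added example (not the paper's or any cited proposal's code): the flow
aggregation step the survey describes for flow-based detection, plus a
minimal similarity-to-known-bot classifier. Packet records, features, the
known-bot profile and the threshold are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]   # (src addr, src port, dst addr, dst port)


@dataclass
class Packet:
    ts: float       # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    length: int     # payload bytes


@dataclass
class FlowFeatures:
    packets: int
    total_bytes: int
    duration_s: float
    mean_iat_s: float   # mean inter-arrival time between packets in the flow


def aggregate_flows(packets: List[Packet]) -> Dict[FlowKey, FlowFeatures]:
    """Group packets by the 4-tuple the survey uses to define a flow and
    extract per-flow features (count, volume, duration, packet timing)."""
    buckets: Dict[FlowKey, List[Packet]] = defaultdict(list)
    for p in packets:
        buckets[(p.src, p.sport, p.dst, p.dport)].append(p)
    flows: Dict[FlowKey, FlowFeatures] = {}
    for key, pkts in buckets.items():
        pkts.sort(key=lambda p: p.ts)            # order of arrival matters
        times = [p.ts for p in pkts]
        iats = [b - a for a, b in zip(times, times[1:])]
        flows[key] = FlowFeatures(
            packets=len(pkts),
            total_bytes=sum(p.length for p in pkts),
            duration_s=times[-1] - times[0],
            mean_iat_s=mean(iats) if iats else 0.0,
        )
    return flows


def feature_vector(f: FlowFeatures) -> Tuple[float, float, float]:
    """Features compared against the bot profile: bytes per packet, mean IAT, count."""
    return (f.total_bytes / f.packets, f.mean_iat_s, float(f.packets))


def distance(a: Tuple[float, ...], b: Tuple[float, ...]) -> float:
    """Plain Euclidean distance; a real system would scale the features first."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


# Constructed "known bot" profile (assumption): 60-byte keep-alives every 30 s,
# six per flow. A real detector would learn this from labelled bot flows.
KNOWN_BOT_PROFILE = (60.0, 30.0, 6.0)
BOT_DISTANCE_THRESHOLD = 15.0


def classify_flows(flows: Dict[FlowKey, FlowFeatures]) -> Dict[FlowKey, bool]:
    """Flag a flow when its feature vector is close to the known-bot profile."""
    return {k: distance(feature_vector(f), KNOWN_BOT_PROFILE) < BOT_DISTANCE_THRESHOLD
            for k, f in flows.items()}


def sample_packets() -> List[Packet]:
    """Constructed capture: a beaconing bot flow and a short HTTPS download."""
    bot = [Packet(float(t), "10.0.0.5", 40000, "203.0.113.7", 6881, 60)
           for t in range(0, 180, 30)]
    web = [Packet(t, "10.0.0.9", 51000, "198.51.100.2", 443, n)
           for t, n in ((0.0, 500), (0.1, 1400), (0.2, 1400), (0.3, 1400), (0.5, 200))]
    return web + bot      # deliberately interleaved; aggregation must sort by time


if __name__ == "__main__":
    for key, flagged in classify_flows(aggregate_flows(sample_packets())).items():
        print(key, "BOT" if flagged else "normal")
```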
3.2 Comparison of detection algorithms

Table 3 shows a comparison of the algorithms used in each paper for detecting botnets. Creating this table was difficult because some proposals did not explain the details of their algorithms. Most papers used one or more machine learning algorithms to detect the botnets.

Table 3: Comparison of detection algorithms
[29] Convergence between the set of IPs
[30] Machine learning algorithm
[25] Popularity threshold
[11] Machine learning algorithms: decision trees, boosted REP trees, and Bayesian networks
[12] Machine learning based on discrete Fourier transforms and Shannon's entropy theory; K-nearest neighbor algorithm (signal processing)
[13] Weka machine learning suite
[14] K-means clustering; machine learning algorithms: SVM, J48, and C4.5 decision tree classifiers; Euclidean distance
[26] Offline detection depends on the success rate of the connection; Markov chain. Online detection by counting the number of data flows for source and destination addresses
[19] Based on traffic meta-data of the NetFlow protocol: a) packet ratio, b) traffic pattern
[20] Synergistic graph-mining
[15] Machine learning algorithms (e.g. SVM, J48, C4.5)
[24] Machine learning technique; the unsupervised incremental K-means clustering algorithm
[16] Machine learning algorithms / Apache Mahout algorithms
[21] Based on mining the periodic patterns of traffic datasets
[28] Based on the distance between two bot-compromised hosts
[17] Machine learning using FURIA, a fuzzy rule generating algorithm
[27] Aggregation of flows corresponding to P2P network activities; analysis of their network behavior patterns

3.3 Comparison of the detection sources

This subsection presents a comparison of the normal and botnet data sources used by the proposed methods, as given in Tables 4 and 5. These datasets were used for training or verifying the proposed methods.
The dataset is the main factor in validating the papers, so studying the design and methodology of the datasets is necessary to understand the conditions of the experimental results. In these tables, we use the following terms. The term produced refers to botnets that were collected by the authors from public source code. Produced botnets must be initialized before being used, so these malwares are not identical to those in natural botnets; however, the implications of using modified malware are normally underestimated. The term virtual is also used in these tables to refer to the use of virtual networks; using virtualization technology is commonly accepted for malware execution. Finally, the terms training and testing are adopted with reference to the training and testing phases of the approach, respectively. When only one of these labels appears, the method did not use the other phase. After studying these tables, we found that most proposals do not have all types of dataset. If an algorithm must be trained, at least independent training and testing datasets should be used. There is one paper without datasets [24]. Moreover, a few proposals use the same training and testing datasets. The tables also help to compare the amount of data used in each method. In addition, some methods generated different numbers of bots in a virtual network.

Table 4: Comparison of normal sources for detection (normal packets)
[29] Testing: Mbps from private traffic; five real legitimate P2P clients from DNS traffic and five virtual legitimate P2P clients of popular P2P applications
[30] Testing: capturing at time intervals of 10, 20, 60, and 180 seconds
[25] Training: three-fourths of the 34,075 resources consulted on four websites, where 14,869 resources are corroborated as legitimate. Testing: one-fifth of the resources
[11] Training: data from two P2P applications (emule and utorrent) and two P2P botnet applications (Waledac and Storm) were used for this work. Testing: benign P2P data: 50,000 conversations each of emule and utorrent
[12] Testing: 78,000 conversations of clean data were sampled from multiple P2P applications, namely emule, utorrent, Vuze, and Frostwire
[13] Testing: 50,000 conversations each of emule and utorrent
[14] Training: 794 benign P2P clusters
[26] Testing: simulating 4 P2P zombie hosts, A1, A2, A3, A4; capturing each virtual machine's traffic for 2 minutes with an interval of 1 minute
[19] Testing: flows of 7 P2P traffic; the data set includes compiled web traffic by crawlers
[20] Testing: 24 hours from a Trans-Pacific backbone line between the U.S. and Japan; 3,528,849 unique IPs and 82,380,945 flows; 89% TCP, 11% UDP
[15] Training: 2,975 P2P flow clusters. Testing: three hours of anonymized NetFlow for 4,347 IP addresses
[24] -
[16] Training: for a number of days, the data of P2P applications were generated in a private lab environment
[21] Testing: the ISOT lab; university campus; one hour of live emule traffic
[28] Testing: several hours (e.g. 24 or 5 hours) of two virtual P2P applications
[17] Training: university campus. Testing: as training
[27] Testing: 24 hours, three P2P applications; two hosts for each

Table 5: Comparison of botnet sources for detection (botnet packets)
[29] Testing: produced 16 P2P bots; the Storm traces included 13 hosts and the Waledac traces three hosts
[30] Testing: produced dataset by combining Storm and Waledac
[25] Testing: monitoring the Internet for three months, a total of 71,135 resources shared by millions of different IPs
[11] Testing: 50,000 conversations each for Storm and Waledac
[12] Testing: 10,000 conversations each for Storm and Waledac; 2,657 conversations for Zeus
[13] Testing: 50,000 conversations each of Storm and Waledac
[14] Training: 80% of 1,445 malware clusters. Testing: 20% of 1,445 malware clusters
[26] Testing: produced five virtual P2P hosts, the traffic of each captured for two minutes
[19] Testing: 2,125 traffic flows of three different binaries of the Zeus P2P malware were obtained via the public sandbox malwr.com
[20] Testing: 13 hosts infected with Storm and 82 hosts with Nugache for a period of 24 hours
[15] Training: 1,317 P2P malware samples, belonging to 8 different malware families, to build the malware classifier. Testing: three hours of NetFlow for 4,347 distinct IP addresses
[24] Training: 20,000 malware samples over three months. Testing: 85% of the P2P malware learning set, and 15% malware samples
[16] Testing: two-thirds of 3.9 GB for Storm and Waledac. Training: 1/3 of the data set
[21] Testing: university campus
[28] Testing: produced two P2P botnets, Storm and Waledac; Storm contains 13 different bot-compromised hosts, whereas Waledac contains three
[17] Training: two university campuses. Testing: the same as training
[27] Testing: 24 h for two P2P applications; 13 hosts for the first and three hosts for the second
3.4 Comparison of accuracy-based performance metrics

The accuracy-based performance metrics can be measured by multiple techniques [24]. Table 6 presents the most important results of this work. The table shows that some values were not computed at all, and none of the papers reported all the values. Most of the papers did not compute a total value for each metric (where the G reference was utilized); instead, the proposals presented partial values for each experiment. Moreover, most of the papers did not compute some values at all; therefore, we calculated the missing metrics from their counterpart values (the C reference). Finally, none of the papers reported the F-measure and the error rate metrics. Table 6 summarizes the following metrics:
True positives (TP): the number of positive cases properly classified as positive.
False negatives (FN): the number of positive cases classified as negative.
False positives (FP): the number of negative cases classified as positive.
True negatives (TN): the number of negative cases properly classified as negative.
The metrics can be described based on these definitions:
Percent correct or accuracy = (TP + TN)/(TP + FN + FP + TN).
Error rate = (FN + FP)/(TP + FN + FP + TN).
Precision = TP/(TP + FP).
True-positive rate (TPR) or recall = TP/(TP + FN).
True-negative rate (TNR) = TN/(FP + TN).
False-negative rate (FNR) = FN/(TP + FN), also 1 - TPR.
False-positive rate (FPR) = FP/(FP + TN), also 1 - TNR.
F-measure = the harmonic mean of precision and recall (TPR).
Table 6 shows that none of the papers presents the four basic metrics together. If a proposal only reports the TPR value, understanding the significance of its results is very difficult. We use the following references for the computed, non-original values:
G: generating a final value from isolated results.
C: when there is no value for some metric.
However, we could calculate an approximation as the complement of its counterpart value: FPR = 1 - TNR, FNR = 1 - TPR, TNR = 1 - FPR and TPR = 1 - FNR.
-: no value or computation was reported.

Table 6: Comparison of accuracy-based performance metrics
Columns: FPR a (%), FNR b (%), TPR c (%), TNR d (%), error rate (%), F-measure (%), percent correct. The values that survive are listed per paper in column order; empty cells are omitted.
[29] 0.2 (G), 0.8 (C), 100% (C)
[30] 0-2 (G), % (G)
[25] 0.5 (G), >99%
[11] 0.012 (G), 0.036 (C), % (G)
[12] 0.08 (C), 0.92 (G), 88%
[13] 2-3 (G), 5-12 (C), 88-95%
[14] 20 (G), 93% (G)
[26] -
[19] 0 (G), 100 (G), 100% (G)
[20] 23 (G), 6.6 (G), 91.8%, 98.1 (G)
[15] 0.8 (G), 3.5 (G), 1 (G), 99.2 (C), 99%
[24] 97.6%
[16] (C), (C)
[21] -
[28] 2, 98 (C), 2 (C), 98 (C), 100%
[17] 0.01 (C), %
[27] (C), % (C), 98.5 (C)
a. FPR, false-positive rate; b. FNR, false-negative rate; c. TPR, true-positive rate; d. TNR, true-negative rate.
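The metric definitions of Section 3.4 and the counterpart rule used to fill Table 6 can be checked on constructed confusion counts. The following is an added example, not code from the paper: metrics_from_counts computes all eight metrics from TP, FN, FP and TN, and complete_rates fills a missing rate from its complement, labelling such values C as the survey does (the label "reported" for directly given values is this example's own).

```python
"""Added example (not from the paper): the accuracy-based metrics of
Section 3.4 computed from the four basic counts, plus the counterpart rule
(reference C) that fills a missing rate from its complement. The confusion
counts used below are constructed."""
from typing import Dict, Optional


def metrics_from_counts(tp: int, fn: int, fp: int, tn: int) -> Dict[str, float]:
    """All eight metrics from Section 3.4 as fractions in [0, 1]; a zero
    denominator yields 0.0 instead of raising."""
    def ratio(num: float, den: float) -> float:
        return num / den if den else 0.0

    total = tp + fn + fp + tn
    precision = ratio(tp, tp + fp)
    tpr = ratio(tp, tp + fn)              # recall
    tnr = ratio(tn, fp + tn)
    return {
        "accuracy": ratio(tp + tn, total),
        "error_rate": ratio(fn + fp, total),
        "precision": precision,
        "tpr": tpr,
        "tnr": tnr,
        "fnr": ratio(fn, tp + fn),        # equals 1 - TPR
        "fpr": ratio(fp, fp + tn),        # equals 1 - TNR
        # F-measure: harmonic mean of precision and recall
        "f_measure": ratio(2 * precision * tpr, precision + tpr),
    }


# Each rate can be recovered from its complement when a paper omits it.
COUNTERPART = {"fpr": "tnr", "tnr": "fpr", "fnr": "tpr", "tpr": "fnr"}


def complete_rates(reported: Dict[str, Optional[float]]) -> Dict[str, Dict[str, object]]:
    """Fill missing FPR/FNR/TPR/TNR values from their counterparts.
    Directly given values are labelled "reported"; derived ones carry the
    survey's C label; rates that cannot be derived stay None with label "-"."""
    out: Dict[str, Dict[str, object]] = {}
    for name in ("fpr", "fnr", "tpr", "tnr"):
        value = reported.get(name)
        if value is not None:
            out[name] = {"value": value, "source": "reported"}
            continue
        other = reported.get(COUNTERPART[name])
        if other is not None:
            out[name] = {"value": 1.0 - other, "source": "C"}
        else:
            out[name] = {"value": None, "source": "-"}
    return out


def consistent(tp: int, fn: int, fp: int, tn: int) -> bool:
    """Sanity check: the complement rule agrees with the direct definitions."""
    m = metrics_from_counts(tp, fn, fp, tn)
    return (abs(m["fpr"] - (1 - m["tnr"])) < 1e-12
            and abs(m["fnr"] - (1 - m["tpr"])) < 1e-12)


if __name__ == "__main__":
    print(metrics_from_counts(90, 10, 5, 95))          # constructed counts
    print(complete_rates({"tpr": 0.98, "fpr": 0.02}))   # a paper reporting only TPR and FPR
```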
3.5 Dataset comparison

This comparison covers the different datasets that were captured and the types of botnets analyzed. Establishing a varied dataset is essential because every botnet has unique characteristics. The applicability of each approach can be analyzed by studying the botnets included in the training and testing datasets. Tables 4 and 5 demonstrate that several proposals used only small numbers of botnets for training and testing. Other proposals employed the same dataset for training and testing.

3.6 Comparison of statistical features

This comparison covers the statistical features used by the proposals to detect botnets. Table 7 shows the features used in the different papers; the paper [23] does not use any statistical features. We can analyze and compare the proposed approaches according to the kind of features used to detect the botnet in each of them.

Table 7: Comparison of statistical features
[29] The active time of a P2P client.
[30] Statistics on the packets.
[25] Number of bots of a parasite botnet, mean duration of the sharing phase of botnet resources, mean bot arrival and leaving rates, and disappearing interval.
[11] The duration of the conversation, the inter-arrival time of packets, the amount of data exchanged, number of packets.
[12] Duration, payload, inter-arrival times, number of packets, and compression ratio.
[13] Flow features: protocol, packets per second (f/w), packets per second (b/w), average payload size (f/w), and average payload size (b/w). Conversation features: conversation duration, number of packets exchanged in the conversation, volume of data exchanged, and median of the inter-arrival time.
[14] Periodicities, chunk rate and geographical distribution.
[26] (1) ICMP reports in the initial stage, (2) the same communication traffic in the trance stage, (3) SMTP in the attack stage.
[19] Packet ratio and traffic pattern.
[20] Volume and duration.
[15] Time of malware activity, space (chunk rate and distributed P2P) and size of NetFlow.
[24] Flow size, number of packets, bits per packet, and flow duration.
[16] Number of destination hosts, volume of data sent, and the average TTL value.
[21] The time series, the event time series.
[28] T_P2P a, N_f b, No-DNS peers c, N_clust d, N_bgp e, T_p2p f
[17] The numeric flow level.
[27] No statistical features.
a. T_P2P: the active time of the P2P application; b. N_f: the number of failed connections per hour; c. No-DNS peers: the percentage of flows associated with no domain names; d. N_clust: the number of clusters; e. N_bgp: the largest number of unique BGP prefixes in one cluster; f. T_p2p: the estimated active time for the P2P application.

3.7 Comparison of encrypted, unknown and real-time botnet detection

Table 8 shows the comparison between the approaches in terms of whether they can detect encrypted botnets, unknown botnets, and botnets in real time.

Table 8: Encrypted, unknown and real-time botnet detection
Real-time: [13-15, 19, 20, 27, 28]
Encrypted: [11-18, 27-30]
Unknown: [13, 20, 24, 28]
4. DISCUSSION OF THE P2P-BASED BOTNET DETECTION FIELD

This section discusses the problems encountered in P2P botnet detection. The analysis of the previous surveys and of the botnet detection methods determines the solved problems, the algorithms used, and the questions that remain unanswered. The field has achieved good results. However, many open problems remain to be solved. The following paragraphs discuss some general problems.
1. Rebuilding. Most methods cannot be rebuilt (reproduced) for two reasons. First, the datasets were not published. Second, the information about the methods is insufficient: without a detailed description of the algorithms, the thresholds used, and the characteristics, reproduction may be unachievable. The papers did not present their datasets or the information necessary to recalculate their results.
2. Number of nodes. The number of nodes in the P2P network is important for detecting botnets. The number of nodes normally depends on the design of the proposal. Most proposals require many nodes and packets to obtain meaningful results. This limitation may adversely affect the future implementation of the method, since many nodes can only be obtained by capturing packets in large networks.
3. Filtering of data. An important phase of botnet detection research is the filtering of the data before feature extraction. Some proposals tend to over-filter the data and produce algorithms that work better with a specific dataset. For example, some proposals filter out UDP or Internet Control Message Protocol packets without further explanation [12], narrowing the sample to match their hypothesis.
4. Issues of the performance metrics. Three important issues were identified regarding the accuracy-based performance metrics. The first issue, as shown in Table 7, is that most proposals did not compute the entire set of metrics. This implies that most proposals cannot be compared, and the effectiveness of these methods is difficult to determine.
The second issue is that some methods do not give a complete description of the design of their experiments. The third issue is that many papers did not provide specific values for the metrics used; instead, they used quantifiers such as high or low, as in [11, 12, 15, 20, 28-30].
5. Comprehensive dataset. Employing a good dataset can lead to effective methods, whereas a dataset with few botnets can lead to very limited methods. For example, some previous works [15, 28, 29] used fewer than five botnets.
6. The design. The experiments should be carefully designed to achieve meaningful results. The mixture of normal and botnet data in the dataset is important for accepting the experiment. One paper presents a balanced mixture of the dataset similar to reality, but without explaining the process [21]. Different balances produce different results and benefits; nevertheless, packets of normal activity are far more common than botnet activity. The mixture is preferably achieved by merging traffic, although the result is then more difficult to determine.
7. Dynamic methods. The detection methods should be dynamic in order to discover changes in botnet plans. Increasing the detection of unknown botnets is needed; several methods have carried out experiments with unknown botnets [14, 24].

5. CONCLUSIONS

We studied the previous surveys and the most significant and latest papers in the P2P-based botnet detection field. The previous surveys, botnet detection features, topology map, and P2P-based proposals were analyzed and compared to understand the problems in the field. These results are useful for future work and for developing research in the field. The present study has the following restrictions. First, most of the studied works did not show the details of their algorithms. Second, most datasets cannot be rebuilt. Third, the works did not present complete results. These restrictions have made comparisons between the papers difficult.
We found that the main problems in the previous surveys are undefined terminology, insufficient analysis of the papers, the small number of works covered, and a focus on different features of the methods. We determined that the difficulties in the field that need consideration are: datasets that contain a small number of botnets, different mixtures of traffic for building the datasets, inaccurate experimental outcomes, insufficient comparison with other works, non-standard datasets, and performance metrics without precise results. In addition to these difficulties, there is the fast development of botnets and the complexity of building and running real botnets. Based on these results, we determine the following properties for detecting botnets. First, the focus must not be on finding the best ways, but on determining the most useful detection method. Second, approaches that consider the dynamic change of behavior with respect to time will be better at detecting botnets. Third, to detect new botnets, the general features are used, even though some particular features are missed. Fourth, utilizing hybrid detection methods gives a good approach to doubling the accuracy of the results. Finally, when a large amount of data is used in experiments, this produces accurate results for the proposals. Future work should focus on designing a standard dataset and on increasing the number of methods covered in comparisons.
6. ACKNOWLEDGMENTS

This research is supported by the Department of Information Technology, Al-Huson University College, Al-Balqa Applied University.

REFERENCES

[1] P. Narang, J.M.R., and C. Hota, Feature selection for detection of peer-to-peer botnet traffic. In Proceedings of the 6th ACM India Computing Convention, 2013: p. 16:1-16:9.
[2] Dittrich, D. and S. Dietrich, P2P as botnet command and control: a deeper insight. In Malicious and Unwanted Software, MALWARE rd International Conference on. 2008: IEEE.
[3] Lemos, R., Bot software looks to improve peerage.
[4] J. B. Grizzard, V.S., C. Nunnery, B. B. Kang, and D. Dagon, Peer-to-peer botnets: Overview and case study. In Proceedings of USENIX HotBots'07.
[5] T. Holz, M.S., F. Dahl, E. Biersack, and F. Freiling, Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm Worm. In Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08).
[6] Vadivu, P.S. and K.S. Karthika, A Survey On Botnet Detection Approaches In Peer-To-Peer Network. International Journal of Advances in Computer Science and Technology, (5): p.
[7] Elhalabi, M.J., et al., A Review of Peer-To-Peer Botnet Detection Techniques. Journal of Computer Science, (1): p.
[8] Han, K.-S. and E.G. Im, A Survey on P2P Botnet Detection. Proceedings of the International Conference on IT Convergence and Security 2011: p.
[9] Ghalebandi, S.G., R.B.M. Noor, and A.H. Lashkari, A Survey on P2P Botnets Detection. In International Conference on Computer Engineering and Technology, 3rd (ICCET 2011). 2011: ASME Press.
[10] Pouget, F. and M. Dacier, Honeypot-based forensics. In AusCERT Asia Pacific Information Technology Security Conference.
[11] Narang, P., et al., PeerShark: Detecting Peer-to-Peer Botnets by Tracking Conversations.
[12] Narang, P., V. Khurana, and C. Hota, Machine-learning approaches for P2P botnet detection using signal-processing techniques. In Proceedings of the 8th ACM International Conference on Distributed Event-Based Systems. 2014: ACM.
[13] Narang, P., C. Hota, and V. Venkatakrishnan, PeerShark: flow-clustering and conversation-generation for malicious peer-to-peer traffic identification. EURASIP Journal on Information Security, (1): p.
[14] Kheir, N., X. Han, and C. Wolley, Behavioral fine-grained detection and classification of P2P bots. Journal of Computer Virology and Hacking Techniques, 2014: p.
[15] Kheir, N. and C. Wolley, BotSuer: Suing stealthy P2P bots in network traffic through netflow analysis, in Cryptology and Network Security. 2013, Springer. p.
[16] Narang, P., A. Thakur, and C. Hota, Hades: a Hadoop-based framework for detection of peer-to-peer botnets. In Proceedings of the 20th International Conference on Management of Data. 2014: Computer Society of India.
[17] Barthakur, P., M. Dahal, and M.K. Ghose, Adoption of a Fuzzy Based Classification Model for P2P Botnet Detection.
[18] Hühn, J. and E. Hüllermeier, FURIA: an algorithm for unordered fuzzy rule induction. Data Mining and Knowledge Discovery, (3): p.
[19] Dillon, C., Peer-to-Peer Botnet Detection Using NetFlow.
[20] Hang, H., et al., Entelecheia: Detecting p2p botnets in their waiting stage. In IFIP Networking Conference, : IEEE.
[21] Qiao, Y., et al., Detecting P2P bots by mining the regional periodicity. Journal of Zhejiang University SCIENCE C, (9): p.
[22] Mansfield-Devine, S., Darknets. Computer Fraud & Security: p.
[23] García, S., A. Zunino, and M. Campo, Survey on network based botnet detection methods. Security and Communication Networks, (5): p.
[24] Kheir, N. and X. Han, Peerviewer: Behavioral tracking and classification of P2P malware, in Cyberspace Safety and Security. 2013, Springer. p.
[25] Rodríguez-Gómez, R.A., et al., Resource monitoring for the detection of parasite P2P botnets. Computer Networks: p.
[26] Fan, Y. and N. Xu, A P2P Botnet Detection Method Used On-line Monitoring and Off-line Detection. International Journal of Security & Its Applications, (3): p.
[27] He, J., et al., PeerDigger: Digging Stealthy P2P Hosts through Traffic Analysis in Real-Time. In Computational Science and Engineering (CSE), 2014 IEEE 17th International Conference on. 2014: IEEE.
[28] Zhang, J., et al., Detecting stealthy P2P botnets using statistical traffic fingerprints. In Dependable Systems & Networks (DSN), 2011 IEEE/IFIP 41st International Conference on. 2011: IEEE.
[29] Zhang, J., et al., Building a scalable system for stealthy p2p-botnet detection.
[30] Yin, C., et al., Towards Accurate Node-based Detection of P2P Botnets. The Scientific World Journal.

AUTHOR

Atef Ahmed Obeidat received the B.S. degree in Computer Science from Yarmuk University in 1991 and the M.S. degree in Computer Science from Jordanian University in . He received the PhD degree in communication and network systems from Novosibirsk State Technical University in
More information