BOTNET BEHAVIOR ANALYSIS USING NAÏVE BAYES CLASSIFICATION ALGORITHM WITHOUT DEEP PACKET INSPECTION

Transcription

1 International Journal of Computer Engineering and Applications, Volume IX, Issue VIII, August ISSN BOTNET BEHAVIOR ANALYSIS USING NAÏVE BAYES CLASSIFICATION ALGORITHM WITHOUT DEEP PACKET INSPECTION Sushil Buriya, Dr. D.S. Bhilare, Amreesh Kumar Patel and Satyendra Singh Yadav School of Computer Science & IT, DAVV, Indore, M.P., India ABSTRACT: Botnet is one of the most dangerous cyber security issues among the diverse forms of cyber threats. They are used to commit various kind of cyber crime like click fraud, personal information stealing, Distributed Denial of Service attack, sending spam etc. Cloud Services provide a new platform to launch botnet attacks due to their high reliability and scalability. Botnet detection techniques that operate on network traffic require deep packet inspection for signature matching. Adoption of these techniques for cloud based botnets is undesirable due to large amount of network traffic. Also it is a privacy issue with analysis of payloads for Cloud Service Providers. In this paper, we present the performance analysis of a supervised machine learning algorithm Naïve Bayes Classifier to detect botnet activity using C&C NetFlow traffic between bots with different possible feature without deep packet inspection of network traffic. Keywords: Cyber Attacks, Network Security, NetFlow, Classification, Botnet, Botnet Behavior Analysis [1] INTRODUCTION Botnet is a large collection of compromised computer systems connected over internet that works in a cluster to perform harmful activity on another network or computer system with malicious intent [1]. These compromised or infected machines called bots are controlled by an attacker who known as botmaster [2]. Botmasters commit criminal activity like denial of service attacks, spam, espionage, click fraud, and phishing more effectively by using the army of controlled and compromised bots for financial gains. Botnet attacks are highly dynamic, stealth and fast [3]. Botnet is the most dangerous cyber security issues among the diverse forms of cyber threats. Emergence of cloud computing technology provide a platform for botmasters to deploy botnet on large scale with immediate effects and a powerful bot army to perform attacks on other networks [4]. Various automated botnet detection methods have been proposed. Botnet detection has difficulties in three categories. 1.) Botnet traffic is similar to normal traffic and it may be encrypted. 2.) Botmasters use fast-flux hosting to hide origins and stay active for longer. 3.) Botnet techniques requires large amount of data for analysis [5]. Sushil Buriya, Dr. D.S. Bhilare, Amreesh Kumar Patel and Satyendra Singh Yadav 45

2 BOTNET BEHAVIOR ANALYSIS USING NAÏVE BAYES CLASSIFICATION ALGORITHM WITHOUT DEEP PACKET INSPECTION Command and Control channels differentiate botnets from onther malwares. Command and Control channels are used by botmaster to command bots to execute attack activities. C&C communications are only traffic transfers between members of bots before they attack their victim. C&C traffic is helpful to detect member of botnets before they cause any malicious activity [6]. NetFlow data related to C&C channels can be a valuable resource for detecting member of bot family without inspecting the payloads. NetFlow is a traffic summary technology by cisco systems. NetFlow uses the limited footprints in terms of monitoring requirements and processing [7]. Today, many botnet detection methods have been proposed. Most of the methods are reactive methods. Reactive methods detect the botnet while attack is on progress through botnet. One prominent class of botnet detection relies on machine learning algorithms as a mean of identifying suspicious traffic. Main assumption behind these approaches is the distinguishable patterns created by botnets in network traffic. Learning implies ability to train the system according to the previous data and recognize complex patterns to make qualified decisions [8]. Naïve Bayes classification is a machine learning algorithm based on supervised learning approach. Naïve bayes classification is based on the conditional probability theorem known as baye theorem [9]. In this paper we present the performance analysis of Naïve bayes classifier for analysis of C&C NetFlow generated by member of botnets for different possible features of NetFlow data and indentify the best possible set of features that gives the efficient performance in terms of CPU run time and correctness of results. The rest of the paper is organized as follows. In the next section background studies related to machine learning approaches for botnet detection are presented. In section 3 design of NetFlow Traffic Analyzer is described. Section 4 will demonstrates the experiments performed and section 5 discusses the results. Finally, we conclude this paper in section 6. [2] LITERATURE REVIEW The first workshop about Botnets was held in 2007 and since then various detection approaches have been proposed and also some real botnet detection systems have been implemented. Botnet detection is a really challenging problem [3]. Machine learning algorithm techniques for botnet detection are the most prominent approaches for botnet detection [10]. The assumption behind the machine learning approaches is that botnet creates a distinguishable pattern that could be discovered by Machine Learning Algorithms [11]. Strayer et al. have demonstrated the use of supervised machine learning algorithms for identifying botnet traffic. The classification of TCP flows using supervised MLAs plays a key role. For the classification of network traffic flows, three MLAs: Naive Bayesian, Bayesian network and C4.5 decision tree are providing relatively low false positive and false negative rates (under 3%). The main disadvantage of the approach is the fact that it is only for TCP traffic [12]. Florian Tegeler et al. presented a system BotFinder that detects infected hosts in a network using high-level properties of the botnet traffic without content analysis. It uses machine learning to identify the key features of C&C communication. It extracts five statistical features from NetFlow traces and creates a model using clustering algorithm for known botnet dataset. 46

3 International Journal of Computer Engineering and Applications, Volume IX, Issue VIII, August ISSN The models are used to detect the infected hosts in actual detection phase. It works without deep inspection of packets, so it has capability to investigate encrypted traffic also. If a botmaster uses randomization techniques for C&C communication, it degrades the detection quality of BotFinder. Another limitation of BotFinder is high fluctuation of C&C servers IPs, it also degrade the detection quality of BotFinder [13]. Disclosure is a large scale, wide area botnet detection system that uses NetFlow data to detect the C&C servers of botnet. It reliably distinguishes C&C channels from actual traffic using NetFlow records: (i) flow sizes, (ii) client access patterns, and (iii) temporal behavior. It uses random forest classifier algorithm to build detection models. Authors demonstrate that Disclosure is able to perform real-time detection of botnet C&C channels over data sets on the order of billions of flows per day. Randomization in communication patterns of bots with C&C servers degrades the performance of Disclosure [14]. Fariba Haddadi et al. employed two machine learning algorithms, namely C4.5 decision tree and symbolic bid-based (SBB), to generate botnet detection automatically. Two different feature sets are analyzed to check the performance of both machine learning algorithms for different botnet behaviors. Result of analysis describes that SBB performed better than C4.5 in term of the solution complexity [15]. Sherif Saad et al. propose an approach for characterizing and detecting using network traffic behaviors. The approach focus on P2P bots during C&C phases (Waiting). Authors extract and analyze a set of features using five machine learning techniques, namely, Support Vector Machine (SVM), Artificial Neural Network (ANN), Nearest Neighbors Classifier (NNC), Gaussian Based Classifier (GBC), and Naïve Based Classifier (NBC). 17 features that can be extracted from network flows and host communication patterns analyzed using 5 machine learning techniques. Four metrics are used to evaluate each machine learning techniques. The SVM, ANN, and NNC are top three machine learning techniques that can be used to build a botnet detection framework. None of these techniques satisfy the requirement of online botnet detection framework [16]. Matija Stevanovic et al. explores in their study how accurate and timely detection can be achieved by supervised machine learning algorithms of botnet from network flow data. 17 netflow feature attributes are used to detect botnet in network traffic by analyzing traffic using eight supervised machine learning algorithms [17]. In this paper we aim to reduce the statistical features for identification of botnet activity in network traffic using Naïve Baise classification algorithm with high rate of accuracy. [3] NETWORK TRAFFIC ANALYZER In order to identify botnet activity in network we propose a Network Traffic Analyzer that classifies NetFlow traffic as botnet traffic flow or normal traffic flow using supervised learning Naïve Bayes classification algorithm, illustrated in [Figure-1]. The NetFlow Traffic Analyzer has two phases: First is training phase that uses the previously known training NetFlow data to prepare a model. Second is the actual detection phase that utilizes the model prepared in training phase to investigate the NetFlow data to detect C&C channels patterns in netflow traffic. The Model has following components: Sushil Buriya, Dr. D.S. Bhilare, Amreesh Kumar Patel and Satyendra Singh Yadav 47

4 BOTNET BEHAVIOR ANALYSIS USING NAÏVE BAYES CLASSIFICATION ALGORITHM WITHOUT DEEP PACKET INSPECTION (i.) Traffic Collector: The traffic collector receives NetFlow data or captured data from probes which are responsible for capturing the packets. A NetFlow collector accepts traffic from router via UDP or TCP ports. Figure: 1. Network Traffic Analyzer Achitecture (ii.) Flow Reassembly: Netflow data can be used directly, but in case of packet captured data, we have to reassemble network flow. (iii.) Feature Extraction: This Module is responsible for features extraction from NetFlow data. The first class of features have been extracted from NetFlow data are based on flow sizes, which simply indicate the total number of bytes transferred in one direction between two endpoints for a particular flow. Flow size distributions of C&C servers are significantly different from benign servers because flows carrying botnet commands are preferred to be as short as possible in order to minimize their observable impact on network. Other important features are number of packets in each flow and duration of connection between two machines for that flow of network traffic. A NetFlow data have statistical measures. These are source and destination address, source and destination port numbers, duration of flow, size of flow, number of packets in each flow, protocol of communication etc. This module of model checks the results for different feature sets and return the feature set that has maximum accuracy and low run time for particular bot family. (iv.) Feature Analysis: After feature extraction, this module uses data classification algorithm to prepare model in training phase and detect the C&C traffic of botnet in detection phase. Naïve Bayes Classifier is used to classify the NetFlow data to detect botcloud. Simple Naïve Bayes Classifier is based on probability theory [9]. It is based on Bayesian theorm. It is best suited when the dimensionality of the inputs is high. It requires a small amount of training data for parameter estimation. Algorithm is shown in [Figure-2]. 48

5 International Journal of Computer Engineering and Applications, Volume IX, Issue VIII, August ISSN Learning Phase: Given a training dataset S = {D1,D2,,Dn} 1. For each class Ci = {C1,C2,,Ck} Calculate prior probability P(Ci) Store in prior probability table 2. For each class Ci = {C1,C2,,Ck} For each dataset Dj = {D1,D2,,Dn} Calculate conditional probability P(Dj/Ci) Store in conditional probability table Test Phase: Given a Testing dataset T = { D1,D2,,Dn} 1. Lookup prior and conditional probability tables 2. For each class Ci = {C1,C2,,Ck} For each dataset Dj = {D1,D2,,Dn} Calculate Prob = P(Dj/Ci)* P(Ci) Figure: 2. Naïve Bayes Algorithm [4] EXPERIMENTS Data has been downloaded from the CTU-13 dataset [18]. The CTU-13 is a dataset of botnet traffic that was captured in the CTU University, Czech Republic, in The advantage of using this dataset is that it is labeled dataset and capturing process conducted in controlled environment. The dataset consist different botnet sample data to have capture of normal traffic mixed with botnet traffic. These datasets are labeled netflow traffic data. Each flow has 14 attributes as shown in [Figure-3]. The dataset is divided into four text files with different sizes according to number of flows in each file. Figure: 3. Snapshot of Sample Dataset for Experiment Dataset is sampled into three text files with different number of instances and performed 4 experiment random trials on these 3 sample datasets. One sample dataset is used as a training data for classification model preparation and another is used as a testing dataset to test the performance of the model. [Table-1] represents the details of sample datasets for each experiment trial. Sushil Buriya, Dr. D.S. Bhilare, Amreesh Kumar Patel and Satyendra Singh Yadav 49

6 BOTNET BEHAVIOR ANALYSIS USING NAÏVE BAYES CLASSIFICATION ALGORITHM WITHOUT DEEP PACKET INSPECTION Table: 1. Sample Datasets for Experiment Name No. of Instances Class-I Class-II No. of Total Attributes Sample1.txt Normal Flow Sample2.txt Normal Flow Sample3.txt Normal Flow Botnet Activity Botnet Activity Botnet Activity In this experiment, 14 attributes are divided into 10 feature sets that may give the best results according to running time and accuracy. There are two basic parameters for performance analysis of traffic analyzer. One is the running time and another is accuracy. 10 different feature sets are analyzed using Naïve Bayes Classification algorithm that has been implemented using python scripting language. Different feature sets with attribute values are shown in [Table-2]. Table: 2. Different Feature Sets and their attributes Feature Set-1 (FS1) Feature Set-2 (FS2) Feature Set-3 (FS3) Feature Set-4 (FS4) Feature Set-5 (FS5) Feature Set-6 (FS6) Feature Set-7 (FS7) Feature Set-8 (FS8) Feature Set-9 (FS9) Feature Set-10 (FS10) Flow Duration, Flow Size, Protocol Flow Duration, Flow Size Flow Duration, Flow Size, No. Of Packets/Flow Flow Size, Protocol, No. Of Packets/Flow Flow Duration, Flow Size, Protocol, No. Of Packets/Flow Flow Duration, Flow Size, No. Of Packets/Flow, Source IP Flow Duration, Flow Size, Protocol, No. of Packets/Flow, Source IP Flow Size, No. Of Packets/Flow, Source IP Flow Duration, Protocol, No. Of Packets/Flow Flow Size, Protocol, No. Of Packets/Flow [5] RESULTS & DISCUSSIONS We use python to implement Naïve Bayes Classifier that prepares a classification model using one sample dataset as training data and test another sample dataset. In each experiment trial, program returns an accuracy of test dataset by comparing the estimated class label with actual class label. Accuracy is the ratio of correctly estimated instances with total number of instance in test dataset. [Table-3] shows the results of 4 trials in experiment for 10 feature sets. 50

7 International Journal of Computer Engineering and Applications, Volume IX, Issue VIII, August ISSN Table: 3. Experiment Results for accuracy Feature Set Trial-1 Trial-2 Trial-3 Trial-4 Average FS % 98.77% 98.88% 98.80% 98.81% FS % 98.77% 98.88% 98.80% 98.81% FS % 98.77% 98.87% 98.80% 98.81% FS % 98.79% 98.95% 98.82% 98.84% FS % 98.77% 98.88% 98.80% 98.81% FS % 97.04% 97.03% 97.45% 97.24% FS % 97.04% 97.03% 97.45% 97.24% FS % 97.05% 97.03% 97.47% 97.25% FS % 97.04% 96.86% 97.18% 97.13% FS % 98.77% 98.85% 98.79% 98.80% Observation FS4 has highest value of accuracy and FS1, FS2, FS3 and FS5 have almost same performance. FS6 and FS7 gives exactly same performance. Graph for average of accuracy of feature sets in experiment trials is displayed in [Figure-5]. Grapth displayed in [Figure-4] shows comparative performance of 4 trial for experiment. Figure: 4. Comparative Performance of 4 trials Result: Experiment has been performed successfully. Results from 4 trials shows that Feature Set 4 has highest accuracy in overall experiment. Attributes of feature set 4 are Flow Size, Protocol and Number of Packets/Flow. Experiment shows running time of traffic analyzer increases when number of attributes increases. Outcomes of experiment support that netflow traffic of C&C channels have potential to identify botnets using the Naïve Bayes Classifier with 3 attributes values flow size, number of packets per flow and protocol of communication without inspection of packet data. Sushil Buriya, Dr. D.S. Bhilare, Amreesh Kumar Patel and Satyendra Singh Yadav 51

8 BOTNET BEHAVIOR ANALYSIS USING NAÏVE BAYES CLASSIFICATION ALGORITHM WITHOUT DEEP PACKET INSPECTION Figure: 5. Average Accuracy Graph [6] CONCLUSION Botnet is the most dangerous cyber security issues among the diverse forms of cyber threats. Various automated botnet detection methods have been proposed. Botnet detection techniques that operate on network traffic require deep packet inspection for signature matching. Adoption of these techniques for cloud based botnets is undesirable due to large amount of network traffic. NetFlow data related to C&C channels can be a valuable resource for detecting member of bot family without inspecting the payloads. One prominent class of botnet detection relies on machine learning algorithms as a mean of identifying suspicious traffic. In this paper, Naïve Bayes classifier is used to analyze the netflow traffic to recognize unknown malicious patterns related to botnet C&C communication or botnet activity in netflow traffic of a network. It is identified that flow size, number of packets per flow and communication protocol are three attributes that differentiate botnet C&C traffic from other network traffic in netflow traffic. We have performed experiments using a supervised machine learning algorithm, Naïve Bayes Classifier to detect botnet activity using C&C NetFlow traffic between bots with 14 possible features attributes of netflow data. Outcomes of experiment support that netflow traffic of C&C channels have potential to identify botnets using the Naïve Bayes Classifier with 3 attributes values flow size, number of packets per flow and protocol of communication without inspection of packet data. REFERENCES [1] B. Saha and A, Gairola, Botnet: An overview, CERT-In White PaperCIWP , [2] Gianluca Stringhini et al., The Har vester, the Botmaster, and the Spammer: On the Relations between the Different Actors in the Spam Landscape, in ASIA CCS 14, June 4 6, 2014, Kyoto, Japan. 52

9 International Journal of Computer Engineering and Applications, Volume IX, Issue VIII, August ISSN [3] Hossein Rouhan Zeidanloo et al., A Taxonomy of Botnet Detection Techniques in 3rd IEEE International Conference on Computer Science and Information Technology (ICCSIT), Volume: 2, [4] Wenjie Lin and David Lee, Traceback Attacks in Cloud Pebbletrace Botnet, in 32nd International Conference on Distributed Computing Systems, pp: , June 18-21, 2012 [5] Hyunsang Choi et al., BotGAD: Detecting Botnets by Capturing Group Activities in Network Traffic, in COMSWARE, Dublin, Ireland, [6] Basil AsSadhan et al., Detecting Botnets using Command and Control Traffic, in Eighth IEEE International Symposium on Network Computing and Applications, MA, USA,2009. [7] David Mashburn, NetFlow collection and analysis using nfcapd, Python, and Splunk in the SANS Institute Reading Room, [8] Livadas C. et al. Usilng Machine Learning Technliques to Identify Botnet Traffic in 31st IEEE Conference on Local Computer Networks, Tampa, FL, [9] [10] S. S. Silva, R. M. Silva, R. C. Pinto, and R. M. Salles, Botnets: A survey, Computer Networks, vol. 57, no. 2, pp , [11] M. Stevanovic and J. Pedersen, Machine learning for identifying botnet network traffic, Aalborg University, Tech. Rep., [12] W. T. Strayer, D. Lapsely, R. Walsh, and C. Livadas, Botnet detection based on network behaviour, in Botnet Detection, ser. Advances in Information Security, W. Lee, C. Wang, and D. Dagon, Eds. Springer, 2008, vol. 36, pp [13] Florian Tegeler et al., BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection, in Co-NEXT 12, December 10-13, 2012, Nice, France. [14] Leyla Bilge et al., DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis, in ACSAC 12 Dec. 3-7, 2012, Orlando, Florida, USA. [15] Fariba Haddadi et al., On Botnet Behavior Analysis using GP and C4.5, in GECCO 14, July 12 16, Vancouver, BC, Canada, [16] Sherif Saad et al., Detecting P2P Botnets through Network Behavior Analysis and Machine Learning, in Ninth Annual International Conference on Privacy, Security and Trust, Montreal, QC, Canada, [17] Matija Stevanovic et al. An efficient flow-based botnet detection using supervised machine learning, in ICNC-2014, Honolulu, HI, [18] Sebastian Garcia, Martin Grill, Honza Stiborek and Alejandro Zunino, "An empirical comparison of botnet detection methods" in Computers and Security Journal, Elsevier,Vol 45, pp , Sushil Buriya, Dr. D.S. Bhilare, Amreesh Kumar Patel and Satyendra Singh Yadav 53

10 BOTNET BEHAVIOR ANALYSIS USING NAÏVE BAYES CLASSIFICATION ALGORITHM WITHOUT DEEP PACKET INSPECTION Author[s] brief Introduction 1. Sushil Buriya M.Tech. Student, School of Computer Science &IT, DAVV, Indore 2. Dr. D.S. Bhilare Professor, School of Computer Science & IT, DAVV, Indore 3. Amreesh Kumar Patel M.Tech. Student, School of Computer Science &IT, DAVV, Indore 4. Satyendra Singh Yadav M.Tech. Student, School of Computer Science &IT, DAVV, Indore 54