Journal of Networks, Vol 6, No 12 (2011), 1655-1661, Dec 2011
doi:10.4304/jnw.6.12.1655-1661

Botnet Detection Architecture Based on Heterogeneous Multi-sensor Information Fusion

HaiLong Wang, Jie Hou, ZhengHu Gong

Abstract

As technology develops rapidly, botnet threats to the global cyber community are also increasing, and botnet detection has recently become a major research topic in the field of network security. Most current detection approaches work only on evidence from a single information source, which cannot hold all the traces of a botnet and can hardly achieve high accuracy. In this paper, a novel botnet detection architecture based on heterogeneous multi-sensor information fusion is proposed. The architecture is designed to carry out information integration at three fusion levels: data, feature, and decision. As the core component, a feature extraction module is also elaborately designed, and an extended algorithm of Dempster-Shafer (D-S) theory is proved and adopted in decision fusion. Furthermore, a representative case is provided to illustrate that the detection architecture can effectively fuse the complicated information from various sensors and thus achieve a better detection effect.

Keywords

botnet, botnet detection, network security, information fusion, D-S theory
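As an added illustration, not the paper's own extended D-S algorithm (which the abstract does not reproduce), the Python below applies the standard Dempster rule of combination to fuse two hypothetical sensors' verdicts about a host over the frame {bot, benign}, returning belief, plausibility and the conflict mass K that a decision-fusion level has to watch; the sensor names and mass values are constructed.

```python
"""Dempster's rule of combination for two-sensor botnet decision fusion.

Added example (assumption: standard Dempster rule, not the paper's extended
algorithm). Frame of discernment is {bot, benign}; each sensor reports a
mass function over subsets of the frame.
"""
from itertools import product

BOT, BENIGN = "bot", "benign"
THETA = frozenset({BOT, BENIGN})        # whole frame = "sensor cannot tell"


def combine(m1, m2):
    """Fuse two mass functions (dict: frozenset -> mass) with Dempster's rule.

    Returns (fused_mass, K); K is the mass landing on disjoint focal-element
    pairs, i.e. how much the two sensors contradict each other.
    """
    fused, k = {}, 0.0
    for (a, ma), (b, mb) in product(m1.items(), m2.items()):
        inter = a & b
        if inter:
            fused[inter] = fused.get(inter, 0.0) + ma * mb
        else:
            k += ma * mb                 # evidence that cannot be reconciled
    if k >= 1.0 - 1e-12:
        raise ValueError("sensors are in total conflict; nothing to fuse")
    return {s: v / (1.0 - k) for s, v in fused.items()}, k


def belief(m, hyp):
    """Bel(hyp): total mass of focal elements contained in hyp."""
    return sum(v for s, v in m.items() if s <= hyp)


def plausibility(m, hyp):
    """Pl(hyp): total mass of focal elements that intersect hyp."""
    return sum(v for s, v in m.items() if s & hyp)


def fuse_sensors(reports):
    """Fold any number of sensor reports into one decision.

    Returns (fused_mass, Bel(bot), Pl(bot), largest conflict K seen).
    """
    fused, worst_k = reports[0], 0.0
    for m in reports[1:]:
        fused, k = combine(fused, m)
        worst_k = max(worst_k, k)
    bot = frozenset({BOT})
    return fused, belief(fused, bot), plausibility(fused, bot), worst_k


# Constructed sample reports from two hypothetical sensors (not from the paper).
DNS_SENSOR = {frozenset({BOT}): 0.6, frozenset({BENIGN}): 0.1, THETA: 0.3}
IDS_SENSOR = {frozenset({BOT}): 0.5, frozenset({BENIGN}): 0.2, THETA: 0.3}
```

A large K means the sensors disagree and the normalised result should be treated with caution rather than trusted because it sums to one.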




Journal of Networks (JNW, ISSN 1796-2056)