Botnets have become one of the most serious threats to network infrastructure: they launch Distributed Denial of Service (DDoS) attacks, steal user information and device data, and carry out many other malicious activities. Although a large variety of detection methods have been proposed for traffic from different phases of the botnet lifecycle, existing work detects only a single phase, and relying on a single detection model can raise the false positive rate. A reasonable combination of multiple detection models, together with fine-grained detection of traffic from multiple botnet phases, is therefore a critical concern. This paper proposes a flow-based hybrid botnet detection method, supported by the National Key R&D Program of China project "Identity-based Trusted Protocol and Malicious Communication Monitoring Method" (No. 2018YFA0701604). The detection system is deployed at the network entrance, detects online the traffic of multiple botnets in both the waiting stage and the malicious activity stage, and provides an interface to a network behaviour knowledge base. It achieves a malicious traffic detection rate of 98.61%. The main work of this paper is as follows.

1) Construction of botnet traffic datasets for the waiting stage and the malicious activity stage. Five botnets (Ares, BYOB, IRC-Botnet, Zeus and Mirai) were simulated in a virtual machine cluster configured with ESXi, and their traffic in the waiting phase and the malicious activity phase was collected and labelled at fine granularity. The botnet traffic was mixed with normal traffic generated by a simulated 5G scenario. Using the five-tuple information of the packets, the dataset was modelled on the long-term behavioural characteristics of botnet traffic, and flow-level features of the bidirectional flows were extracted.

2) Construction of the botnet traffic feature set. The collected dataset was fed separately into Random Forest, Extra Trees, GBDT, XGBoost and the Boruta algorithm for feature selection, and into Kendall correlation analysis for correlation-based selection, yielding six feature sets; a filtering strategy then produced an important feature set of 19 features and a less important feature set of 41 features. In addition, analysis of botnet traffic behaviour in the waiting stage and the malicious activity stage was used to extract typical botnet features, which supplement the less important feature set and improve the detection performance of the system.

3) Construction and validation of online botnet detection models. Stacking ensemble learning was used to combine multiple neural network models: different input feature sets were supplied to different primary classifiers, and the multi-class online botnet detection model was obtained with 10-fold cross-validation, so that the detection strengths of the individual classifier algorithms are combined and the detection capability of the system is improved. The resulting model was deployed at network entrances for online detection, and the detection results were fed back to the network traffic behaviour knowledge base to strengthen the extrapolation of traffic behaviour features and the tracing of malicious botnet behaviour.

Experiments show that the proposed online detection model effectively detects botnet traffic of the waiting stage and the malicious activity stage under time windows of 20 s, 30 s, 60 s, 120 s, 180 s and 240 s. Among them, 60 s is the optimal window, at which the malicious traffic detection rate reaches 98.61%.
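The flow modelling step of point 1) (bidirectional flows keyed on the packet five-tuple, with flow-level features computed per time window) can be illustrated as follows. This is an added example, not code from the paper or its detection system. The packet records are constructed inline, and the feature names, the lexicographic endpoint ordering used to decide which direction is "forward", and the 60 s window value are assumptions of the example.

```python
"""Bidirectional flow features from packet five-tuples, per fixed time window.

Added example (not from the paper). Feature names, the endpoint ordering used
to canonicalize direction and the 60 s window are assumptions of this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str     # "tcp" or "udp"
    length: int    # bytes on the wire


def flow_key(p: Packet):
    """Canonical bidirectional key plus a direction flag.

    Both directions of a conversation map to the same key; the (addr, port)
    pair that sorts first is treated as the 'forward' endpoint (assumption).
    """
    a, b = (p.src, p.sport), (p.dst, p.dport)
    if a <= b:
        return (a, b, p.proto), True
    return (b, a, p.proto), False


def _iat_stats(ts):
    """Mean and population std of inter-arrival times (0.0 when < 2 packets)."""
    iat = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return (mean(iat), pstdev(iat)) if iat else (0.0, 0.0)


def extract_flows(packets, window=60.0):
    """Map (window index, flow key) -> dict of flow-level features."""
    buckets = defaultdict(list)
    for p in packets:
        key, fwd = flow_key(p)
        buckets[(int(p.ts // window), key)].append((p, fwd))

    feats = {}
    for bucket, items in buckets.items():
        items.sort(key=lambda it: it[0].ts)
        all_ts = [p.ts for p, _ in items]
        fwd_ts = [p.ts for p, f in items if f]
        fwd_len = [p.length for p, f in items if f]
        bwd_len = [p.length for p, f in items if not f]
        mean_iat, std_iat = _iat_stats(all_ts)
        fwd_mean_iat, fwd_std_iat = _iat_stats(fwd_ts)
        feats[bucket] = {
            "duration": all_ts[-1] - all_ts[0],
            "fwd_pkts": len(fwd_len),
            "bwd_pkts": len(bwd_len),
            "fwd_bytes": sum(fwd_len),
            "bwd_bytes": sum(bwd_len),
            "mean_pkt_len": mean(fwd_len + bwd_len),
            "mean_iat": mean_iat,
            "std_iat": std_iat,
            # Forward-only timing: a bot polling its C&C at a fixed interval
            # shows a near-zero std here even when the replies jitter.
            "fwd_mean_iat": fwd_mean_iat,
            "fwd_std_iat": fwd_std_iat,
        }
    return feats


def build_sample():
    """Constructed packets (not real captures): one host beaconing to port
    6667 every 10 s for 120 s, plus a short TLS burst from another host."""
    pkts = []
    for i in range(12):
        t = i * 10.0
        pkts.append(Packet(t, "10.0.0.5", "203.0.113.7", 40000, 6667, "tcp", 64))
        pkts.append(Packet(t + 0.2, "203.0.113.7", "10.0.0.5", 6667, 40000, "tcp", 80))
    for i in range(3):
        t = 5.0 + i * 0.01
        pkts.append(Packet(t, "10.0.0.9", "198.51.100.2", 51000, 443, "tcp", 600))
        pkts.append(Packet(t + 0.005, "198.51.100.2", "10.0.0.9", 443, 51000, "tcp", 1400))
    return pkts


SAMPLE_PACKETS = build_sample()

if __name__ == "__main__":
    for (win, key), f in sorted(extract_flows(SAMPLE_PACKETS).items()):
        print(win, key, f)
```

With a 60 s window the beaconing conversation yields two flow records (windows 0 and 1), each with six forward packets spaced exactly 10 s apart, which is the kind of long-term timing regularity that distinguishes a waiting-stage bot from the bursty TLS flow in the same window.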
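The feature-set construction of point 2) (several selectors each ranking the flow features, a filtering strategy that splits them into an important and a less important set, and a Kendall correlation check) is illustrated below. This is an added example, not the paper's code, and the paper does not state its filtering strategy: the vote rule used here (a feature is "important" when it appears in the top-k of at least `min_votes` selectors) and the use of Kendall tau to prune redundant pairs above a threshold are assumptions. The selector rankings and the feature matrix are constructed stand-ins for the outputs of the fitted models.

```python
"""Building important / less-important feature sets from several selectors.

Added example (not from the paper). The vote rule and the Kendall-tau pruning
threshold are assumptions; rankings and the feature matrix are constructed.
"""
from collections import Counter
from math import sqrt


def kendall_tau(x, y):
    """Kendall tau-b between two equally long sequences (handles ties)."""
    n = len(x)
    n0 = n * (n - 1) // 2
    conc = disc = ties_x = ties_y = 0
    for i in range(n):
        for j in range(i + 1, n):
            dx = (x[i] > x[j]) - (x[i] < x[j])
            dy = (y[i] > y[j]) - (y[i] < y[j])
            if dx == 0:
                ties_x += 1
            if dy == 0:
                ties_y += 1
            if dx * dy > 0:
                conc += 1
            elif dx * dy < 0:
                disc += 1
    denom = sqrt((n0 - ties_x) * (n0 - ties_y))
    return (conc - disc) / denom if denom else 0.0


def vote_feature_sets(rankings, top_k, min_votes):
    """Split features by how many selectors rank them in their top_k.

    rankings: {selector_name: [feature, ...] ordered best first}.
    Returns (important, less_important), each ordered by votes then name.
    Assumption: 'important' = top_k of at least min_votes selectors,
    'less important' = top_k of at least one selector but fewer than min_votes.
    """
    votes = Counter()
    for ranked in rankings.values():
        votes.update(ranked[:top_k])
    ordered = sorted(votes, key=lambda f: (-votes[f], f))
    important = [f for f in ordered if votes[f] >= min_votes]
    less = [f for f in ordered if votes[f] < min_votes]
    return important, less


def drop_correlated(matrix, names, threshold):
    """Greedy redundancy filter: keep a feature only if |tau| with every
    already-kept feature is below threshold (names are scanned in order)."""
    kept = []
    for name in names:
        if all(abs(kendall_tau(matrix[name], matrix[k])) < threshold for k in kept):
            kept.append(name)
    return kept


# Constructed per-flow feature columns (six flows); fwd_bytes is exactly
# 64 * fwd_pkts, so the two columns carry the same ranking information.
SAMPLE_MATRIX = {
    "fwd_mean_iat": [10.0, 10.0, 10.0, 0.3, 10.0, 0.01],
    "fwd_std_iat": [0.0, 0.0, 0.0, 2.1, 0.0, 0.4],
    "fwd_pkts": [6, 5, 7, 3, 6, 2],
    "fwd_bytes": [384, 320, 448, 192, 384, 128],
    "mean_pkt_len": [64, 900, 64, 70, 1200, 64],
}

# Constructed importance rankings standing in for the selectors named in
# the paper; in practice each would come from the fitted model.
SAMPLE_RANKINGS = {
    "random_forest": ["fwd_std_iat", "fwd_mean_iat", "fwd_pkts", "fwd_bytes", "mean_pkt_len"],
    "xgboost": ["fwd_mean_iat", "fwd_std_iat", "fwd_bytes", "fwd_pkts", "mean_pkt_len"],
    "boruta": ["fwd_std_iat", "fwd_mean_iat", "mean_pkt_len"],
}


def build_feature_sets(matrix=SAMPLE_MATRIX, rankings=SAMPLE_RANKINGS,
                       top_k=3, min_votes=2, threshold=0.8):
    """Vote, then prune the less important set for redundant features."""
    important, less = vote_feature_sets(rankings, top_k, min_votes)
    return important, drop_correlated(matrix, less, threshold)


if __name__ == "__main__":
    print(build_feature_sets())
```

On the constructed data the two timing features are voted important by all three selectors, while `fwd_pkts` is dropped from the less important set because its Kendall tau with `fwd_bytes` is 1.0; a second feature that merely re-ranks the same flows adds nothing to a tree-based classifier but does inflate the feature set.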