Research On Botnet Detection

Posted on: 2023-01-07 | Degree: Master | Type: Thesis
Country: China | Candidate: Z L Yang | Full Text: PDF
GTID: 2568306911981659 | Subject: Information security

Abstract/Summary:
A botnet is a network composed of many hosts controlled by malicious attackers. Using botnets, attackers can organize various large-scale malicious attacks and can also provide technical support for the illegal parts of the Internet. The detection and defense of botnets has always been a hot topic. The first step in preventing botnets is to detect active botnets. However, as botnet controllers keep improving their bot programs alongside the development of network security technology, botnet detection is becoming more and more difficult. On the one hand, the lack of an efficient feature extraction scheme makes botnet traffic hard to detect: existing feature extraction schemes struggle to extract features that accurately describe botnet behavior, which results in insufficient distinction between botnet traffic and normal network traffic. On the other hand, the room for improving the botnet detection model itself is limited, and it is difficult to improve detection accuracy merely by building a more complex model.

This paper discusses the development of botnet detection technology, summarizes the general methods for detecting botnet traffic, and proposes a combined botnet traffic feature extraction method to address the problems of existing detection schemes. We extract features of the time window and of the TCP session context respectively, train and test a variety of machine learning models on them, and finally choose a random forest model based on the time window features and an RNN model based on the TCP session features to build a composite classifier. The main work of this paper is as follows:

(1) We propose a feature extraction scheme based on TCP session context. Because most applications use TCP connections to transmit data, features of a TCP session can describe the network behavior of a program. Since a single network behavior of an application generates multiple data streams, TCP sessions are context sensitive. Therefore, this paper proposes a botnet detection scheme based on features of the TCP session context. We select a series of features based on TCP sessions, determine the appropriate context window experimentally, and use a variety of traditional machine learning classifiers on the CTU-13 and ISCX-VPN datasets to test the effect of this feature extraction scheme. The experiments show that the accuracy of a decision tree model based on this feature extraction method exceeds 95%.

(2) We build an RNN classifier based on TCP session context features. An RNN can process time-related data, and the network behavior of a bot also shows time correlation, so we build the RNN classifier on the TCP session features. We again use the CTU-13 and ISCX-VPN datasets to test the RNN classifier; experiments show that the accuracy of the RNN classifier based on TCP session features exceeds 97%.

(3) We build a composite classifier based on time window features and TCP session context features. The RNN classifier based on TCP session features can detect the network behavior of botnet programs whose communication protocol is TCP, but it cannot detect network traffic below the network layer or traffic using the UDP protocol. We select the random forest classifier based on time window statistical features to fill this gap. We test the random forest classifier on the CTU-13 and ISCX-VPN datasets; its accuracy exceeds 95%. We then use the random forest classifier and the RNN classifier to construct a composite classifier. Tested on the CTU-13 and ISCX-VPN datasets, its accuracy exceeds 98%. We also test the model's ability to detect unknown botnets on the ISCX-Botnet dataset. The experiment shows that the model can identify the communication behavior of the botnet, and that its detection accuracy is better than that of the botnet detection scheme based on traffic summaries. The composite model can detect botnet traffic that did not appear in the training set.

This paper summarizes the development history of botnets and the general methods of botnet detection schemes, and then proposes a composite classifier based on a random forest model and an RNN model. At the end, I discuss the advantages and disadvantages of this scheme and make suggestions for the future development of botnet detection schemes.
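As an added illustration (not the thesis's code), the sketch below builds the two feature views the abstract describes, per-host time-window statistics and sliding windows of consecutive TCP sessions, and shows how the composite decision lets the time-window model cover a host whose traffic is UDP only. The flow records, the concrete features, the context size k=3, the OR fusion rule and the two rule-based stand-ins for the trained random forest and RNN are all assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow records (not from the thesis): (ts_s, src, dst, dport, proto, bytes, pkts)
FLOWS = [
    (0.0, "10.0.0.5", "198.51.100.7", 6667, "tcp", 320, 6),
    (5.0, "10.0.0.5", "198.51.100.7", 6667, "tcp", 290, 5),
    (11.0, "10.0.0.5", "198.51.100.7", 6667, "tcp", 310, 6),
    (17.0, "10.0.0.5", "198.51.100.9", 80, "tcp", 300, 5),
    (20.0, "10.0.0.5", "203.0.113.3", 53, "udp", 90, 2),
    (3.0, "10.0.0.8", "192.0.2.10", 443, "tcp", 15000, 40),
    (70.0, "10.0.0.8", "192.0.2.11", 443, "tcp", 9800, 25),
    (1.0, "10.0.0.9", "203.0.113.4", 9999, "udp", 100, 1),
    (4.0, "10.0.0.9", "203.0.113.4", 9999, "udp", 100, 1),
    (7.0, "10.0.0.9", "203.0.113.4", 9999, "udp", 100, 1),
]

def time_window_features(flows, src, window=60.0):
    """Per-host statistics per fixed time window; protocol-agnostic, so UDP flows count too."""
    buckets = defaultdict(list)
    for f in flows:
        if f[1] == src:
            buckets[int(f[0] // window)].append(f)
    return [{
        "flows": len(fl),
        "distinct_dst": len({f[2] for f in fl}),
        "mean_bytes": mean(f[5] for f in fl),
        "udp_ratio": sum(f[4] == "udp" for f in fl) / len(fl),
    } for _, fl in sorted(buckets.items())]

def tcp_session_context(flows, src, k=3):
    """Sliding windows of k consecutive TCP sessions (bytes, pkts, dport) of one host; k=3 is assumed."""
    sessions = sorted((f for f in flows if f[1] == src and f[4] == "tcp"), key=lambda f: f[0])
    vecs = [(f[5], f[6], f[3]) for f in sessions]
    return [vecs[i:i + k] for i in range(len(vecs) - k + 1)]

# Stand-ins for the trained random forest and RNN (assumed rules, not the thesis's models):
def rf_stub(v):  # several small flows inside one window
    return v["flows"] >= 3 and v["mean_bytes"] < 1000
def rnn_stub(ctx):  # one port, near-constant payload size across the context: beacon-like
    ports = {p for _, _, p in ctx}
    sizes = [b for b, _, _ in ctx]
    return len(ports) == 1 and max(sizes) - min(sizes) < 50

def composite_decision(flows, src, rf=rf_stub, rnn=rnn_stub):
    """OR-fusion (assumed; the abstract does not state the rule): the RNN only sees TCP
    contexts, so a host with only UDP traffic is judged by the time-window model alone."""
    tw_hit = any(rf(v) for v in time_window_features(flows, src))
    ctx_hit = any(rnn(c) for c in tcp_session_context(flows, src))
    return tw_hit or ctx_hit
```

Host 10.0.0.9 produces no TCP context at all, so only the time-window branch can flag it; that is the gap the abstract's random forest is chosen to fill.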
Keywords/Search Tags: Botnet, Traffic Identification, Machine Learning, TCP Session, Feature Extraction