Title: | Behavior-based botnet detection in parallel |
Authors: | Wang, Kuochen; Huang, Chun-Ying; Tsai, Li-Yang; Lin, Ying-Dar; Department of Computer Science |
Keywords: | anomaly detection;behavior-based;botnet detection;cloud computing;fuzzy pattern recognition;parallel process |
Issue Date: | 1-Nov-2014 |
Abstract: | Botnets have become a major Internet security issue in recent years. Although signature-based solutions are accurate, they cannot detect bot variants in real time. In this paper, we propose behavior-based botnet detection in parallel (BBDP). BBDP adopts a fuzzy pattern recognition approach to detect bots. It detects a bot based on anomalous behavior in domain name service (DNS) queries and transmission control protocol (TCP) requests. With the design objectives of being efficient and accurate, a bot is detected using the proposed five-stage process: (i) traffic reduction, which shrinks an input trace by deleting unnecessary packets; (ii) feature extraction, which extracts features from the shrunk trace; (iii) data partitioning, which divides the features into smaller pieces; (iv) the DNS detection phase, which detects bots based on DNS features; and (v) the TCP detection phase, which detects bots based on TCP features. The detection phases, which consume approximately 90% of the total detection time, can be dispatched to multiple servers in parallel to perform detection in real time. Large-scale experiments with the Windows Azure cloud service show that BBDP achieves a high true positive rate (95%+) and a low false positive rate (approximately 3%). The experiments also show that the performance of BBDP scales up linearly with the number of servers used to detect bots. Copyright (c) 2013 John Wiley & Sons, Ltd. |
URI: | http://dx.doi.org/10.1002/sec.898 http://hdl.handle.net/11536/123955 |
ISSN: | 1939-0114 |
DOI: | 10.1002/sec.898 |
Journal: | SECURITY AND COMMUNICATION NETWORKS |
Volume: | 7 |
Issue: | 11 |
Start page: | 1849 |
End page: | 1859 |
Appears in Collections: | Articles |