The Forward-Backward String: a New Robust Feature for Botnet Detection

Abstract

We introduce the forward-backward string as a new feature which is robust against variation over payload length, the inter-arrival time of packets, and the number of packets within a flow. It represents an abstract activity of a host within a flow. The forward-backward string is packet-oriented and does not rely on payload size, the content of header and the interarrival time of packets. We use real-world botnet data to evaluate the performance of our new feature with some existing works. The experimental results show that the forward-backward string boosts the accuracy of existing works up to 5%. We further examine the robustness of the new feature against packet and flow level noise. The forward-backward string not only increases the accuracy but also enhances the robustness of the prior works.