Benchmark-Based Reference Model for Evaluating Botnet Detection Tools Driven by Traffic-Flow Analytics


Bibliographic Details
Main Authors: Katherinne Shirley Huancayo Ramos (Faculty of Engineering and Architecture, Universidad de Lima, Avenida Javier Prado Este, 4600 Lima 33, Peru); Marco Antonio Sotelo Monge (Faculty of Engineering and Architecture, Universidad de Lima, Avenida Javier Prado Este, 4600 Lima 33, Peru); Jorge Maestre Vidal (Indra, Digital Labs, Av. de Bruselas, 35, Alcobendas, 28108 Madrid, Spain)
Format: Article
Language: English
Published: MDPI AG 2020-08-01
Series: Sensors, volume 20, issue 16, article 4501
ISSN: 1424-8220
DOI: 10.3390/s20164501
Subjects: botnet; deep learning; graph mining; malware detection; machine learning; traffic-flow
Online Access: https://www.mdpi.com/1424-8220/20/16/4501
Record: doaj.art-071a93476a8a403b921c5446e0cde87b (Directory of Open Access Journals)

Description:
Botnets are some of the most recurrent cyber-threats; they take advantage of the wide heterogeneity of endpoint devices at the Edge of emerging communication environments to enable the malicious enforcement of fraud and other adversarial tactics, including malware, data leaks or denial of service. There have been significant research advances in the development of accurate botnet detection methods underpinned by supervised analysis, but assessing the accuracy and performance of such detection methods requires a clear evaluation model in the pursuit of enforcing proper defensive strategies. In order to contribute to the mitigation of botnets, this paper introduces a novel evaluation scheme grounded in supervised machine learning algorithms that enable the detection and discrimination of different botnet families in real operational environments. The proposal relies on observing, understanding and inferring the behavior of each botnet family based on network indicators measured at flow level. The assumed evaluation methodology contemplates six phases that allow building a detection model against botnet-related malware distributed through the network, for which five supervised classifiers were instantiated for further comparison: Decision Tree, Random Forest, Naive Bayes Gaussian, Support Vector Machine and K-Neighbors. The experimental validation was performed on two public datasets of real botnet traffic: CIC-AWS-2018 and ISOT HTTP Botnet. Given the heterogeneity of the datasets, optimizing the analysis with the Grid Search algorithm led to improved classification results for the instantiated algorithms. An exhaustive evaluation was carried out demonstrating the adequateness of our proposal, which showed that Random Forest and Decision Tree models are the most suitable for detecting different botnet specimens among the chosen algorithms. They exhibited higher precision rates whilst analyzing a large number of samples with less processing time. The variety of testing scenarios was thoroughly assessed and reported to set baseline results for future benchmark analysis targeted on flow-based behavioral patterns.