Effective bot host detection based on network failure models

Chun-Ying Huang*

*Corresponding author for this work

Research output: Contribution to journalArticle

21 Scopus citations

Abstract

Botnet is one of the most notorious threats to Internet users. Attackers intrude into a large group of computers, install remote-controllable software, and then ask the compromised computers to launch large-scale Internet attacks, including sending spam and DDoS attacks. From the perspective of network administrators, it is important to identify bots in local networks. Bots residing in a local network could increase the difficulty to manage the network. Compared with bots outside of a local network, inside bots can easily bypass access controls applied to outsiders and access resources restricted to local users. In this paper, we propose an effective solution to detect bot hosts within a monitored local network. Based on our observations, a bot often has a differentiable failure pattern because of the botnet-distributed design and implementation. Hence, by monitoring failures generated by a single host for a short period, it is possible to determine whether the host is a bot or not by using a well-trained model. The proposed solution does not rely on aggregated network information, and therefore, works independent of network size. Our experiments show that the failure patterns among normal traffic, peer-to-peer traffic, and botnet traffic can be classified accurately. In addition to the ability to detect bot variants, the classification model can be retrained systematically to improve the detection ability for new bots. The evaluation results show that the proposed solution can detect bot hosts with more than 99% accuracy, whereas the false positive rate is lower than 0.5%.

Original languageEnglish
Pages (from-to)514-525
Number of pages12
JournalComputer Networks
Volume57
Issue number2
DOIs
StatePublished - 4 Feb 2013

Keywords

  • Botnet
  • Network failure model
  • Network management
  • Network security

Fingerprint Dive into the research topics of 'Effective bot host detection based on network failure models'. Together they form a unique fingerprint.

Cite this