9 articles found
Review: Botnet detection techniques: review, future trends, and issue (cited by: 4)
1
Authors: Ahmad KARIM, Rosli Bin SALLEH, Muhammad SHIRAZ, Syed Adeel Ali SHAH, Irfan AWAN, Nor Badrul ANUAR. Journal of Zhejiang University-Science C (Computers and Electronics). SCIE, EI. 2014, Issue 11, pp. 943-983, 41 pages in total.
In recent years, the Internet has enabled access to widespread remote services in the distributed computing environment; however, integrity of data transmission in the distributed computing platform is hindered by a number of security issues. For instance, the botnet phenomenon is a prominent threat to Internet security, including the threat of malicious codes. The botnet phenomenon supports a wide range of criminal activities, including distributed denial of service (DDoS) attacks, click fraud, phishing, malware distribution, spam emails, and building machines for illegitimate exchange of information/materials. Therefore, it is imperative to design and develop a robust mechanism for improving the botnet detection, analysis, and removal process. Currently, botnet detection techniques have been reviewed in different ways; however, such studies are limited in scope and lack discussions on the latest botnet detection techniques. This paper presents a comprehensive review of the latest state-of-the-art techniques for botnet detection and figures out the trends of previous and current research. It provides a thematic taxonomy for the classification of botnet detection techniques and highlights the implications and critical aspects by qualitatively analyzing such techniques. Related to our comprehensive review, we highlight future directions for improving the schemes that broadly span the entire botnet detection research field and identify the persistent and prominent research challenges that remain open.
Keywords: botnet detection; Anomaly detection; Network security; ATTACK; DEFENSE; TAXONOMY
BotGuard: Lightweight Real-Time Botnet Detection in Software Defined Networks
2
Authors: CHEN Jing, CHENG Xi, DU Ruiying, HU Li, WANG Chiheng. Wuhan University Journal of Natural Sciences. CAS, CSCD. 2017, Issue 2, pp. 103-113, 11 pages in total.
The distributed detection of botnets may induce heavy computation and communication costs to network devices. Each device in related scheme only has a regional view of Internet, so it is hard to detect botnet comprehensively. In this paper, we propose a lightweight real-time botnet detection framework called BotGuard, which uses the global landscape and flexible configurability of software defined network (SDN) to identify botnets promptly. SDN, as a new network framework, can make centralized control in botnet detection, but there are still some challenges in such detections. We give a convex lens imaging graph (CLI-graph) to depict the topology characteristics of botnet, which allows SDN controller to locate attacks separately and mitigate the burden of network devices. The theoretical and experimental results prove that our scheme is capable of timely botnet detecting in SDNs with the accuracy higher than 90% and the delay less than 56 ms.
Keywords: botnet detection; software defined network; graph theory
BotSward: Centrality Measures for Graph-Based Bot Detection Using Machine Learning
3
Authors: Khlood Shinan, Khalid Alsubhi, M. Usman Ashraf. Computers, Materials & Continua. SCIE, EI. 2023, Issue 1, pp. 693-714, 22 pages in total.
The number of botnet malware attacks on Internet devices has grown at an equivalent rate to the number of Internet devices that are connected to the Internet. Bot detection using machine learning (ML) with flow-based features has been extensively studied in the literature. Existing flow-based detection methods involve significant computational overhead that does not completely capture network communication patterns that might reveal other features of malicious hosts. Recently, Graph-Based Bot Detection methods using ML have gained attention to overcome these limitations, as graphs provide a real representation of network communications. The purpose of this study is to build a botnet malware detection system utilizing centrality measures for graph-based botnet detection and ML. We propose BotSward, a graph-based bot detection system that is based on ML. We apply the efficient centrality measures, which are Closeness Centrality (CC), Degree Centrality (CC), and PageRank (PR), and compare them with others used in the state-of-the-art. The efficiency of the proposed method is verified on the available Czech Technical University 13 dataset (CTU-13). The CTU-13 dataset contains 13 real botnet traffic scenarios that are connected to a command-and-control (C&C) channel and that cause malicious actions such as phishing, distributed denial-of-service (DDoS) attacks, spam attacks, etc. BotSward is robust to zero-day attacks, suitable for large-scale datasets, and is intended to produce better accuracy than state-of-the-art techniques. The proposed BotSward solution achieved 99% accuracy in botnet attack detection with a false positive rate as low as 0.0001%.
Keywords: Network security; botnet detection; graph-based features; machine learning; measure centrality
IoT Smart Devices Risk Assessment Model Using Fuzzy Logic and PSO
4
Authors: Ashraf S. Mashaleh, Noor Farizah Binti Ibrahim, Mohammad Alauthman, Mohammad Almseidin, Amjad Gawanmeh. Computers, Materials & Continua. SCIE, EI. 2024, Issue 2, pp. 2245-2267, 23 pages in total.
Increasing Internet of Things (IoT) device connectivity makes botnet attacks more dangerous, carrying catastrophic hazards. As IoT botnets evolve, their dynamic and multifaceted nature hampers conventional detection methods. This paper proposes a risk assessment framework based on fuzzy logic and Particle Swarm Optimization (PSO) to address the risks associated with IoT botnets. Fuzzy logic addresses IoT threat uncertainties and ambiguities methodically. Fuzzy component settings are optimized using PSO to improve accuracy. The methodology allows for more complex thinking by transitioning from binary to continuous assessment. Instead of expert inputs, PSO data-driven tunes rules and membership functions. This study presents a complete IoT botnet risk assessment system. The methodology helps security teams allocate resources by categorizing threats as high, medium, or low severity. This study shows how CICIoT2023 can assess cyber risks. Our research has implications beyond detection, as it provides a proactive approach to risk management and promotes the development of more secure IoT environments.
Keywords: IoT botnet detection; risk assessment; fuzzy logic; particle swarm optimization (PSO); CYBERSECURITY; interconnected devices
Double DQN Method For Botnet Traffic Detection System
5
Authors: Yutao Hu, Yuntao Zhao, Yongxin Feng, Xiangyu Ma. Computers, Materials & Continua. SCIE, EI. 2024, Issue 4, pp. 509-530, 22 pages in total.
In the face of the increasingly severe Botnet problem on the Internet, how to effectively detect Botnet traffic in real time has become a critical problem. Although the existing deep Q network (DQN) algorithm in Deep reinforcement learning can solve the problem of real-time updating, its prediction results are always higher than the actual results. In Botnet traffic detection, although it performs well in the training set, the accuracy rate of predicting traffic is as high as%; however, in the test set, its accuracy has declined, and it is impossible to adjust its prediction strategy on time based on new data samples. However, in the new dataset, its accuracy has declined significantly. Therefore, this paper proposes a Botnet traffic detection system based on double-layer DQN (DDQN). Two Q-values are designed to adjust the model in policy and action, respectively, to achieve real-time model updates and improve the universality and robustness of the model under different data sets. Experiments show that compared with the DQN model, when using DDQN, the Q-value is not too high, and the detection model has improved the accuracy and precision of Botnet traffic. Moreover, when using Botnet data sets other than the test set, the accuracy and precision of the DDQN model are still higher than DQN.
Keywords: DQN; DDQN; deep reinforcement learning; botnet detection; feature classification
A Learning Model to Detect Android C&C Applications Using Hybrid Analysis
6
Authors: Attia Qammar, Ahmad Karim, Yasser Alharbi, Mohammad Alsaffar, Abdullah Alharbi. Computer Systems Science & Engineering. SCIE, EI. 2022, Issue 12, pp. 915-930, 16 pages in total.
Smartphone devices, particularly Android devices, are in use by billions of people everywhere in the world. Similarly, this increasing rate attracts mobile botnet attacks which is a network of interconnected nodes operated through the command and control (C&C) method to expand malicious activities. At present, mobile botnet attacks launched the Distributed denial of services (DDoS) that causes to steal of sensitive data, remote access, and spam generation, etc. Consequently, various approaches are defined in the literature to detect mobile botnet attacks using static or dynamic analysis. In this paper, a novel hybrid model, the combination of static and dynamic methods that relies on machine learning to detect android botnet applications is proposed. Furthermore, results are evaluated using machine learning classifiers. The Random Forest (RF) classifier outperforms as compared to other ML techniques i.e., Naïve Bayes (NB), Support Vector Machine (SVM), and Simple Logistic (SL). Our proposed framework achieved 97.48% accuracy in the detection of botnet applications. Finally, some future research directions are highlighted regarding botnet attacks detection for the entire community.
Keywords: Android botnet; botnet detection; hybrid analysis; machine learning classifiers; mobile malware
Use of subword tokenization for domain generation algorithm classification
7
Authors: Sea Ran Cleon Liew, Ngai Fong Law. Cybersecurity. EI, CSCD. 2024, Issue 2, pp. 1-12, 12 pages in total.
Domain name generation algorithm (DGA) classification is an essential but challenging problem. Both feature-extracting machine learning (ML) methods and deep learning (DL) models such as convolutional neural networks and long short-term memory have been developed. However, the performance of these approaches varies with different types of DGAs. Most features in the ML methods can characterize random-looking DGAs better than word-looking DGAs. To improve the classification performance on word-looking DGAs, subword tokenization is employed for the DL models. Our experimental results proved that the subword tokenization can provide excellent classification performance on the word-looking DGAs. We then propose an integrated scheme that chooses an appropriate method for DGA classification depending on the nature of the DGAs. Results show that the integrated scheme outperformed existing ML and DL methods, and also the subword DL methods.
Keywords: botnet detection; Domain names; Network security; Machine learning-based botnet detection
Analysis on the time-domain characteristics of botnets control traffic
8
Authors: LI Wei-min, MIAO Chen, LIU Fang, LEI Zhen-ming. The Journal of China Universities of Posts and Telecommunications. EI, CSCD. 2011, Issue 2, pp. 106-113, 8 pages in total.
Botnets are networks composed with malware-infected computers. They are designed and organized to be controlled by an adversary. As victims are infected through their inappropriate network behaviors in most cases, the Internet protocol (IP) addresses of infected bots are unpredictable. Plus, a bot can get an IP address through dynamic host configuration protocol (DHCP), so they need to get in touch with the controller initiatively and they should attempt continuously because a controller can't be always online. The whole process is carried out under the command and control (C&C) channel. Our goal is to characterize the network traffic under the C&C channel on the time domain. Our analysis draws upon massive data obtained from honeynet and a large Internet service provider (ISP) network. We extract and summarize fingerprints of the bots collected in our honeynet. Next, with the fingerprints, we use deep packet inspection (DPI) technology to search active bots and controllers in the Internet. Then, we gather and analyze flow records reported from network traffic monitoring equipments. In this paper, we propose a flow record interval analysis on the time domain characteristics of botnets control traffic, and we propose the algorithm to identify the communications in the C&C channel based on our analysis. After that, we evaluate our approach with a 3.4 GB flow record trace and the result is satisfactory. In addition, we believe that our work is also useful information in the design of botnet detection schemes with the deep flow inspection (DFI) technology.
Keywords: botnet detection; netflow record; time domain analysis; deep flow inspection
Detecting P2P bots by mining the regional periodicity (cited by: 3)
9
Authors: Yong QIAO, Yue-xiang YANG, Jie HE, Chuan TANG, Ying-zhi ZENG. Journal of Zhejiang University-Science C (Computers and Electronics). SCIE, EI. 2013, Issue 9, pp. 682-700, 19 pages in total.
Peer-to-peer (P2P) botnets outperform the traditional Internet relay chat (IRC) botnets in evading detection and they have become a prevailing type of threat to the Internet nowadays. Current methods for detecting P2P botnets, such as similarity analysis of network behavior and machine-learning based classification, cannot handle the challenges brought about by different network scenarios and botnet variants. We noticed that one important but neglected characteristic of P2P bots is that they periodically send requests to update their peer lists or receive commands from botmasters in the command-and-control (C&C) phase. In this paper, we propose a novel detection model named detection by mining regional periodicity (DMRP), including capturing the event time series, mining the hidden periodicity of host behaviors, and evaluating the mined periodic patterns to identify P2P bot traffic. As our detection model is built based on the basic properties of P2P protocols, it is difficult for P2P bots to avoid being detected as long as P2P protocols are employed in their C&C. For hidden periodicity mining, we introduce the so-called regional periodic pattern mining in a time series and present our algorithms to solve the mining problem. The experimental evaluation on public datasets demonstrates that the algorithms are promising for efficient P2P bot detection in the C&C phase.
Keywords: P2P botnet detection; Regional periodicity; APRIORI; Autocorrelation function; Evaluation function