Machine Learning Approach for Botnet Detection

BotNet is a type of malware that has posed serious threats to Internet community and has been a common weapon for committing cybercrimes such as spam generation, stealing sensitive information, click fraud and DDOS attacks. In this document, we propose an approach for BotNet detection at large scale where network traffic is monitored at a central core in the Internet (say a Tier-1 ISP) so that captured traffic has enough diversity for a meaningful analysis. This paper focuses on the detection of P2P BotNets which represent the recent and most challenging class of BotNets currently available. We use network behavior analysis for Peer to Peer based BotNet detection. The bots in the network have distinctive traffic behavior which can be analyzed to identify these bots. A number of Packet level and Flow level features such as Source IP address, Source Port number, DestIP, DstPort, Protocol, TPC, TBT and Duration are identified and then computed which are further used to distinguish the BotNet traffic from normal traffic. Machine learning techniques such as Decision Trees, Nearest Neighbor classifier and Support Vector Machine have been used to detect the P2P BotNets. The accuracy for all the classifiers is evaluated by comparing actual classes of samples with predicted classes for the same samples. The accuracy of Nearest Neighbor classifier varies from 33.3% to 97.10% for different classes of BotNet traffic while the decision tree classifier and support vector machine give near perfect accuracy except for BotNet-TCP-Established class where the accuracy is 99.10%.