TY - JOUR
T1 - Hybrid model for bot group activity detection using similarity and correlation approaches based on network traffic flows analysis
AU - Hostiadi, Dandy Pramana
AU - Ahmad, Tohari
N1 - Publisher Copyright:
© 2022 The Author(s)
PY - 2022/7
Y1 - 2022/7
N2 - In this cyber era, botnets have been a serious threat to computer network security in that they can infect computers connected to a network through malicious applications known as malware. Unlike their previous behavior, botnets have evolved from being centralized to decentralized. Thus, detecting and handling bots' activity is challenging. On the other hand, botnets can actively infect and attack the target concurrently, called bot group activities. Existing detection approaches cannot recognize the activity relation between bots in their group, called activity correlation. This correlation is crucial in obtaining the activity causality between bots because it can identify which bot activity affects the other bot activities during the attack. It is the causality of bot activities that helps prevent bot group attacks. This paper proposes a new model for detecting bot group activity using a hybrid analysis approach, which includes extracting activity patterns using a sliding window segmentation technique, analyzing activity similarities between bots, and analyzing their correlation. The experiment uses two public datasets to evaluate the proposed method. The results show that it can detect bot group activity with as high as 99.73% accuracy, which is better than others, with less than 1% of the false-positive rate.
AB - In this cyber era, botnets have been a serious threat to computer network security in that they can infect computers connected to a network through malicious applications known as malware. Unlike their previous behavior, botnets have evolved from being centralized to decentralized. Thus, detecting and handling bots' activity is challenging. On the other hand, botnets can actively infect and attack the target concurrently, called bot group activities. Existing detection approaches cannot recognize the activity relation between bots in their group, called activity correlation. This correlation is crucial in obtaining the activity causality between bots because it can identify which bot activity affects the other bot activities during the attack. It is the causality of bot activities that helps prevent bot group attacks. This paper proposes a new model for detecting bot group activity using a hybrid analysis approach, which includes extracting activity patterns using a sliding window segmentation technique, analyzing activity similarities between bots, and analyzing their correlation. The experiment uses two public datasets to evaluate the proposed method. The results show that it can detect bot group activity with as high as 99.73% accuracy, which is better than others, with less than 1% of the false-positive rate.
KW - Bot Group activity
KW - Botnet
KW - Correlation analysis
KW - Intrusion detection system
KW - Network infrastructure
KW - Network security
UR - http://www.scopus.com/inward/record.url?scp=85130953350&partnerID=8YFLogxK
U2 - 10.1016/j.jksuci.2022.05.004
DO - 10.1016/j.jksuci.2022.05.004
M3 - Article
AN - SCOPUS:85130953350
SN - 1319-1578
VL - 34
SP - 4219
EP - 4232
JO - Journal of King Saud University - Computer and Information Sciences
JF - Journal of King Saud University - Computer and Information Sciences
IS - 7
ER -