Hybrid model for bot group activity detection using similarity and correlation approaches based on network traffic flows analysis

Dandy Pramana Hostiadi, Tohari Ahmad*

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

13 Citations (Scopus)

Abstract

In this cyber era, botnets have been a serious threat to computer network security: they infect computers connected to a network through malicious applications known as malware. Unlike their earlier behavior, botnets have evolved from centralized to decentralized structures, which makes detecting and handling bot activity challenging. In addition, several bots can infect and attack a target concurrently, which is called bot group activity. Existing detection approaches cannot recognize the relation between the activities of bots within a group, called activity correlation. This correlation is crucial for obtaining the causality between bot activities, because it identifies which bot's activity influences the activities of the other bots during an attack, and it is this causality that helps prevent bot group attacks. This paper proposes a new model for detecting bot group activity using a hybrid analysis approach, which includes extracting activity patterns with a sliding window segmentation technique, analyzing activity similarity between bots, and analyzing their correlation. The experiment uses two public datasets to evaluate the proposed method. The results show that it detects bot group activity with accuracy as high as 99.73%, better than existing methods, with a false-positive rate below 1%.

Original language: English
Pages (from-to): 4219-4232
Number of pages: 14
Journal: Journal of King Saud University - Computer and Information Sciences
Volume: 34
Issue number: 7
DOIs
Publication status: Published - Jul 2022

Keywords

  • Bot Group activity
  • Botnet
  • Correlation analysis
  • Intrusion detection system
  • Network infrastructure
  • Network security
