Username   Password       Forgot your password?  Forgot your username? 


BotCapturer: Detecting Botnets based on Two-Layered Analysis with Graph Anomaly Detection and Network Traffic Clustering

Volume 14, Number 5, May 2018, pp. 1050-1059
DOI: 10.23940/ijpe.18.05.p24.10501059

Wei Wanga,b, Yang Wanga, Xinlu Tana, Ya Liua, and Shuangmao Yangb

aBeijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, Beijing, 100044, China
bScience and Technology on Electronic Information Control Laboratory, Chengdu, 610036, China

(Submitted on February 5, 2018; Revised on March 18, 2018; Accepted on April 26, 2018)


Botnets have become one of the most serious threats on the Internet. On the platform of botnets, attackers conduct series of malicious activities such as distributed denial-of-service (DDoS) or virtual currencies mining. Network traffic has been widely used as the data source for the detection of botnets. However, there are two main issues on the detection of botnets with network traffic. First, many traditional filtering methods such as whitelisting are not able to process the very large amount of traffic data in real-time due to their limited computational capability. Second, many existing detection methods, based on network traffic clustering, result in high false positive rates. In this work, we are motivated to resolve the above two issues by proposing a lightweight botnet detection system called BotCapturer, based on two-layered analysis with anomaly detection in graph and network communication traffic clustering. First, we identify anomalous nodes that correspond to C&C (Control and Command) servers with anomaly scores in a graph abstracted from the network traffic. Second, we take advantage of clustering algorithms to check whether the nodes interacting with an anomalous node share similar communication pattern. In order to minimize irrelevant traffic, we propose a traffic reduction method to reduce more than 85% background traffic. The reduction is conducted by filtering the packets that are unrelated to the hosts like C&C server. We collect a very big dataset by simulating five different botnets and mixing the collected traffic with background traffic obtained from ISP. Extensive experiments are conducted and evaluation results based on our own dataset show that BotCapturer reduces more than 85% input raw packet traces and achieves a high detection rate (100%) with a low false positive rate (0.01%), demonstrating that it is very effective and efficient in detecting latest botnets.


References: 21

  1.  B. AsSadhan, and J. M. Moura, "An Efficient Method to Detect Periodic Behavior in Botnet Traffic by Analyzing Control Plane Traffic," Journal of advanced research, vol. 5, no. 4, pp. 435-448, 2014
  2. C. C. Aggarwal, Y. Zhao, and P. S. Yu, "Outlier Detection in Graph Streams," International Conference on Data Engineering, vol.6791, pp. 399-409, 2011
  3. L. Akoglu, M. Mcglohon, and C. Faloutsos, "Anomaly Detection in Large Graphs," Cmu-Cs-09-173-Technical Report, 2009.
  4. H. Choi, and H. Lee, "Identifying Botnets by Capturing Group Activities in DNS Traffic," Elsevier North-Holland, vol. 56, no. 1, pp. 20-33, 2012
  5. G. Gu, R. Perdisci, R. Perdisci, J. Zhang, and W. Lee, "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection," Proceedings of the 17th Usenix Security Symposium, pp.139-154, 2008
  6. S. Gianvecchio, M. Xie, Z. Wu, and H. Wang, "Measurement and Classification of Humans and Bots in Internet Chat," Usenix Security Symposium, pp. 155-170, 2009
  7. X. Guan, W. Wang, and X. Zhang, "Fast Intrusion Detection Based on A Non-negative Matrix Factorization Model," J. Network and Computer Applications 32 (1), pp. 31–44 2009
  8. J. A. Hartigan, and M. A. Wong, "A K-means Clustering Algorithm," Journal of the Royal Statistical Society. Series C (Applied Statistics), vol. 28, no. 1, pp. 100-108, 1979
  9. G. Kirubavathi, and R. Anitha, "Botnets: A Study and Analysis," Computational Intelligence, Cyber Security and Computational Models, pp. 203-214, 2014
  10. B. Perozzi, and L. Akoglu, "Focused Clustering and Outlier Detection in Large Attributed Graphs," Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1346-1355, 2014
  11. W. Wang, T. Guyet, R. Quiniou, M. Cordier, F. Masseglia, and X. Zhang, "Autonomic Intrusion Detection: Adaptively Detecting Anomalies over Unlabeled Audit Data Streams in Computer Networks," Knowledge-Based Systems, vol.70 no. 11, pp. 103-117, 2014
  12. W. Wang, X. Guan, and X. Zhang, "Processing of Massive Audit Data Streams for Real-time Anomaly Intrusion Detection," Computer Communications 31 (1), pp. 58–72, 2008
  13. W. Wang, J. Liu, G. Pitsilis, and X. Zhang, "Abstracting Massive Data for Lightweight Intrusion Detection in Computer Networks," Information Sciences, vol. 433-434, no. 4, pp. 417-430, 2018
  14. W. Wang, Y. Li, X. Wang, J. Liu, and X. Zhang, "Detecting Android Malicious Apps and Categorizing Benign Apps with Ensemble of Classifiers," Future Generation Computer Systems, vol.78, pp. 987–994, 2018
  15. W. Wang, X. Wang, D. Feng, J. Liu, Z. Han, and X. Zhang, "Exploring Permission-induced Risk in Android Applications for Malicious Application Detection," IEEE Transactions on Information Forensics and Security 9 (11), pp. 1869–1882, 2014
  16. X. Wang, W. Wang, Y. He, J. Liu, Z. Han, and X. Zhang, "Characterizing Android Apps' Behavior for Effective Detection of Malapps at Large Scale," Future Generation Computer Systems, 75: 30-45, 2017
  17. A. Zimek, E. Schubert, and H. P. Kriegel, "A Survey on Unsupervised Outlier Detection in High-dimensional Numerical Data," Statistical Analysis & Data Mining, vol. 5, no. 5, pp. 363–387, 2012
  18. D. Zhao, I. Traore, B. Sayed, W. Lu, S. Saad, and A. Ghorbani, "Botnet Detection Based on Traffic Behavior Analysis and Flow Intervals," Computers & Security, vol. 39, no. 4, pp. 2-16, 2013
  19. Z. Zhu, V. Yegneswaran, and Y. Chen, "Using Failure Information Analysis to Detect Enterprise Zombies," Security and Privacy in Communication Networks, vol. 19, pp. 185-206, 2009
  20. "Spamhaus Botnet Threat Report 2017," Available at, Last accessed on January 31, 2018
  21. "What is Docker," Available at, Last accessed on January 31, 2018


    Please note : You will need Adobe Acrobat viewer to view the full articles.Get Free Adobe Reader

    This site uses encryption for transmitting your passwords.