基于生成对抗网络的僵尸网络检测

doi:10.11959/j.issn.1000-436x.2021082

Abstract

Abstract:

In order to solve the problems of botnets’ strong concealment and difficulty in identification, and improve the detection accuracy of botnets, a botnet detection method based on generative adversarial networks was proposed.By reorganizing the data packets in the botnet traffic into streams, the traffic statistics characteristics in the time dimension and the traffic image characteristics in the space dimension were extracted respectively.Then with the botnet traffic feature generation algorithm based on generative adversarial network, botnet feature samples were produced in the two dimensions.Finally combined with the application of deep learning in botnet detection scenarios, a botnet detection model based on DCGAN and a botnet detection model based on BiLSTM-GAN were proposed.Experiments show that the proposed model improves the botnet detection ability and generalization ability.

Key words: botnet, deep learning, traffic analysis, machine learning, GAN

CLC Number:

TP393.08

Futai ZOU, Yue TAN, Lin WANG, Yongkang JIANG. Botnet detection based on generative adversarial network[J]. Journal on Communications, 2021, 42(7): 95-106.

Figures/Tables 14

References 43

[1]	CenturyLink. 2019 threat report[R]. CenturyLink Black Lotus Labs, 2019.
[2]	NAIR H S , VINODH E S E . A study on botnet detection techniques[J]. International Journal of Scientific and Research Publications, 2012,2(4): 2-4.
[3]	ANTONAKAKIS M , APRIL T , BAILEY M ,et al. Understanding the Mirai botnet[C]// 26th USENIX Security Symposium. Berkeley:USENIX Association, 2017: 1093-1110.
[4]	KESSEM L . The Necursbotnet:a pandora’s box of malicious spam[R]. Security Intelligence, 2017.
[5]	CHECKPOINT R T . JAFF——a new ransomware is in town,and it’s widely spread by the infamous Necursbotnet[R]. Checkpoint Research Team, 2017.
[6]	KARL S . Crypto-jacking:how cyber-criminals are exploiting the crypto-currency boom[J]. Computer Fraud ＆ Security, 2018(9): 12-14.
[7]	SophosLabs Research Team . Emotet exposed:looking inside highly destructive malware[J]. Network Security, 2019(6): 6-11.
[8]	Distil Networks . 2019 bad bot report[R]. Distil Networks, 2019.
[9]	WAJEEHA A . Why botnets persist:designing effective technical and policy interventions[J]. MIT Internet Policy Research Initiative, 2019(2): 1-52.
[10]	BEEK C , DUNTON T , FOKKER J ,et al. Mcafee labs threats report[R]. McAfee Report, 2019.
[11]	ESMAEILI S , SHAHRIARI H R . PodBot:a new botnet detection method by host and network-based analysis[C]// 2019 27th Iranian Conference on Electrical Engineering. Piscataway:IEEE Press, 2019: 1900-1904.
[12]	TOKHTABAYEV A G , SKORMIN V A . Non-stationary Markov models and anomaly propagation analysis in IDS[C]// Third International Symposium on Information Assurance and Security. Piscataway:IEEE Press, 2007: 203-208.
[13]	SHARAFALDIN I , GHARIB A , LASHKARI A H ,et al. BotViz:a memory forensic-based botnet detection and visualization approach[C]// 2017 International Carnahan Conference on Security Technology. Piscataway:IEEE Press, 2017: 1-8.
[14]	CREECH G , HU J K . A semantic approach to host-based intrusion detection systems using contiguous and discontiguous system call patterns[J]. IEEE Transactions on Computers, 2014,63(4): 807-819.
[15]	BARUAH S . Botnet detection:analysis of various techniques[J]. International Journal of Computational Intelligence ＆ IoT, 2019,2(2): 1-7.
[16]	GU G F . Botnet detection in enterprise networks[M]. Berlin: Springer, 2011.
[17]	YAHYAZADEH M , ABADI M . BotCatch:botnet detection based on coordinated group activities of compromised hosts[C]// 7th International Symposium on Telecommunications. Piscataway:IEEE Press, 2014: 941-945.
[18]	GU G , PORRAS P A , YEGNESWARAN V ,et al. Bothunter:detecting malware infection through ids-driven dialog correlation[C]// USENIX Security Symposium. Berkeley:USENIX Association, 2007: 1-16.
[19]	GU G , ZHANG J , LEE W . BotSniffer:detecting botnet command and control channels in network traffic[C]// The Network and Distributed System Security Symposium. Saarland:DBLP, 2008: 1-19.
[20]	GU G , PERDISCI R , ZHANG J ,et al. Botminer:clustering analysis of network traffic for protocol-and structure-independent botnet detection[C]// Proceedings of the 17th USENIX Security Symposium. Berkeley:USENIX Association, 2008: 1-16.
[21]	ZHAO D , TRAORE I , SAYED B ,et al. Botnet detection based on traffic behavior analysis and flow intervals[J]. Computers ＆ Security, 2013,39: 2-16.
[22]	KARIM A , SALLEH R B , SHIRAZ M ,et al. Botnet detection techniques:review,future trends,and issues[J]. Journal of Zhejiang University SCIENCE C, 2014,15(11): 943-983.
[23]	TORRES P , CATANIA C , GARCIA S ,et al. An analysis of recurrent neural networks for botnet detection behavior[C]// 2016 IEEE Biennial Congress of Argentina. Piscataway:IEEE Press, 2016: 1-6.
[24]	HOMAYOUN S , AHMADZADEH M , HASHEMI S ,et al. BotShark:a deep learning approach for botnet traffic detection[M]. Berlin: Springer, 2018.
[25]	VINAYAKUMAR R , SOMAN K P , POORNACHANDRAN P ,et al. DBD:deep learning DGA-based botnet detection[M]. Berlin: Springer, 2019.
[26]	MCDERMOTT C D , MAJDANI F , PETROVSKI A V . Botnet detection in the Internet of things using deep learning approaches[C]// 2018 International Joint Conference on Neural Networks. Piscataway:IEEE Press, 2018: 1-8.
[27]	MEIDAN Y , BOHADANA M , MATHOV Y ,et al. N-BaIoT——network-based detection of IoT botnet attacks using deep autoencoders[J]. IEEE Pervasive Computing, 2018,17(3): 12-22.
[28]	HE K M , ZHANG X Y , REN S Q ,et al. Deep residual learning for image recognition[C]// 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2016: 770-778.
[29]	KIM J Y , BU S J , CHO S B . Malware detection using deep transferred generative adversarial networks[C]// International Conference on Neural Information Processing. Berlin:Springer, 2017: 556-564.
[30]	KIM J Y , BU S J , CHO S B . Zero-day malware detection using transferred generative adversarial networks based on deep autoencoders[J]. Information Sciences, 2018,460/461: 83-102.
[31]	YIN C L , ZHU Y F , LIU S L ,et al. An enhancing framework for botnet detection using generative adversarial networks[C]// 2018 International Conference on Artificial Intelligence and Big Data. Piscataway:IEEE Press, 2018: 228-234.
[32]	ZHU F , YE F , FU Y C ,et al. Electrocardiogram generation with a bidirectional LSTM-CNN generative adversarial network[J]. Scientific Reports, 2019,9:6734.
[33]	RADFORD A , METZ L , CHINTALA S . Unsupervised representation learning with deep convolutional generative adversarial networks[J]. arXiv Preprint,arXiv:1511.06434, 2015.
[34]	OORD A , DIELEMAN S , ZEN H ,et al. WaveNet:a generative model for raw audio[J]. arXiv Preprint,arXiv:1609.03499, 2016.
[35]	MEHRI S , KUMAR K , GULRAJANI I ,et al. SampleRNN:an unconditional end-to-end neural audio generation model[J]. arXiv Preprint,arXiv:1612.07837, 2016.
[36]	MOGREN O . C-RNN-GAN:continuous recurrent neural networks with adversarial training[J]. arXiv Preprint,arXiv:1611.09904, 2016.
[37]	YU Y , SRIVASTAVA A , CANALES S . Conditional LSTM-GAN for melody generation from lyrics[J]. ACM Transactions on Multimedia Computing,Communications,and Applications, 2021,17(1): 1-20.
[38]	GARCíA S , GRILL M , STIBOREK J ,et al. An empirical comparison of botnet detection methods[J]. Computers ＆ Security, 2014,45: 100-123.
[39]	KORONIOTIS N , MOUSTAFA N , SITNIKOVA E ,et al. Towards the development of realistic botnet dataset in the Internet of Things for network forensic analytics:bot-IoT dataset[J]. Future Generation Computer Systems, 2019,100: 779-796.
[40]	SHIRAVI A , SHIRAVI H , TAVALLAEE M ,et al. Toward developing a systematic approach to generate benchmark datasets for intrusion detection[J]. Computers ＆ Security, 2012,31(3): 357-374.
[41]	MIRSKY Y , DOITSHMAN T , ELOVICI Y ,et al. Kitsune:an ensemble of autoencoders for online network intrusion detection[J]. arXiv Preprint,arXiv:1802.09089, 2018.
[42]	BIGLAR BEIGI E , HADIAN JAZI H , STAKHANOVA N ,et al. Towards effective feature selection in machine learning-based botnet detection approaches[C]// 2014 IEEE Conference on Communications and Network Security. Piscataway:IEEE Press, 2014: 247-255.
[43]	AVIV A J , HAEBERLEN A . Challenges in experimenting with botnet detection systems[C]// 4th USENIX Workshop on Cyber Security Experimentation and Test. Berkeley:USENIX Association, 2011: 1-8.

Metrics

Recommended 0

No Suggested Reading articles found!

特征名称	含义	类型
Protocol	传输层协议	基本特征
Duration	流持续时间	基于异常行为的特征
Reconnect	重连次数	基于异常行为的特征
PX	交换包数量	基于异常行为的特征
IOPR	输入包数量/输出包数量	基于异常行为的特征
NNP	交换空包数	基于异常行为的特征
NSP	交换小数据包数量	基于异常行为的特征
PSP	交换小数据包百分比	基于异常行为的特征
FPS	第一个包的长度	基于异常行为的特征
TBT	总字节数	基于流相似的特征
APL	平均数据包长度	基于流相似的特征
DPL	相同长度包数/总包数	基于流相似的特征
PV	数据包长度标准差	基于流相似的特征
BS	每秒平均比特数量	基于流相似的特征
PPS	每秒平均包数量	基于流相似的特征
AIT	数据包平均到达时间	基于流相似的特征

僵尸网络	类型	训练集	测试集
Neris	IRC	√(12%)	√(5.67%)
Rbot	IRC	√(22%)	√(0.018%)
Menti	IRC	×	√(0.62%)
Sogou	HTTP	×	√(0.019%)
Murlo	IRC	×	√(1.06%)
Virut	HTTP	√(0.94%)	√(12.8%)
NSIS	P2P	√(2.48%)	√(0.165%)
Zenus	P2P	√(0.01%)	√(0.109%)
SMTP Spam	P2P	√(6.48%)	√(4.72%)
UDP Storm	P2P	×	√(9.63%)
Tbot	IRC	×	√(0.283%)
Zero Access	P2P	×	√(0.221%)
Weasal	P2P	×	√(9.25%)
Smoke Bot	P2P	×	√(0.017%)
Zenus control (C＆C)	P2P	√(0.01%)	√(0.006%)
ISCX IRC bot	P2P	×	√(0.387%)

模型	准确率	精度	召回率	F1分数
DCGAN	0.992 3	0.994 6	0.992 9	0.993 7
ResNet	0.991 6	0.992 8	0.993 7	0.993 2

模型	良性样本	僵尸网络样本
DCGAN	0.992 9	0.997 1
ResNet	0.993 7	0.996 1

模型	准确率	精度	召回率	F1分数
BiLSTM-GAN	0.855 1	0.915 5	0.823 8	0.867 2
BiLSTM	0.834 5	0.952 7	0.757 7	0.844 1

Botnet detection based on generative adversarial network

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 14

References 43

Related Articles 15

Metrics

Recommended 0

特征	准确率	精度	召回率	F1分数
基本特征	0.747 3	0.734 1	0.694 7	0.704 0
异常行为特征	0.743 9	0.737 6	0.676 9	0.686 7
流相似特征	0.854 4	0.840 2	0.858 3	0.846 4
基本特征＆异常行为特征	0.741 1	0.726 5	0.686 0	0.695 0
基本特征＆流相似特征	0.862 3	0.847 7	0.857 5	0.852 0
异常行为特征＆流相似特征	0.852 0	0.837 0	0.849 7	0.842 1
全部特征	0.855 1	0.915 5	0.823 8	0.867 2

类型	测试集数量/个	DCGAN检测出的样本数量/个	BiLSTM-GAN检测出的样本数量/个
Menti	1 300	410	398
Sogou	40	25	20
Mrulo	2 222	725	224
Tbot	593	160	134
Weasel	19 387	89	70
Smoke	36	11	12
Zero Access	463	32	27

[1]	Dongyu CHEN, Hua CHEN, Limin FAN, Yifang FU, Jian WANG. Research on test strategy for randomness based on deep learning [J]. Journal on Communications, 2023, 44(6): 23-33.
[2]	Rongpeng LI, Bingyan WANG, Honggang ZHANG, Zhifeng ZHAO. Design of knowledge enhanced semantic communication receiver [J]. Journal on Communications, 2023, 44(6): 70-76.
[3]	Shuai MA, Ke PEI, Huayan QI, Hang LI, Wen CAO, Hongmei WANG, Hailiang XIONG, Shiyin LI. Research on geomagnetic indoor high-precision positioning algorithm based on generative model [J]. Journal on Communications, 2023, 44(6): 211-222.
[4]	Yuling LIU, Cuilin WANG, Zhangjie FU. Generative text steganography method based on emotional expression in semantic space [J]. Journal on Communications, 2023, 44(4): 176-186.
[5]	Qianyi DAI, Bin ZHANG, Song GUO, Kaiyong XU. Blockchain network layer anomaly traffic detection method based on multiple classifier integration [J]. Journal on Communications, 2023, 44(3): 66-80.
[6]	Chao XIA, Yaqi LIU, Qingxiao GUAN, Xin JIN, Yanshuo ZHANG, Shengwei XU. Steganalysis of JPEG images using non-linear residuals [J]. Journal on Communications, 2023, 44(1): 142-152.
[7]	Hui LI, Jiali JIN, Shuyu JIN, Weijiao MA. Text steganography method based on automatic selection coding and dynamic word selection strategy [J]. Journal on Communications, 2022, 43(9): 240-253.
[8]	Jie YANG, Biao DONG, Xue FU, Yu WANG, Guan GUI. Lightweight decentralized learning-based automatic modulation classification method [J]. Journal on Communications, 2022, 43(7): 134-142.
[9]	Ang LI, Jianxin CHEN, Xin WEI, Liang ZHOU. 6G-oriented cross-modal signal reconstruction technology [J]. Journal on Communications, 2022, 43(6): 28-40.
[10]	Xiuzhang YANG, Guojun PENG, Zichuan LI, Yangqi LYU, Side LIU, Chenguang LI. Research on entity recognition and alignment of APT attack based on Bert and BiLSTM-CRF [J]. Journal on Communications, 2022, 43(6): 58-70.
[11]	Xiaodan WANG, Jingtai LI, Yafei SONG. DDAC: a feature extraction method for model of image steganalysis based on convolutional neural network [J]. Journal on Communications, 2022, 43(5): 68-81.
[12]	Yong LIAO, Shiyi WANG. CSI feedback algorithm based on RM-Net for massive MIMO systems in high-speed mobile environment [J]. Journal on Communications, 2022, 43(5): 166-176.
[13]	Yurong LIAO, Haining WANG, Cunbao LIN, Yang LI, Yuqiang FANG, Shuyan NI. Research progress of deep learning-based object detection of optical remote sensing image [J]. Journal on Communications, 2022, 43(5): 190-203.
[14]	Zenghua ZHAO, Yuefan TONG, Jiayang CUI. Device-independent Wi-Fi fingerprinting indoor localization model based on domain adaptation [J]. Journal on Communications, 2022, 43(4): 143-153.
[15]	Gaofeng HE, Qianfeng WEI, Xiancai XIAO, Haiting ZHU, Bingfeng XU. Confirmation method for the detection of malicious encrypted traffic with data privacy protection [J]. Journal on Communications, 2022, 43(2): 156-170.