Proposing the application of a deep learning model to detect the malicious IP address of botnet in the computer network
Keywords:
DGA Botnet, deep learning, malicious IPs
Abstract— Malware in general and botnets in particular are major threats to cybersecurity. They use many sophisticated methods to bypass security systems, infect computers, and carry out attacks, sabotage, or espionage. Botnet detection is therefore a constant focus for researchers and cybersecurity specialists. DGA botnets are a group of common botnet families that share the same mechanism: the infected host must connect back to the C&C server via DNS to receive commands before it can operate. Many algorithms for detecting and classifying DGA botnets have been proposed and tested with strong results. In this study, we apply such solutions to detect malicious IP addresses and botnet malware families. First, we evaluate the efficiency of two deep learning models, LA_Bin07 and LA_Mul07, on a new specialized dataset, UTL_DGA22. Next, we extend the experiment to the ISCX-Bot-2014 dataset. The results show that both LA_Bin07 and LA_Mul07 achieve high accuracy on the new dataset, 0.98 and 0.86 respectively. Experiments on the real-world dataset also give positive results, helping network administrators localize malicious IP addresses for deeper investigation. The proposed solution is effective enough to be applied as a module in cybersecurity solutions such as firewalls, intrusion detection and prevention systems, or unified threat management (UTM) systems.
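The step from per-domain DGA classification to per-IP localization, as an added example that is not the paper's code: DNS query log lines are constructed, `is_dga_like` is a hypothetical heuristic standing in for the LA_Bin07 classifier (which the abstract does not describe), and `score_ips` aggregates DGA-like queries per source IP, weighting NXDOMAIN answers because DGA clients typically probe many unregistered candidates.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log lines: <source IP> <queried domain> <response code>.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 securityupdates.example.com NOERROR
10.0.0.9 xk3jq9vzp2lw.com NXDOMAIN
10.0.0.9 q7tz2mxn8bvc.net NXDOMAIN
10.0.0.9 plwq0z9xkj4r.org NXDOMAIN
10.0.0.9 cdn.example.org NOERROR
10.0.0.12 news.example.net NOERROR
10.0.0.12 g8hk2lpq7wzx.info NXDOMAIN
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")


def is_dga_like(domain: str) -> bool:
    """Hypothetical stand-in for the LA_Bin07 binary classifier.

    Flags the leftmost label when it is long, has high character
    entropy and few vowels, a crude proxy for algorithmically generated
    names. In a real deployment this is the trained model's prediction.
    """
    label = domain.lower().split(".")[0]
    if len(label) < 10:
        return False
    counts = {c: label.count(c) for c in set(label)}
    entropy = -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return entropy > 3.0 and vowel_ratio < 0.25


def score_ips(log_text: str, min_score: int = 3) -> dict:
    """Aggregate DGA-like queries per source IP and return the IPs whose
    score reaches min_score; NXDOMAIN answers count double."""
    scores = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the batch
        src, domain, rcode = m.groups()
        if is_dga_like(domain):
            scores[src] += 2 if rcode == "NXDOMAIN" else 1
    return {ip: s for ip, s in scores.items() if s >= min_score}
```

Only 10.0.0.9 crosses the default threshold; lowering `min_score` also surfaces 10.0.0.12, which shows why the per-IP threshold, not the per-domain verdict, controls the analyst's false-positive load.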
License
Proposed Policy for Journals That Offer Open Access
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).
Proposed Policy for Journals That Offer Delayed Open Access
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication, with the work [SPECIFY PERIOD OF TIME] after publication simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).