Abstract

Nowadays, botnets have become a threat in the area of cybersecurity, and, worse still, they are difficult to detect in complex network environments. Traffic analysis is therefore adopted to detect botnets, since this kind of method is practical and effective; however, its false alarm rate is very high. The reason is that normal traffic and botnet traffic lie very close to the decision boundary, making them difficult to distinguish. In this paper, we propose an algorithm based on a hybrid association rule to detect and classify botnets; it can calculate the boundary traffic features of botnets and thereby separate normal from botnet traffic effectively. First, after collecting the data of different botnets in a laboratory, we analyze botnet traffic features by applying data mining to it. The suspicious botnet traffic is filtered through DNS protocol, black and white list, and real-time feature filtering methods. Second, we analyze the correlation between domain names and IP addresses. Combining this with the advantages of the existing time-based detection methods, we perform a global correlation analysis on the characteristics of botnets, to judge whether the detection objects can be botnets according to these indicators. Then, we calculate these parameters, including the support, trust (confidence), and membership functions for association rules, to determine which type of botnet the traffic belongs to. Finally, we evaluate the method on a public dataset, and it turns out that the accuracy of our algorithm is higher.
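As an added illustration of the support/trust (confidence) computation the abstract describes, this Python snippet mines rules of the form indicator-set → class from labelled traffic records and uses the best matching rule's confidence as a membership degree for the chosen class. It is not code from the paper; the indicator names, sample records, and thresholds are constructed assumptions.

```python
from itertools import combinations

# Constructed sample records (not the paper's dataset): for each host, the set
# of boundary-traffic indicators that were observed, plus its ground-truth label.
RECORDS = [
    ({"nxdomain_burst", "periodic_beacon", "long_http_delay"}, "botnet:http"),
    ({"nxdomain_burst", "periodic_beacon"}, "botnet:http"),
    ({"nxdomain_burst", "long_http_delay"}, "botnet:http"),
    ({"irc_port", "periodic_beacon"}, "botnet:irc"),
    ({"irc_port", "periodic_beacon", "nxdomain_burst"}, "botnet:irc"),
    ({"periodic_beacon"}, "normal"),
    ({"long_http_delay"}, "normal"),
    (set(), "normal"),
]


def mine_rules(records, min_support=0.25, min_confidence=0.6, max_len=2):
    """Return {(antecedent, label): (support, confidence)} for every rule
    indicator-set -> label that clears both thresholds (assumed values)."""
    n = len(records)
    indicators = sorted(set().union(*(feats for feats, _ in records)))
    rules = {}
    for k in range(1, max_len + 1):
        for combo in combinations(indicators, k):
            ant = frozenset(combo)
            matched = [lbl for feats, lbl in records if ant <= feats]
            if not matched:
                continue
            for label in set(matched):
                joint = matched.count(label)
                support = joint / n                 # P(antecedent and label)
                confidence = joint / len(matched)   # P(label | antecedent)
                if support >= min_support and confidence >= min_confidence:
                    rules[(ant, label)] = (support, confidence)
    return rules


def classify(indicators, rules):
    """Pick the strongest rule whose antecedent is contained in the observed
    indicators; its confidence is returned as the class membership degree."""
    best = None
    for (ant, label), (support, confidence) in rules.items():
        if ant <= indicators:
            key = (confidence, support, len(ant))   # prefer confident, then frequent, then specific
            if best is None or key > best[0]:
                best = (key, label)
    if best is None:
        return "unknown", 0.0   # no rule fires: hand off to the filtering stage
    return best[1], best[0][0]
```

Records that trigger no rule are reported as "unknown" rather than forced into a class, which is where the DNS, black/white list and real-time filters described above would take over.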

Highlights

  • A botnet is a group of centrally controlled bots on the Internet; the computers running the bot software are called controlled hosts, and they are often used by hackers to launch large-scale cyberattacks. Their activities include spam, port scans, phishing sites, etc. The botnet controller can access the information stored on those computers, such as passwords for bank and social media accounts

  • The active detection method has some obvious shortcomings: the probe packets sent with the help of this method will add additional traffic to the network

  • Botnets show a long delay in the HTTP response because requests are relayed through the botnet proxy. This process usually takes extra time, and the nodes associated with the botnet agent have relatively limited computing capability and network bandwidth. The real-time detection method may produce a relatively high false alarm rate because it may misclassify a legitimate web server as a malicious domain name


Summary

A Hybrid Association Rule-Based Method to Detect and Classify Botnets

Received 19 May 2021; Revised 4 August 2021; Accepted 25 August 2021; Published 17 September 2021.

