Abstract

In this cyber era, botnets are a serious threat to computer network security because they can infect networked computers through malicious applications known as malware. Botnets have evolved from centralized to decentralized architectures, which makes detecting and handling bot activity challenging. Botnets can also infect and attack a target concurrently, a behavior called bot group activity. Existing detection approaches cannot recognize the relation between the activities of bots in a group, called activity correlation. This correlation is crucial for obtaining the activity causality between bots because it identifies which bot's activity affects the activities of other bots during the attack. It is this causality of bot activities that helps prevent bot group attacks. This paper proposes a new model for detecting bot group activity using a hybrid analysis approach, which includes extracting activity patterns with a sliding window segmentation technique, analyzing activity similarities between bots, and analyzing their correlation. The experiment uses two public datasets to evaluate the proposed method. The results show that it can detect bot group activity with accuracy as high as 99.73%, better than other approaches, with a false-positive rate of less than 1%.
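
The three stages named in the abstract (sliding-window segmentation, similarity analysis, correlation analysis) can be sketched as follows. This is an added illustration, not the paper's code: the window size and step, the use of cosine similarity and Pearson correlation, the thresholds, and the sample flows are all assumptions made here.

```python
import math
from collections import defaultdict

# Constructed sample flows (timestamp_seconds, source_host); not from the paper's datasets.
FLOWS = (
    [(t, "10.0.0.5") for t in (1, 2, 3, 31, 32, 33, 61, 62, 63, 64)]    # bursty host
    + [(t, "10.0.0.6") for t in (2, 3, 4, 32, 33, 34, 62, 63, 64, 65)]  # same bursts, 1 s lag
    + [(t, "10.0.0.9") for t in range(0, 90, 9)]                        # steady background host
)

def window_counts(flows, size=10, step=5, horizon=90):
    """Sliding-window segmentation: per-host flow counts in overlapping windows."""
    starts = range(0, horizon - size + 1, step)
    series = defaultdict(lambda: [0] * len(starts))
    for ts, host in flows:
        for i, s in enumerate(starts):
            if s <= ts < s + size:
                series[host][i] += 1
    return dict(series)

def cosine(a, b):
    """Similarity of two activity patterns (assumed measure)."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def pearson(a, b):
    """Correlation of two activity series over time (assumed measure)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va, vb = sum((x - ma) ** 2 for x in a), sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0

def correlated_pairs(series, sim_min=0.9, corr_min=0.8):
    """Return host pairs whose windowed activity is both similar and correlated."""
    hosts, out = sorted(series), []
    for i, h1 in enumerate(hosts):
        for h2 in hosts[i + 1:]:
            s, c = cosine(series[h1], series[h2]), pearson(series[h1], series[h2])
            if s >= sim_min and c >= corr_min:  # thresholds are assumptions
                out.append((h1, h2, round(s, 3), round(c, 3)))
    return out

if __name__ == "__main__":
    for pair in correlated_pairs(window_counts(FLOWS)):
        print(pair)
```

Overlapping windows keep the one-second lag between the two bursty hosts from splitting a shared burst across a window boundary, so the pair still scores as a candidate group while the steady host does not.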
