This document summarizes a study on botnet detection techniques. It outlines that botnets pose a serious cybersecurity threat and discusses various botnet detection approaches including signature-based, anomaly-based, host-based, and network-based methods. The document then focuses on two proposed techniques: 1) Using an adaptive learning rate neural network to detect HTTP botnets based on TCP connection features. Evaluation shows it achieved over 99% detection accuracy. 2) Using a Hidden Semi-Markov Model with SNMP MIB variables to characterize normal network behavior and detect botnets, achieving over 98% accuracy on spyware and BlackEnergy botnets.

1. Study and Analysis of botnets
and botnet detection
Techniques
Candidate : G.Kirubavathi
Reg No : 71010112041
Guide : Dr.R.Anitha
Associate Professor
Department of Applied Mathematics and Computational Sciences
PSG College of Technology

2. Outline
 Introduction
 Botnet Detection
 HTTP Botnet Detection
 Future Work
 Conclusions
 References

3. What is the need for Botnet Detection?
 Aug 4 2010 - Zeus v2 Botnet that owned 100,000 UK PCs
taken out
 Aug 12 2010 - Zeus v3 botnet raid on UK bank accounts
 In 2013, Chameleon Botnet' takes $6-million-a-month in
ad money
 Word press hit by large scale botnet attack 5th April 2013.
3

4. Botnet
 Bot is a self propagating application that infects
vulnerable host through direct exploitation or Trojan
insertion.
 A Botnet consists of a network of compromised
computers (“bots”) controlled by an attacker
(“botmaster”)
 Botnets are classified as,
 IRC Botnet
 HTTP Botnet
 P2P Botnet
based on the communication protocol,

5. Classification of Botnet Detection
Techniques
Honey nets
Intrusion Detection System
Signature Based Anomaly Based
Host Based Network Based
Active Monitoring Passive Monitoring

6. HTTP Botnet Detection using
Adaptive Learning Rate MLFF-NN
 Recent botnets have begun using common
protocols such as HTTP
 HTTP bot communications are based on TCP
connections
 TCP related features have been identified for the
detection of HTTP botnets

7. Proposed System Architecture
Network
Traffic
Feature
Extraction
Normalization
Pre-processing
Neural Network Classifier
Training
Set
Testing
Set
NN
Training
NN
Model
Evalu
ate
Normal
Bot

8. Traces of different Web-based
Bonets
Bot Family Trace Size Packets Number
Zeus-1 5.85 MB 53,220
Zeus -2 4.13 MB 37,252
Spyeye -1 25.17 MB 1,75,870
Spyeye -2 3.90 MB 35,180

9. Identification accuracy of web
botnet traffic profiles
Traffic Traces # neurons in
the ip layer
# neurons in
the hidden
layer
Correct
Identification
Spyeye -1 6 18 99.03%
Spyeye- 2 6 18 99.02%
Zeus -1 6 18 99.01%
Zeus -2 6 18 99.04%

10. Performance Measures of Spyeye
Botnet
Method Precision Recall F-Measure Accuracy
Decision Tree 0.968 0.931 0.949 96.5333
Random Forest 0.968 0.934 0.950 96.667
RBF 0.976 0.927 0.950 96.5333
FF NN 0.964 0.983 0.973 99.03

11. ROC curve for Spyeye Botnet

12. Performance Measures of Zeus
Botnet
Method Precision Recall F-Measure Accuracy
Decision Tree 0.956 0.930 0.941 96.14333
Random Forest 0.952 0.930 0.940 96.000
RBF 0.959 0.922 0.940 95.8667
FF NN 0.948 0.992 0.969 99.04

13. ROC curve for Zeus Botnet

14. Comparison of Performance
Method Average
Detection
Accuracy
Gu et al (2008), BotMiner – Data mining
Techniques
96.825
Nogueira et al. (2010), Neural Networks 94.9175
Adaptive Learning Neural Networks –
Proposed
99.025

15. HTTP Botnet Detection using
HsMM with SNMP MIB Variables
 Used Hidden semi-Markov chain Model (HsMM)
to characterize the normal network behavior of
the TCP based MIB variables as observed
sequence.
 Forward-backward algorithm for estimating
model parameters

16. Proposed System Architecture
Extraction of
the SNMP
MIB Variables
Feature
Reduction by
PCA
HsMM Modeling
Summation
of the SNMP
MIB
Variables
Train Data
Test Data
Forward
Backward
Algorithm
HsMM
Model
AL
LNormal
Bot

17. Model Construction
 Construct a HsMM to build a profile of normal MIB traffic behavior
and use this model to detect the botnet.
 A HsMM can be described as
 λ = (N, M,V, A, B, П) where
 N is the size of the state space Ф = {0,1}
 V = {v0, v1, …, vM-1} is the set of all visible symbols which are nothing but
the TCP-MIB variables.
 M is the number of all visible symbols is the summation count of the
MIB variables
 A = [aij]NXN is the state transition probability matrix
 The state transition probability matrix A, Assume A= initially,
the process is normal no matter what current state is, the process will
transfer to normal state next time by probability 1.
 where aij = P{next_state = j | current state = i}, where i, j ϵ Ф






01
01

18. Model Construction Cont…
 B = {bi(k)}, i ϵ Ф, 1 ≤ k ≤ M, is the distribution of visible
symbols V, where bi(k)= P{observed system behavior =
vk | current state i}
 П = [П0, П1, П2, …, ПN-1] is the initial state distribution

19. Web-based botnet identification
Accuracy
Datasets False +ve Rate Detection
Accuracy
Results
Web Service 0% 100% Normal
FTP Service 0% 100% Normal
Spyeye 1.33% 98.67% Malicious Botnet
Black energy 1.28% 98.72% Malicious Botnet

20. Future Work
 Analyzing the various types of current botnet
activities.
 Identify the suitable statistical modeling techniques to
detect the botnet irrespective of their communication
protocols and Command and Control structures

21. Conclusion
 Botnets pose a significant and growing threat
against cyber security
 It provides key platform for many cyber crimes like
DDOS, etc
 As network security has become integral part of our
life and botnets have become the most serious threat
to it
 It is very important to detect botnet attack and find
the solution for it

22. Published Paper G.Kirubavathi Venkatesh and R.Anitha, “HTTP
Botnet Detection using Adaptive learning Rate
Multilayer Feed-forward Neural Network”. In
Proceedings of international workshop in
information security theory and practice –
WISTP’12, UK, 2012, LNCS 7322, pp. 38-48, 2012.
Paper Communicated
 G.Kirubavathi Venkatesh, V.Srihari, R.Veeramani, RM.
Karthikeyan, R.Anitha “HTTP botnet Detection using
Hidden semi-Markov Model with SNMP MIB
variables”, has been communicated to the
International journal of Security and Communication
Networks (Wiley publication).

23. References P. Barford and V. Yegneswaran, “An inside look at botnets,” Springer
Verlag, 2006.
 J. Binkley and S. Singh. “An algorithm for anomaly-based botnet
detection”, In Proceedings of USENIX Steps to Reducing Unwanted Traffic
on the Internet Workshop (SRUTI), pages 43–48, 2006.
 T.Abbes, A.A.Bouhoula, and, M.Rusinowitch, “Protocol Analysis in
Intrusion Detection Using Decision Tree”, Proc. International Conference on
Information Technology, Coding and Computing (ITCC,04) IEEE Xplore,
Pages 404-408.
 Jiong Zhang, Mohammad Zulkernine, Anwar Haque: Random-Forests-
Based Network Intrusion Detection Systems. IEEE Transactions on
Systems, Man, and Cybernetics, Part C 38(5): 649-659 (2008)
 Lee., J. et al The activity analysis of malicious http-based botnets using
degree of periodic repeatability. In Proceedings of the IEEE International
Conference on Security Technology, December, 2008, pp.83-86.

24. References cont…
 X. Tan and H. Xi, Hidden semi-Markov Model for anomaly detection. Journal
of Applied Mathematics and Computation, Elsevier, vol. 205, Issue 2,
November 2008, Special Issue on Advanced Intelligent Computing Theory and
Methodology in Applied Mathematics and Computation, 2008, pp.562-567.
 Shun-Zheng Yu and Kobayashi, H. An Efficient Forward-Backward Algorithm
for an Explicit Duration Hidden Markov Model. In IEEE Signal Processing
Letters, vol.10, Issue 1, Jan. 2003, pp. 11-14
 Wang, B., Li, Z., Li, D., Liu, F. and Chen, H. Modeling Connections Behavior for
Web-Based Bots Detection. In 2nd IEEE International Conference on e-Business
and Information System Security (EBISS) - 2010, Wuhan, pp. 1-4.
 Yi Xie and Shun-Zheng Yu (2009) Monitoring the Application-Layer DDoS
Attacks for Popular Websites, In IEEE/ACM Transactions on Networking, Vol.
17, NO. 1, Feb. 2009.