Botnet Detection with Hybrid Analysis on Flow Based and Graph Based Features of Network Traffic

Botnets have become one of the most serious threats to cyber infrastructure. Many existing botnet detection approaches become invalid due to botnet structure sophistication or encryption of payload of the traffic. In this work, we propose an effective anomaly-based botnet detection method by hybrid analysis of flow based and graph-based features of network traffic. Frist, from network traffic we extract 15 statistical aggregated flow based features as well as 7 types of graph based features, such as in degree, out degree, in degree weight, out degree weight, node betweenness centrality, local clustering coefficient and PageRank. Second, we employ K-means, k-NN and One-class SVM to detect bots based on the hybrid analysis of these two types of features. Finally, we collect a large size of network traffic in real computing environment by implementing 5 different botnets including newly propagated Mirai and others like Athena and Black energy. The extensive experimental results show that our method based on the hybrid analysis is better than the method of individual analysis in terms of detection accuracy. It achieves the best performance with 96.62% of F-score. The experimental results also demonstrate the effectiveness of our method on the detection of novel botnets like Mirai, Athena and Black energy.