Conference: International Computer Conference, Computer Society of Iran

Mining The Cluster-level Properties of Bots Network Activities


Abstract

A botnet is a malicious network that can be leveraged in a wide range of cyber-attacks with possibly catastrophic results. Consequently, botnet detection is a high priority. In the past few years, many studies on botnet detection have been conducted, and the proposed approaches focus heavily on machine learning techniques. In this paper, a clustering approach based on Gaussian mixture distributions is proposed that accommodates ellipsoidal clusters. Each cluster is associated with a Gaussian distribution, from which an overall mixture of Gaussians is obtained. An optimization problem is then formalized, ending up with a cost function based on the entropy of the overall distributions. The optimal solution is determined by using an optimization method. The proposed approach is then applied to bot-generated network traffic to extract models of bot behavior, which can in turn be leveraged to detect bot-infected hosts. The quality evaluation is performed using some commonly used criteria that measure the accuracy and detection capability of the models generated by the algorithm. The results show that high quality can be achieved by our method.
