Botnet Detection Using On-line Clustering with Pursuit Reinforcement Competitive Learning (PRCL)
Abstract
Botnets are a common form of malicious software today and can carry out malicious activities such as DDoS, spamming, phishing, keylogging, click fraud, and theft of personal information and sensitive data. Botnets can replicate themselves without user consent. Several botnet detection systems have been built using classification methods. Classification methods have high precision, but they need more effort to determine an appropriate classification model. In this paper, we propose a reinforced approach to detect botnets with on-line clustering using reinforcement learning. Reinforcement learning involves interaction with the environment and has become a new paradigm in machine learning. The reinforcement learning is implemented together with a set of detection rules, because the ISCX botnet dataset is an unbalanced dataset in which the number of samples per class varies widely. We therefore implement reinforcement learning to detect botnets using Pursuit Reinforcement Competitive Learning (PRCL) with additional detection rules, which use reward and punishment rules to reach the solution. Based on the experimental results, PRCL can detect botnets in real time with high per-family accuracy (100% for Neris, 99.9% for Rbot, 78% for SMTP_Spam, 80.9% for Nsis, 80.7% for Virut, and 96.0% for Zeus) and a fast processing time of up to 176 ms. CPU and memory usage at each stage are 78% and 4.3 GB for pre-processing, 34% and 3.18 GB for on-line clustering with PRCL, and 23% and 3.11 GB for evaluation. The proposed method is one solution for network administrators to detect botnets, whose behavior in network traffic is unpredictable.
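The abstract describes the approach only at a high level, so the following Python sketch is added here to illustrate on-line competitive clustering of flow features with a reward/punishment update. It is example code written for this page, not the authors' implementation, and it is not the PRCL update rule of Barakbah and Arai, which the abstract does not state; the winner-reward/rival-punishment scheme, the frequency-sensitive handicap, the constants alpha and beta, the feature set and the small-cluster rule in `suspicious_clusters` are all assumptions made for the example. The flow records and their labels are constructed for illustration and are not taken from the ISCX dataset.

```python
"""Single-pass (on-line) competitive-learning clustering of flow features with
a reward/punishment update, as an illustration of the PRCL idea.

Added example code, not the paper's implementation: the exact PRCL update and
the paper's detection rules are not given in the abstract, so the scheme below
(reward the winning centroid, punish the runner-up, handicap frequent winners)
is an assumption chosen for this example."""
import math
import random

# Constructed sample flows: (packets, bytes, duration_s, mean_inter_arrival_s).
# Labels are made up for evaluation only and are never used while learning.
# These records are NOT from the ISCX botnet dataset.
FLOWS = [
    ([12, 9_800, 3.2, 0.27], "benign"),
    ([30, 41_000, 8.9, 0.30], "benign"),
    ([8, 4_100, 1.1, 0.14], "benign"),
    ([4, 320, 0.05, 0.01], "bot"),      # tiny, regular C2-style beacon
    ([4, 310, 0.05, 0.01], "bot"),
    ([5, 340, 0.06, 0.01], "bot"),
    ([200, 1_900_000, 45.0, 0.22], "benign"),
    ([4, 330, 0.05, 0.01], "bot"),
]


def normalize(rows):
    """Min-max scale every feature to [0, 1] so byte counts do not dominate."""
    dim = len(rows[0])
    lo = [min(r[d] for r in rows) for d in range(dim)]
    hi = [max(r[d] for r in rows) for d in range(dim)]
    return [[(r[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
             for d in range(dim)] for r in rows]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class RewardPunishClustering:
    """Winner-take-all clustering: the winning centroid is rewarded (pulled
    toward the input) and the runner-up is punished (pushed away)."""

    def __init__(self, k, dim, alpha=0.1, beta=0.01, seed=0):
        assert k >= 2, "need a winner and a rival"
        rng = random.Random(seed)
        self.k = k
        self.alpha, self.beta = alpha, beta
        self.centroids = [[rng.random() for _ in range(dim)] for _ in range(k)]
        self.wins = [0] * k  # how often each centroid has won so far

    def _scores(self, x):
        # Frequency-sensitive distance: a centroid that has already won often
        # is handicapped, so the majority (benign) traffic cannot capture every
        # centroid. This is the assumed countermeasure for class imbalance.
        total = sum(self.wins) + self.k
        return [((self.wins[j] + 1) / total) * euclid(x, c)
                for j, c in enumerate(self.centroids)]

    def update(self, x):
        """Consume one normalized flow in arrival order; return its cluster."""
        scores = self._scores(x)
        order = sorted(range(self.k), key=scores.__getitem__)
        winner, rival = order[0], order[1]
        cw, cr = self.centroids[winner], self.centroids[rival]
        for d in range(len(x)):
            cw[d] += self.alpha * (x[d] - cw[d])   # reward: pull winner to x
            cr[d] -= self.beta * (x[d] - cr[d])    # punish: push rival away
        self.wins[winner] += 1
        return winner

    def assign(self, x):
        """Nearest centroid without learning (for scoring after training)."""
        return min(range(self.k), key=lambda j: euclid(x, self.centroids[j]))


def run_online(flows, k=2, **kw):
    """One pass over the stream; returns (cluster id per flow, trained model)."""
    X = normalize([f for f, _ in flows])
    model = RewardPunishClustering(k, len(X[0]), **kw)
    return [model.update(x) for x in X], model


def cluster_purity(assignments, labels):
    """Share of the majority label in each cluster (evaluation only)."""
    by_cluster = {}
    for c, lab in zip(assignments, labels):
        by_cluster.setdefault(c, []).append(lab)
    return {c: max(labs.count(l) for l in set(labs)) / len(labs)
            for c, labs in by_cluster.items()}


def suspicious_clusters(wins, max_share=0.2):
    """Illustrative triage rule (an assumption, not the paper's rule): in an
    imbalanced stream the small clusters are the ones to hand to an analyst."""
    total = sum(wins)
    return [j for j, w in enumerate(wins) if total and w / total <= max_share]


if __name__ == "__main__":
    assignments, model = run_online(FLOWS)
    print("assignments:", assignments)
    print("purity:", cluster_purity(assignments, [lab for _, lab in FLOWS]))
    print("small clusters:", suspicious_clusters(model.wins))
```

Running the file prints the cluster id of each flow, the per-cluster purity against the constructed labels, and which clusters the size rule flags. Purity uses the labels only after learning, which mirrors how a labelled benchmark such as ISCX is used to score an unsupervised detector. A small-cluster rule on its own also flags rare but benign services, so the flagged clusters are a triage list rather than a verdict, and the thresholds and feature set have to be tuned for the network being monitored.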
Copyright (c) 2018 EMITTER International Journal of Engineering Technology
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.