BotEye: Botnet Detection Technique Via Traffic Flow Analysis Using Machine Learning Classifiers

Jagdish R. Yadav, J. Thakur
DOI: 10.1109/PDGC50313.2020.9315792 (https://doi.org/10.1109/PDGC50313.2020.9315792)
Venue: 2020 Sixth International Conference on Parallel, Distributed and Grid Computing (PDGC)
Publication date: 2020-11-06
Citations: 6

Abstract

Botnets are a prevalent threat on the Internet and keep proliferating. They can take down an entire network in the blink of an eye. Different techniques have been proposed to detect botnets, but botmasters keep revamping their botnets, which makes detection hard for techniques that depend on the command and control (C&C) protocols and structures in use. Botnets also use encrypted communication during propagation. A technique is therefore needed that works regardless of the protocols and propagation mechanisms used and that can also detect encrypted botnets. In this paper, BotEye is proposed: a botnet detection technique based on the traffic flow behavior of the network. A fringe benefit of the flow-based approach is that only a fraction of the total network traffic needs to be analyzed. The technique is agnostic to the C&C protocols and structures used, and it can detect encrypted botnets because it is independent of payload information. BotEye uses four features to differentiate between malicious and benign traffic. BotEye is evaluated on the CTU-13 dataset using three different machine learning classifiers with stratified 10-fold cross-validation. The evaluation shows that BotEye achieves its best results, 98.5% accuracy along with a low false-positive rate, when the time window is set to 240 s.