A Novel Approach of Botnets Detection Based on Analyzing Dynamical Network Traffic Behavior

SN Comput. Sci. (2021)

Abstract
Botnets have become one of the most serious cybersecurity threats, driving cyber crimes such as DDoS, spam, identity theft, and phishing. Because evasion techniques are constantly updated, botnet detection has always remained an unaddressed challenge. To cope with this, we propose a new approach to detect botnet activity based on the dynamical modeling of traffic behavior. Important features of network traffic, such as packet length, sending protocol, source IP, destination IP, and sending time, are extracted with Wireshark. To explore the effect of evasion methods on network behavior, time series are plotted from the extracted features to analyze and classify the characteristics of network traffic while bots are active. Because some features change drastically while evasion techniques are in use, several suspicious behaviors are explored as chaotic dynamical behavior in these time series and used to define the final benchmark detection mechanism. To check accuracy, two datasets, ISCX IDS 2012 and CTU-Malware-Capture-Botnet-254-1, are used. The simulation results show that the proposed method has a detection rate of over 99% and a false positive rate of less than 0.67%.
Keywords
Network security, Time series, Botnet detection, Evasion, Chaos, Lyapunov's exponent