Abstract
Botnets are networks of compromised computers (bots) that are remotely controlled by their originator (the botmaster) through a command-and-control (C&C) infrastructure. Botnets are an emerging threat to cyber security. They are the key vehicles for several Internet attacks, for example, spam, distributed denial-of-service (DDoS) attacks, click fraud, malware spreading, and phishing. This review paper describes botnets in three domains: an overview of botnets, observation and analysis of botnets, and keeping track of them and protecting against them. We also indicate various countermeasures to botnet threats and propose future directions for botnet detection research; a consolidated report on current research and future directions for botnet analysis is also presented in this paper.
1. Introduction
A botnet is a network of computers connected to the Internet which have been compromised and are being controlled remotely by an intruder (the botmaster) by means of malicious software called bots [1–3].
The structure is resilient in that when nodes are removed, these gaps may be closed, allowing the network to keep working under the attacker’s control [4, 5]. In P2P designs, individual bots act as both client and server, relaying C&C traffic without a central point that could be disabled. Seizing this set of domains through the domain registrars has a strong effect on the botnet: it effectively diverts the C&C traffic away from the botmaster and prevents any further commands from being issued to the bots [6].
Botnets are created for a broad range of reasons, for example, DDoS, spreading spam, perpetrating click fraud, stealing personal user data (e.g., credit card numbers and social security numbers), or abusing the large computational resources offered by the bots to carry out distributed computing tasks. The scheme considered here is the general architecture in which an attacker exploits a known weakness of a target system, infects or attempts to compromise the core of a machine, and uses the newly gained access to execute additional content or scripts which then fetch a malicious binary from a known location.
However, IRC-based bots are weak because they depend on highly centralized designs: the whole botnet can be disabled in one step by simply shutting down the IRC server. The terms bot and botnet are borrowed from the Internet Relay Chat (IRC) world, which uses a central C&C structure based on readable (cleartext) commands on a single fixed server port.
As a recent development, HTTP-based botnet C&C attempts to be stealthy by hijacking a legitimate communication channel with the specific aim of evading standard firewall-based security, and packets are routinely encrypted to avoid detection by deep packet inspection (Figures 1 and 2). To effectively counter botnets, security researchers and law-enforcement agencies have recently been relying more and more on botnet takedown operations.


Many existing botnet detection systems depend on detecting bot behaviour during the attack stage or the initial infection phase (Table 1).
The post-attack phase is the last phase of the botnet lifecycle, during which bots are made to update their binaries, usually to protect against new attacks or to refresh their functionality.
For instance, in 2009, law enforcement and security experts were able to take down the Mariposa botnet, which at that time comprised around 600,000 bots. A bot tries to establish a connection with the command-and-control server through a mix of methods, joining the botnet formally once this connection has been established.
Conventional detectors rely on standard intrusion detection systems, focusing on detecting botnets based on existing signatures of attacks by looking directly for hidden malicious activities [32]. They are widely used today to detect all kinds of intruder attack patterns, despite being essentially context-free: they tell you practically nothing about the actual role of each computer involved in a distributed attack network or how to handle them.
The attack phase is the phase in the botnet lifecycle when the bot is actively performing malicious activities according to its instructions. A lot of research has been conducted on botnet detection based on the analysis of these message contents.
One of these traces, captured by UCSD, of 40 GB (The CAIDA UCSD Dataset 2008-11-21, 2008) was used for this study, and this required the availability of a scalable framework to train the classification module. According to Leonard et al. [33], a botnet’s lifecycle comprises four phases: formation, C&C, attack, and post-attack.
Several large datasets containing the malicious traffic of various bots have been captured and released by CAIDA and other organisations. Generally, a botnet takedown involves identifying and disrupting the botnet’s command-and-control (C&C) infrastructure. The takedown operation proceeds by first observing the set of domain names through which bots would discover their C&C infrastructure. Recent advances also include the analysis of hybrid models, which address the requirements of the aforementioned botnet designs by combining properties from both centralized and P2P structures [34].
In a high-variance condition, which occurs when the model overfits the data, the training error will be low and the cross-validation error will be substantially higher than the training error. Moreover, by monitoring network traffic, it may reasonably reveal the messages being passed from the server to individual clients. However, HTTP-based C&C schemes still suffer from the problem of centralization, and it is possible to exploit such centralized behaviour in their detection. It was found that when a dataset has high variance, the larger the dataset, the better the classification accuracy of the model. Using these terms loosely in countermeasure and response practice causes confusion, discourages understanding of what to do, and is contrary to a scientific approach.
During the study, a wide variety of bots were found in the wild. The more widespread and well-understood bots are presented. The study examines several malware families, and various features are described in depth. To support the discussion, a few instances of source code and the corresponding command sets have been projected (see Table 2).
2. Aim of Study
Inadequately staffed abuse departments or careless oversight procedures may let fraudsters operate for long periods of time before their command-and-control systems are shut down. In any case, fraudsters may swiftly set up C&Cs via automated sign-up of new customers who skip or do not have verification checks. Botnet operators want their C&Cs to be beyond the jurisdiction of law-enforcement agencies that effectively prosecute crimes, thus geolocation is essential. A handful of smaller ISPs that you might not have heard of before nevertheless hosted a considerable number of C&Cs.
These were the botnet controllers active in 2014, and Table 3 presents a summary of ISPs ordered by the number of C&Cs detected on each ISP’s network during the previous year. Table 3 also lists each malware family ordered by the number of detected botnet C&Cs in that malware family.
This paper is a complete review of botnets and explores the recent trends and happenings in botnets along with proposed solutions. Our review examines three domains: (i) overview of botnets, observation and analysis of botnets; (ii) keeping track of them; and (iii) protecting against them.
Our review consolidates current research and proposes future directions for botnet analysis. This paper is a review of the main advances in the botnet research area. We have divided botnet detection techniques into two approaches: (i) one approach depends on setting up honeynets and (ii) another approach depends upon Intrusion Detection Systems (IDS).
The paper also indicates various countermeasures to botnet threats and proposes future directions for botnet detection research.
The structure of the paper is as follows: Section 3 presents the literature survey. Section 4 explains the target audience of this review work, and Section 5 consists of the topography of attacks in botnet. In Section 6, the contribution of our proposed work is discussed. Finally, Section 7 concludes the paper and current issues and future scope are provided.
3. Literature Survey
This literature survey studies a number of anomalies, and based on these studies, a method is proposed that detects anomalies such as traffic flooding and domain changes. The machine learning approach used in this paper is aimed at the detection of botnet DDoS attacks, spam, data stealing, and so on. Detection approaches that cover the C&C communication stage can be built for different communication protocols (IRC, HTTP, and P2P), while detection approaches that cover the attack stage can target different attack campaigns (spam, DDoS, and so forth).
Existing systems reduce the chances of observing the botnet more broadly; for example, a detection system deployed in the internal network has the limitation of a narrow view of the bot’s behaviour. On the other hand, the client-based detection approach is deployed in the client system to detect botnet DDoS attacks. For observing and tracking botnets, honeynet and traffic-monitoring techniques are proposed to detect botnets based on some of their characteristic behaviours.
The survey is completely unbiased as we the authors have made a rigorous effort to study all the possibilities of network traffic anomaly/intrusion detection. None of the references that we have considered are ambiguous or a derivative of any other. Now, further in terms of examining botnets, detection techniques are classified into two main classes: honeynets and Intrusion Detection Systems (IDS).
Boshmaf et al. [35] evaluated how vulnerable OSNs are to a large-scale infiltration by a Socialbot Network (SbN). Here, the authors used Facebook as a representative OSN and found that using bots that mimic real OSN users is effective in infiltrating Facebook on a large scale, especially when the users and the bots share mutual friends. Alomari et al. [7] presented a broad study showing the risk of botnet-based DDoS attacks on the application layer, especially through pilot use cases. Feizollah et al. [36] evaluated five machine learning classifiers. The evaluation was validated using malware data samples from the Android Malware Genome Project.
Zhao et al. [32] propose another approach to detect botnet activity based on traffic behaviour analysis by classifying network traffic behaviour using machine learning. Khattak et al. [37] organize the existing botnet literature into three broad taxonomies: botnet behavioural features, detection, and defences. This high-level view highlights opportunities for network defence by revealing deficiencies in existing techniques. In another work, researchers [38] build on open source tools such as Hadoop, Hive, and Mahout to provide a scalable implementation of a quasi-real-time intrusion detection system. The implementation is used to detect distributed botnet attacks using machine learning approaches.
Schiavoni et al. [39] proposed Phoenix, a tool that characterises the attacks and, specifically, finds groups of DGA-generated domains that are representative of individual botnets. Krenc et al. [40] tried to answer several key questions about the data to put the scope of the Internet measurement into perspective. García et al. [41] analyzed a long-term botnet capture, identified and modelled the behaviour of its C&C channels; behavioural analysis of the C&C channels gives a new perspective on the modelling of malware behaviour and a better understanding of botnets. Dainotti et al.’s [42] work offers a detailed dissection of the botnet’s scanning behaviour, including general methods to correlate, visualize, and extrapolate botnet behaviour across the global Internet. Thomas and Mohaisen [43] focused on identifying and clustering distinct groups of domain names that are queried by different sets of infected machines and proposed to analyse domain name system (DNS) traffic, for instance, Non-Existent Domain (NXDomain) queries, at several authoritative Top Level Domain (TLD) name servers to identify strongly related clusters of malware-related domains.
Lim et al. [44] analyze how a software-defined network (SDN) can be used to overcome the difficulty and effectively block legitimate-looking DDoS attacks mounted by a large number of bots. García et al. [41] compare the output of three different botnet detection methods by executing them over a new, real, labelled, and large botnet dataset. Abokhodair et al. studied one specific social botnet in Twitter to understand how it grows over time, how the content of tweets by the social botnet differs from that of ordinary users in the same dataset, and, overall, how the social botnet may have influenced the relevant discussions.
Hoque et al. [45] present a comprehensive overview of DDoS attacks, their causes, and types with a taxonomy and specific details of various attack-launching tools. A detailed discussion of several botnet models, tools built using botnet designs, and an analysis of their advantages and drawbacks are also included. Karim et al. [46] present a careful study of the latest state-of-the-art techniques for botnet detection and summarise the trends of past and current research. It provides a thematic taxonomy for the classification of botnet detection techniques and highlights the implications and critical aspects by qualitatively analysing such methods.
Haddadi et al. [47] perform an analysis of the effect (if any) of the capabilities of network traffic flow exporters. Kwon et al. [48] present a fast and scalable approach, called PsyBoG, for detecting malicious behaviour within large volumes of DNS traffic. PsyBoG uses a signal-processing technique, power spectral density (PSD) analysis, to discover the major frequencies resulting from the periodic DNS queries of botnets. Anagnostopoulos et al. [49] presented two novel botnet architectures consisting only of mobile phones and evaluated both their impact regarding DNS amplification and TCP flooding attacks and their cost relating to the upkeep of the C&C channel. Goodman [50] provided insight by examining botnet features and detection methodologies from more than twelve research papers, supplemented by several additional sources.
4. Target Audience
While botnets are widespread, botnet research is still in its earliest stages. Past research shows that a common portion of botnets mainly used IRC for their command and control. If the MLAs do not work, it is assumed that the algorithm cannot detect the attack using the identified list of features; therefore, it is not used for traffic separation. Finally, the research on defending against botnets proposes to simply shut down the botmaster after it has been detected. Similarly, at present, the defence against botnets is not very successful; substantially more work needs to be done in this field. In this study, the types of botnets targeted by the different detection techniques are examined. A formal model can enable people to understand the properties of the botnet and thereby control it. Some formal models are also proposed to predict botnet growth.
Therefore, the survey and the proposed methods presented in this manuscript are applicable to all verticals of network domains including corporate, software industries, smart factories, educational enterprises, governmental e-systems, payment gateway portals, and all kinds of electronic platforms where multiple infrastructure services or integrated platforms are used.
5. Topography of Attacks
In Q1 2015, 23,095 DDoS attacks were reported, targeting web resources in 76 countries. The number of attacks was down 11% against Q4 2014 (25,929). There was an increase (76 against 66 in Q4 2014) in the number of countries where DDoS targets were located (https://securelist.com/statistics-on-botnet-assisted-ddos-attacks-in-q1-2015/70071/). Most DDoS attacks targeted web resources in China, USA, and Canada; this was no change from Q4 2014. There were a few changes in the order of the 10 most frequently attacked countries; however, there were no new additions to that list.
From Figure 3, a marked reduction in the number of attacks against web resources located in countries such as China and the USA can be observed. There was a significant increase in the number of attacks on Canadian web resources, or mostly on their servers. There was likewise an increase in the number of attacks against web resources in Russia, South Korea, and France. If the number of DDoS victims in each country is considered, the top 10 look the same as the previous list. In Q1 2015, botnets attacked a total of 12,281 victims, which is 8% lower than the 13,312 targets in Q4 2014 (see Figure 4).


In Russia, France, and South Korea, the number of attacked web resources increased compared with Q4 2014, as did the number of attacks on all targets located in these countries. In Canada, the number of attacks increased; however, the number of targets decreased, which suggests that cybercriminals are now attacking a smaller number of web resources in the country. The fact that China and the USA lead both rankings, both in numbers of DDoS attacks and in numbers of victims, is explained by the relatively low web-hosting costs in these two countries, which lead many organisations to use hosting providers there. In Q1 2015, the highest number of attacks carried out on a single web resource reached 21 (Table 4).
Although China, the United States of America, and its neighbour Canada hosted most of the DDoS targets in Q1 2015, the two most frequently attacked web resources were a Russian and a Vietnamese site, respectively. Time variations in the number of DDoS attacks: in Q1 2015, notable time variations were seen in the number of DDoS attacks. Only one of the top three, a US hosting provider, is located in the most frequently attacked trio of countries.
The December peak could be connected with the Christmas/New Year holidays, when cybercriminals invested more effort in disrupting the operation of resources and organisations most popular with clients (Figure 5). As seen in the chart, last December saw a sharp increase in the number of botnet-assisted DDoS attacks. Counting each day of an attack separately results in a higher total number of DDoS attacks (30,064) than if each distinct attack is counted once (23,095). In this method, a single attack may be counted several times along the timeline, i.e., once for each day of its duration (Figure 6). The number of attacks declined steadily through January and February, then began to rise again in spring (Figure 7).



Table 5 shows that cybercriminals most often used domains in the com and net gTLDs for botnet hosting in 2014. When using domains in ccTLDs, cybercriminals chose the ru and su ccTLDs most often in 2014. TLDs do not have the same total number of registered domains, however. For example, the com TLD has more than 100 million registered domains, while the ru TLD has somewhat under five million. If we compare the total number of registered domain names in each TLD against the number of malicious domain names in that TLD seen by DBL, the two ccTLDs ru and su were those most heavily abused. We now look at the domain registrars used by cybercriminals for registering botnet controller domains. Table 3 shows a list of domain registrars ordered by the total number of botnet controller domains seen by Spamhaus DBL in 2014.
Like ISPs with high numbers of botnet controllers, these registrars generally have no or limited abuse staff, poor abuse detection procedures, and some either do not or cannot honour takedown requests except on a formal request from the local government or a local court. Since cybercrime-friendly registrars will not cooperate with law enforcement and other parties to shut down botnets, a botnet with C&C domains registered through such a registrar requires lengthy, complex, and extensive efforts to shut down. Since many cybercrime-friendly registrars are located in countries with no or weak legal frameworks against cybercrime, obtaining a court order can be difficult or impossible.
Thus, as with ISPs that host botnet controllers, many of the registrars listed are simply very large registrars. While the total number of botnet domains at such a registrar may appear considerable, the registrar does not in any way support cybercriminals. Meanwhile, ordinary people are at risk of having online banking credentials compromised and accounts drained, or other valuable information stolen for use in fraud and extortion (https://www.spamhaus.org/news/article/720/spamhaus-botnet-summary-2014).
SpamThru works in a limited peer-to-peer capacity; however, all bots report to a central control server. A few of these registrars have a remarkably high proportion of cybercrime domains registered through them. The “lifetime” of criminal domains on legitimate, well-run registrars tends to be short. The bots are also partitioned into peer groups of about 512 bots, keeping the overhead associated with exchanging information about other peers to a minimum. Registrars cannot detect every fraudulent registration or registration of domains for criminal use before those domains go live. However, other considerably smaller registrars that you may never have heard of appear on this same list. The bots are segmented by server port, determined by which variant of the trojan is installed. Figures 8–10 show the total counts recorded by the control server for each control port.



The SpamThru controller keeps statistics on the country of origin of all bots in the botnet. It can be seen from the chart that, although the U.S. has the highest number of infections, bot distribution is not restricted to a specific country. In total, computers in 166 countries are part of the SpamThru botnet.
The SpamThru controller additionally keeps statistics on which version of Windows each infected client is running, down to the service pack level. In the chart, XP SP2 dominates the composition of the botnet, showing that even relatively modern systems are still falling prey to attacks. The SpamThru bot can scan the system for other malware using a pirated copy of Kaspersky Anti-Virus. The scan produces a report which may be uploaded to the control server. In the reports that were sent, a list of infected files alongside the name of the detected malware can be seen. In total, 3863 named malware variants were found on the systems that sent scan reports back to the control server.
6. Proposed Machine Learning Approach for Detection and Prevention of Botnet DDoS Attack
A network of compromised internet-connected devices can be termed a botnet. A botnet can be used to perform distributed denial-of-service (DDoS) attacks, spamming, and data stealing, and it allows the attacker to access the devices. A botnet is controlled by its owner using command-and-control (C&C) software. The words “robot” and “network” combine to form the word botnet.
The machine learning approach can be applied to client-based or network-based traffic for the detection of botnet DDoS attacks, spam, data stealing, etc. [51, 52]. The client-based detection approach is deployed in the client system to detect botnet DDoS attacks [53]. Machine learning (ML) is an extensive field of artificial intelligence, which can construct and generalise structure that can be retrieved from information [54]. Learning is the capacity to perceive complex patterns and make corresponding decisions based on previously gathered information. The basic challenge of machine learning is how to generalise from a limited set of past information so as to make the right decision for new, previously unseen cases [55]. To address this problem ML develops a set of algorithms that discover specific patterns and insights in the data. Depending on the desired result, the algorithms are organised into supervised MLAs and unsupervised MLAs. Supervised learning is the class of well-defined ML algorithms that produce a function mapping inputs to the required outputs. These algorithms are trained with a set of examples of inputs and their corresponding outputs. For botnet detection, supervised MLAs are routinely used to build classifiers that separate malicious activity from network traffic [56].
The goal of unsupervised learning may be to discover groups of similar examples within the data, referred to as clustering, to determine the distribution of data within the data space, known as density estimation, or to project the data from a high-dimensional space down to a few dimensions for the purpose of visualisation [57]. The most prevalent unsupervised learning approaches used for botnet detection are K-means, X-means, and hierarchical clustering. For botnet detection, unsupervised MLAs are usually used for clustering bot-related observations. In both machine learning cases network traffic is analysed from some analysis perspective. For each traffic instance a set of features is extracted and used as the input to the MLAs to represent it. A correct feature set should be chosen which can capture the targeted traffic characteristic and position the approach appropriately in terms of feature extraction and selection.
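The pipeline this section describes, flow feature extraction feeding a supervised MLA and an unsupervised MLA, as an added example that is not part of the paper or any of the surveyed works. The flow records, host addresses, and ground-truth labels are constructed; the nearest-centroid classifier and the k-means routine are stand-ins for the supervised and unsupervised MLAs named above, and the feature set (flow count, bytes per packet, mean inter-flow gap, gap regularity) is one reasonable choice, not the paper's.

```python
"""Botnet traffic classification over constructed NetFlow-like records.

Added example: per-connection feature extraction, a supervised
nearest-centroid classifier, and unsupervised k-means clustering.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (src, dst, dst_port, start_seconds, packets, bytes).
# 10.0.0.5 contacts a made-up C&C address every ~60 s with tiny, uniform flows
# (beaconing); 10.0.0.7 and 10.0.0.8 browse with irregular, variable-size flows.
FLOWS = (
    [("10.0.0.5", "198.51.100.9", 443, 60 * i, 4, 320 + (i % 3)) for i in range(12)]
    + [("10.0.0.7", "203.0.113.20", 443, t, p, b) for t, p, b in
       [(3, 40, 52000), (19, 12, 9000), (140, 88, 120000), (151, 7, 3100), (400, 30, 41000)]]
    + [("10.0.0.8", "203.0.113.21", 80, t, p, b) for t, p, b in
       [(5, 25, 30000), (9, 60, 91000), (210, 10, 6500), (215, 45, 70000)]]
)
# Constructed ground truth for the supervised MLA.
LABELS = {"10.0.0.5": "bot", "10.0.0.7": "benign", "10.0.0.8": "benign"}


def group_series(flows):
    """Group flows into per-(src, dst, port) series ordered by start time."""
    series = defaultdict(list)
    for src, dst, port, ts, pkts, nbytes in flows:
        series[(src, dst, port)].append((ts, pkts, nbytes))
    return {k: sorted(v) for k, v in series.items()}


def extract_features(records):
    """Feature vector for one series: flow count, mean bytes per packet,
    mean inter-flow gap, and coefficient of variation of the gaps (near
    zero for periodic beaconing, around one for human browsing)."""
    bpp = mean(b / p for _, p, b in records)
    gaps = [records[i + 1][0] - records[i][0] for i in range(len(records) - 1)]
    if len(gaps) < 2:  # too few flows to judge regularity: treat as irregular
        return [float(len(records)), bpp, float(gaps[0]) if gaps else 0.0, 1.0]
    gap_mean = mean(gaps)
    gap_cv = pstdev(gaps) / gap_mean if gap_mean else 0.0
    return [float(len(records)), bpp, gap_mean, gap_cv]


def standardise(vectors):
    """Z-score each feature so byte counts do not swamp the gap features;
    returns the scaled vectors and the (mean, std) needed for new samples."""
    cols = list(zip(*vectors))
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) or 1.0 for c in cols]
    return [scale(v, (mu, sd)) for v in vectors], (mu, sd)


def scale(v, params):
    mu, sd = params
    return [(x - m) / s for x, m, s in zip(v, mu, sd)]


def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def training_set(flows=FLOWS, labels=LABELS):
    """Feature vectors, labels, and series keys for the constructed capture."""
    series = group_series(flows)
    keys = list(series)
    return [extract_features(series[k]) for k in keys], [labels[k[0]] for k in keys], keys


def train_nearest_centroid(vectors, labels):
    """Supervised MLA: one centroid per class in standardised feature space."""
    scaled, params = standardise(vectors)
    by_label = defaultdict(list)
    for v, label in zip(scaled, labels):
        by_label[label].append(v)
    centroids = {l: [mean(c) for c in zip(*vs)] for l, vs in by_label.items()}
    return centroids, params


def classify(model, feature_vector):
    """Label a new series by the nearest class centroid."""
    centroids, params = model
    x = scale(feature_vector, params)
    return min(centroids, key=lambda l: dist2(centroids[l], x))


def kmeans(vectors, k=2, iters=20):
    """Unsupervised MLA: plain k-means. Seeds are the first point and the
    point farthest from it, so the run is deterministic; returns cluster ids."""
    scaled, _ = standardise(vectors)
    centroids = [scaled[0]]
    while len(centroids) < k:
        centroids.append(max(scaled, key=lambda p: min(dist2(p, s) for s in centroids)))
    for _ in range(iters):
        assign = [min(range(k), key=lambda j: dist2(p, centroids[j])) for p in scaled]
        new = []
        for j in range(k):
            members = [p for p, a in zip(scaled, assign) if a == j]
            new.append([mean(c) for c in zip(*members)] if members else centroids[j])
        if new == centroids:
            break
        centroids = new
    return assign


if __name__ == "__main__":
    vectors, labels, keys = training_set()
    model = train_nearest_centroid(vectors, labels)
    for key, cluster in zip(keys, kmeans(vectors)):
        print(key, "cluster", cluster, "label", classify(model, extract_features(group_series(FLOWS)[key])))
```

The supervised path needs labelled training series, which in practice come from a capture such as the CAIDA trace cited earlier; the unsupervised path needs none and simply separates the regular, low-volume beaconing series from the irregular browsing series, which is how clustering is used to surface bot-related observations before an analyst labels them. Real captures need the same standardisation step before either MLA, or the byte-count feature dominates the distance computation.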
7. Conclusions
In this paper, a method is proposed that does not directly detect botnets but instead detects various deviations of network behaviour from the norm that characterise botnet operation, for example, traffic flooding and domain changes. The machine learning approach used in this paper can be applied to client-based or network-based traffic for the detection of botnet DDoS attacks, spam, data stealing, and so on. Detection approaches that cover the C&C communication stage can be built for different communication protocols (IRC, HTTP, and P2P), while detection approaches that cover the attack stage can target different attack campaigns (spam, DDoS, and so forth). Consequently, with respect to this characteristic, detection methods for a particular operational stage can be more useful than those covering several operational stages. Detection techniques can target specific botnet operational stages, i.e., the infection stage, the C&C communication stage, or the attack stage.
Existing systems monitor the gateway and relate a domain pattern, which reduces the chances of observing the botnet more broadly; for example, a detection system deployed in the internal network has the limitation of a narrow view of the bot’s behaviour. For botnet detection, supervised MLAs are typically used to build classifiers that separate malicious traffic from network traffic. However, most of the current botnet detection techniques work only on particular botnet C&C communication protocols and structures. The client-based detection approach is deployed in the client system to detect botnet DDoS attacks. For observing and tracking, honeynet and traffic-monitoring techniques are proposed to detect botnets based on some of their characteristic behaviours. The framework is composed of several components that are combined to counter DDoS attacks. However, a central point to note is that the reliability of the operation depends to a significant degree on the traffic analysis measures used and the goal of detection. The analysis of the features is guided by the rationale behind traffic monitoring: the purpose of traffic monitoring determines the various limits of the detection procedure.
In this study, botnet detection techniques are classified into two main classes: honeynets and Intrusion Detection Systems (IDS). The basic level of the targeted communication protocols depends on the types of botnets and operational stages targeted by the detection approach. With the specific aim of completing the classification, traffic over the various communication protocols is examined by the detection framework. The changing set of botnet protocols and structures makes botnet detection an extremely difficult task. Rather than watching the incoming network traffic, the resource usage can be monitored for the detection of an attack. Network-based detection is performed by analysing the network traffic at various points of the network. In this study, the MLAs and the traffic analysis perspectives used by the detection approaches are outlined. This work explores and contributes to the problem of botnets in three folds: understanding botnets, observing and tracking botnets, and countering botnets. In understanding botnets, behaviours and characteristics are analysed through source code analysis, binary analysis, or wide-range measurement.
One basic issue is that bots have become increasingly sophisticated, so evasion techniques have been developed to mislead detection mechanisms, enabling botnets to have long operating lifetimes. Therefore, as botnets change their C&C communication scheme, these detection systems will be insufficient. Using an artificial neural network (ANN) for detection, another machine learning algorithm can be created easily. However, botnets will progress to new communication schemes, for instance, P2P-based botnets.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare no conflicts of interest.