Conversation-based P2P botnet detection with decision fusion
University of New Brunswick
Botnets have been identified as one of the most dangerous threats through the Internet. A botnet is a collection of compromised computers called zombies or bots controlled by malicious machines called botmasters through the command and control (C&C) channel. Botnets can be used for plenty of malicious behaviours, including DDOS, Spam, stealing sensitive information to name a few, all of which could be very serious threats to parts of the Internet. In this thesis, we propose a peer-to-peer (P2P) botnet detection approach based on 30-second conversation. To the best of our knowledge, this is the first time conversation-based features are used to detect P2P botnets. The features extracted from conversations can differentiate P2P botnet conversations from normal conversations by applying machine learning techniques. Also, feature selection processes are carried out in order to reduce the dimension of the feature vectors. Decision tree (DT) and support vector machine (SVM) are applied to classify the normal conversations and the P2P botnet conversations. Finally, the results from different classifiers are combined based on the probability models in order to get a better result.