Botnet Detection using Social Graph Analysis
Jing Wang, Ioannis Ch. Paschalidis

TL;DR
This paper introduces a social graph analysis approach for botnet detection that overcomes limitations of signature-based methods by analyzing node relationships and communication patterns, demonstrating improved accuracy on real-world data.
Contribution
The paper presents a novel two-stage social graph analysis method for botnet detection, including anomaly detection and community detection with a refined modularity measure.
Findings
Effective detection on real-world botnet traffic
Improved accuracy with the refined modularity measure
Outperforms other community detection methods
Abstract
Signature-based botnet detection methods identify botnets by recognizing Command and Control (C&C) traffic and can be ineffective for botnets that use new and sophisticated mechanisms for such communications. To address these limitations, we propose a novel botnet detection method that analyzes the social relationships among nodes. The method consists of two stages: (i) anomaly detection in an "interaction" graph among nodes using large deviations results on the degree distribution, and (ii) community detection in a social "correlation" graph whose edges connect nodes with highly correlated communications. The latter stage uses a refined modularity measure and formulates the problem as a non-convex optimization problem for which appropriate relaxation strategies are developed. We apply our method to real-world botnet traffic and compare its performance with other community detection…
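To make the two-stage pipeline in the abstract concrete, the following is an added, illustrative implementation written for this page; it is not the authors' code and does not reproduce their specific results. Stage 1 scores each time window's interaction graph by n·KL(empirical degree histogram ‖ baseline histogram), which is the Sanov-type large-deviations surprise for an observed degree distribution (the paper's exact large-deviations result is not reproduced). Stage 2 links candidate nodes whose per-window outbound flow counts are Pearson-correlated above a threshold and then clusters the correlation graph with plain Newman modularity maximised by greedy merging, in place of the paper's refined modularity measure and non-convex relaxation. The flow records, host names (h1..h6, s1, s2, b1..b4) and the assumed C&C host c1 are all constructed here for the example.

```python
import math
from collections import Counter, defaultdict
from itertools import combinations

BOTS = ["b1", "b2", "b3", "b4"]   # constructed sample; not real traffic


def make_flows():
    """Constructed (window, src, dst) flow records: six ordinary clients, two
    servers, and four hosts that behave normally except for synchronized
    peer-to-peer bursts plus contacts to an assumed C&C host c1."""
    normal = [("h1", "s1"), ("h2", "s1"), ("h3", "s2"),
              ("h4", "s2"), ("h5", "s1"), ("h6", "s2")]
    flows = []
    for w in range(10):
        flows += [(w, h, s) for h, s in normal]
        if w in (0, 3, 6):
            flows.append((w, "h1", "h2"))           # occasional host-to-host chat
        if w in (2, 8):
            flows += [(w, "h3", "s2")] * 2           # volume spike, same edge
        if w in (4, 6):
            flows.append((w, "h5", "s1"))
        flows += [(w, b, "s1") for b in BOTS]       # bots look like clients...
        if w in (5, 7, 9):                           # ...until a joint burst
            flows += [(w, a, b) for a, b in combinations(BOTS, 2)]
            flows += [(w, b, "c1") for b in BOTS]    # c1: assumed C&C host
    return flows


def interaction_degrees(flows, window):
    """Degree of each node in the undirected interaction graph of one window
    (repeated flows between the same pair do not add edges)."""
    neigh = defaultdict(set)
    for w, s, d in flows:
        if w == window:
            neigh[s].add(d); neigh[d].add(s)
    return {n: len(v) for n, v in neigh.items()}


def ld_score(window_degrees, reference_hist):
    """n * KL(empirical || reference) with add-one smoothing. By Sanov's
    theorem the probability of this histogram under the reference decays
    like exp(-n*KL), so a large score is a large-deviations anomaly."""
    emp = Counter(window_degrees.values())
    n = sum(emp.values())
    if n == 0:
        return 0.0
    support = set(emp) | set(reference_hist)
    total = sum(reference_hist.values()) + len(support)
    kl = 0.0
    for d in support:
        p, q = emp[d] / n, (reference_hist.get(d, 0) + 1) / total
        if p > 0:
            kl += p * math.log(p / q)
    return n * kl


def stage1(flows, baseline, test, threshold):
    """Flag test windows whose degree distribution deviates from the pooled
    baseline; return flagged windows, the nodes active in them, and scores."""
    ref = Counter()
    for w in baseline:
        ref.update(interaction_degrees(flows, w).values())
    scores = {w: ld_score(interaction_degrees(flows, w), ref) for w in test}
    flagged = sorted(w for w, s in scores.items() if s > threshold)
    nodes = set()
    for w in flagged:
        nodes.update(interaction_degrees(flows, w))
    return flagged, nodes, scores


def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx, syy = sum((a - mx) ** 2 for a in x), sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0                 # constant activity carries no correlation
    return sxy / math.sqrt(sxx * syy)


def correlation_graph(flows, nodes, windows, min_corr):
    """Edge between candidates whose per-window outbound flow counts correlate."""
    idx = {w: i for i, w in enumerate(windows)}
    series = {n: [0] * len(windows) for n in nodes}
    for w, s, d in flows:
        if s in series and w in idx:
            series[s][idx[w]] += 1
    return {(a, b) for a, b in combinations(sorted(nodes), 2)
            if pearson(series[a], series[b]) >= min_corr}


def modularity(partition, edges, degree):
    m = len(edges)
    if m == 0:
        return 0.0
    return sum(sum(1 for a, b in edges if a in c and b in c) / m
               - (sum(degree[n] for n in c) / (2 * m)) ** 2 for c in partition)


def greedy_communities(nodes, edges):
    """Agglomerative modularity maximisation: merge the pair of communities
    that raises Q most; stop when no merge strictly improves Q."""
    degree = Counter()
    for a, b in edges:
        degree[a] += 1; degree[b] += 1
    parts, best_q = [{n} for n in sorted(nodes)], None
    best_q = modularity(parts, edges, degree)
    while True:
        best = None
        for i, j in combinations(range(len(parts)), 2):
            merged = parts[:i] + parts[i + 1:j] + parts[j + 1:] + [parts[i] | parts[j]]
            q = modularity(merged, edges, degree)
            if q > best_q + 1e-12 and (best is None or q > best[0]):
                best = (q, merged)
        if best is None:
            return [frozenset(c) for c in parts]
        best_q, parts = best


def detect(flows, baseline=range(0, 5), test=range(5, 10), threshold=3.0, min_corr=0.9):
    flagged, candidates, _ = stage1(flows, baseline, test, threshold)
    edges = correlation_graph(flows, candidates, list(baseline) + list(test), min_corr)
    return flagged, [c for c in greedy_communities(candidates, edges) if len(c) > 1]


if __name__ == "__main__":
    flagged, groups = detect(make_flows())
    print("anomalous windows:", flagged)
    print("correlated communities:", [sorted(c) for c in groups])
```

Two practical points the example is built to show: the interaction graph responds to new edges (the peer mesh and the C&C contact) but not to volume spikes on existing edges, which is why Stage 1 leaves h3's traffic spike alone; and nodes with constant activity, including servers that only receive flows, produce no correlation signal, so the Pearson step must treat zero variance as "no edge" rather than dividing by zero. The baseline windows, the score threshold and the correlation cut-off are tuning parameters, not values from the paper.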
Taxonomy
Topics: Complex Network Analysis Techniques · Network Security and Intrusion Detection · Opinion Dynamics and Social Influence
