A comparison of stream mining algorithms on botnet detection
Guilherme Henrique Ribeiro, Elaine Ribeiro de Faria Paiva, R. Miani
Proceedings of the 15th International Conference on Availability, Reliability and Security, published 2020-08-25
DOI: 10.1145/3407023.3407053 (https://doi.org/10.1145/3407023.3407053)
Citations: 3
Abstract
Recent botnet activities targeting IoT infrastructure and turning computing devices into cryptocurrency miners indicate an increase in the botnet attack surface and capabilities. These facts emphasize the importance of investigating alternative methods for detecting botnets. One of them is using stream mining algorithms to classify malicious network traffic. Although some initiatives seek to adopt stream mining strategies to detect botnets, several research topics still need to be discussed. Our goal is to compare the use of single and ensemble-based stream mining algorithms to identify botnet network flows. Since obtaining examples of malicious network flows can be a hassle for security managers, we also investigate whether the use of ensembles could reduce the number of labeled instances required to update the classification model. Our results indicate that the ensemble-based Ozaboost algorithm with the prequential evaluation strategy outperforms the other selected algorithms. We also found that ensemble-based algorithms and some botnet characteristics (C&C communication protocol) require fewer labeled instances while maintaining high performance.