

Learning From Network Data Changes for Unsupervised Botnet Detection

Author(s):
Schwengber, Bruno Henrique ; Vergutz, Andressa ; Prates Jr, Nelson G. ; Nogueira, Michele
Total number of authors: 4
Document type: Scientific article
Source: IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT; v. 19, n. 1, p. 13-pg., 2022-03-01.
Abstract

The networks of infected devices (a.k.a., botnets) threaten network security due to their dynamic nature and support to different attacks (e.g., Distributed Denial of Services and personal data theft). Detecting botnets is a challenging task because the infected devices (bots) are numerous, widely and geographically spread. Significant attention has been given to improve the efficiency, robustness and adaptability of network security approaches. However, in the literature, botnet detection techniques usually ignore fast changes in statistical data distribution, performing over static windows, i.e., fixed intervals of time or fixed quantity of flows. Changes in statistical data distribution are known as concept drifts and they make the classification models obsolete. Furthermore, those works employing approaches aware of concept drift use supervised machine learning, which is slow, costly, and prone to error. Therefore, this article presents TRUSTED, a system for online and unsupervised botnet detection aware of concept drifts. Unlike other works, the TRUSTED system improves the learning process for botnet detection, applying concept drift in an online and unsupervised classification. Evaluations comprise offline and online scenarios. Results show that the TRUSTED system detects botnets using concept drift identification, reaching 87% to 95% accuracy, precision, recall, and F1-scores. (AU)

FAPESP grant: 20/05884-8 - MENTORED: from modeling to experimentation: predicting and detecting
Grantee: Nelson Gonçalves Prates Junior
Support type: Scholarships in Brazil - Technical Training Program - Technical Training
FAPESP grant: 18/23098-0 - MENTORED: from modeling to experimentation - predicting and detecting DDoS and zero-day attacks
Grantee: Michele Nogueira Lima
Support type: Research Grants - Thematic