Tracking Temporal Evolution of Network Activity for Botnet Detection
Main authors: | , , |
---|---|
Format: | Article |
Language: | eng |
Subjects: | |
Summary: | Botnets are becoming increasingly prevalent as the primary enabling
technology in a variety of malicious campaigns such as email spam, click fraud,
distributed denial-of-service (DDoS) attacks, and cryptocurrency mining. Botnet
technology has continued to evolve rapidly, making detection a very challenging
problem. There is a fundamental need for robust detection methods that are
insensitive to characteristics of a specific botnet and are generalizable
across different botnet types. We propose a novel supervised approach to detect
malicious botnet hosts by tracking a host's network activity over time using a
Long Short-Term Memory (LSTM) based neural network architecture. We build a
prototype to demonstrate the feasibility of our approach, evaluate it on the
CTU-13 dataset, and compare our performance against existing detection methods.
We show that our approach results in a more generalizable, botnet-agnostic
detection methodology, is amenable to real-time implementation, and performs
well compared to existing approaches, with an overall accuracy score of 96.2%. |
---|---|
DOI: | 10.48550/arxiv.1908.03443 |