Vol: 2016 Issue: 1
Published In: January 2018
Article No: 11 Page: 191-212 doi: https://doi.org/10.13052/jsn2445-9739.2016.011
Improving Intrusion Detection on Snort Rules for Botnet Detection
Received 10 April 2016; Accepted 2 May 2016;
Publication 29 May 2016
Saiyan Saiyod1,*, Youksamay Chanthakoummane1, Nunnapus Benjamas2, Nattawat Khamphakdee2 and Jirayus Chaichawananit1
1Hardware-Human Interface and Communications (H2I-Comm) Laboratory, Department of Computer Science, Faculty of Science, Khon Kaen University, Muang, Khon Kaen, Thailand
2Advanced Smart Computing (ASC) Laboratory, Department of Computer Science, Faculty of Science, Khon Kaen University, Muang, Khon Kaen, Thailand
E-mail: {saiyan; nunnapus}@kku.ac.th; {youksamay c; jirayus.chaichawananit; k.nattawat}@kkumail.com
*Corresponding Author
Botnets have become a serious problem in network security, and an organization should find solutions that protect its data and network systems and reduce the risk that Botnets pose. The Snort Intrusion Detection System (Snort-IDS) is a widely used network security protection software. Snort-IDS uses rules to match against the packets of network traffic, and some existing rules can detect Botnets. In this paper we improve the Snort-IDS rules for Botnet detection and analyze Botnet behaviors in three rule files: Botnets_attack_1.rules, Botnets_attack_2.rules, and Botnets_attack_3.rules. We evaluate the three rule files with the MCFP dataset, using five of its captures: CTU-Malware-Capture-Botnet-42, CTU-Malware-Capture-Botnet-43, CTU-Malware-Capture-Botnet-47, CTU-Malware-Capture-Botnet-49, and CTU-Malware-Capture-Botnet-50. The paper focuses on the efficiency of detection and the fallibility of Botnet detection for the three rule files; the performance of each rule file is evaluated by detecting each packet. The experimental results show that the Botnets_attack_1.rules file detects up to 809075 alerts, with an efficiency of detection of 94.81% and a fallibility of 5.17%. The Botnets_attack_2.rules file detects up to 836191 alerts, with an efficiency of detection of 97.81% and a fallibility of 2.90%. The Botnets_attack_3.rules file detects 822711 alerts, with an efficiency of detection of 93.72% and a fallibility of 6.27%. The Botnets_attack_2.rules file is the most proficient rule file for Botnet detection, because it has the highest efficiency of detection and the lowest fallibility.
Today, transactions such as purchases, sales and product exchanges exchange their information mainly through the Internet. Data security has therefore become the most significant concern for personal computers, homes, schools, businesses, and offices. Security incidents have a serious impact on business operations: if information is stolen, the damage can force the system to stop immediately. The current threat of attacks on security has increased, and Botnet threats have been developed in different ways. Therefore, business organizations that operate via the Internet have increased their network security to protect their information efficiently, while attackers manipulate information and damage network systems [1].
A Botnet, or Bot, is robot software that is usually installed on a client computer and runs preset commands automatically; examples are the IRC (Internet Relay Chat) Bots of chat rooms and the Bots of online games. A Botnet is controlled remotely by a hacker. A Bot is a small type of computer virus, so users cannot notice that the Bot is in their computer. These computers are often controlled by hackers via the Internet, who send orders through a chat room or IRC system [2]. Botnet activity includes malicious attacking and infecting, sending SPAM, DDoS, Blacklist, Neris, etc. Furthermore, a Bot is remotely managed and synchronized. The synchronization is not only between different Bots but also within the same Bot: for example, one Bot module sends SPAM while another module maintains the C&C channel, and the first stops sending packets at the moment the Bot receives the order to send no more mails [3].
Today, an intrusion detection system (IDS) can apply various kinds of techniques in network security. The main task of an IDS is to monitor the traffic on the network system, analyze it, and raise an alert when suspicious files or a malicious attack on the system are found. An IDS can be signature-based or anomaly-based. Another consideration is how easily network security can be maintained, which depends on the accuracy of the IDS [4].
In this paper, we propose an improvement of the Snort-IDS rules for Botnet detection and evaluate it with the MCFP datasets using a rule technique. The rule technique analyzes the patterns of the network traffic data, from which the Snort-IDS rules are generated according to the behavior of the network traffic.
The rest of the paper is organized as follows. Section 2 presents related work. Section 3 presents the background. Section 4 presents the system architecture. Section 5 presents the performance evaluation. Section 6 presents the conclusion and future work.
Botnets in particular pose a significant threat to security on the Internet, and as a result there is much interest in the research community in developing sufficient solutions. In [5], an IDS-based multi-phase IRC-Bot and Botnet behavior detection model is based on the C&C messages and the malicious behaviors of IRC-Bots inside the network environment. A detection method for Botnets based on behavior features is capable of detecting both known and unknown Botnets and needs fewer updates, an aspect that is less studied in Botnet detection research [6]. An intrusion detection system was implemented with Snort and configured with WinPcap in a Windows-based environment; it was possible to configure it as a firewall on Windows, but the Snort-IDS rules were not improved [7].
Intrusion detection of network Botnet attacks was improved through the use of the MCFP (Malware Capture Facility Project) datasets [3]. The authors propose three new Botnet detection methods and a new model of Botnet behavior, based on a deep understanding of Botnet behavior in the network: the SimDetect, BClus, and CCDetect methods. These algorithms benefit from a better dataset to start showing particular results. The shift of detection techniques toward behavior-based models has proved to be a better approach to analyzing Botnet patterns. However, current knowledge of Botnet detection and of Botnet patterns still lacks an obvious analysis.
In addition, Snort-IDS has been used to monitor Web content over a certain time by identifying abnormal behavior patterns within a campus network security monitoring system [8]. The performance evaluation in [9] analyzes the alerts of Snort-IDS in a high-speed network, where Snort detected 12 signatures, among them ICMP PING attacks. A Snort-IDS model structure analyzes the patterns, synchronizes the protocol, and improves the speed and accuracy of the intrusion detection system in a campus network; ACID (Analysis Center Intrusion Detection) was chosen to display the alarm information [10]. All of the research mentioned can detect Botnets, but none of it improves the Snort-IDS rules.
This section discusses the background of Snort-IDS, the MCFP datasets, and Botnets.
Snort is a widely used network security tool. In 1998 Martin Roesch developed the Snort Intrusion Detection System and Intrusion Prevention System (Snort-IDS/IPS) in the C language as an open-source, lightweight software application. Snort can be installed on numerous operating systems such as Windows and Linux. Snort has real-time alerting and analysis capability for network traffic; alerts can be sent to syslog, to a separate 'alert' file, or to popup windows. Snort is logically divided into multiple components that work step by step to detect particular attacks and to generate output from the detection system in the required format. The components of Snort are the packet decoder, preprocessors, detection engine, logging and alerting system, and output modules [11]. Snort uses rules to alert on network traffic. A Snort-IDS rule has two logical parts, the rule header and the rule options [12], as shown in Figure 1.
Figure 1 Structure of Snort rules.
The rule header. The rule header describes the attributes of a packet and tells Snort what to do when it finds a packet that matches the rule, as shown in Figure 2.
The rule options. The rule options follow the rule header and carry the alert message and information on which part of the packet to inspect.
An example rule is shown in Figure 3. It matches TCP traffic whose source address is any, source port is 21, destination address is 10.199.12.8 and destination port is any, and generates an alert with the message "TCP Packet is detected" and signature id 1000010.
The Malware Capture Facility Project (MCFP) datasets [3, 13] were captured at the CTU University in the Czech Republic. The datasets are large, so they are stored on a server at the university. The goal of the datasets was to obtain a large capture of Botnet traffic mixed with normal traffic and background traffic. There are 13 MCFP datasets in total; this research uses 5 of them.
Figure 2 Structure of Snort rule header.
Figure 3 Snort rule example.
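The header/options split of Figures 1 to 3, as an added example that is not code from the paper or from the Snort project: a small parser that separates a rule into its header fields and its ordered option list (tolerating ';' inside quoted content strings) and flags rules that lack msg, sid or rev. The Figure 3 rule text is reconstructed here from the prose description above and is a constructed sample; the second rule is Table 4, group 1, Rule 2.

```python
"""Parser for the two-part Snort rule layout (rule header + rule options).
Added example, not code from the paper. FIG3_RULE is constructed from the
Figure 3 description; TABLE4_RULE is copied from Table 4 of the paper."""
import re
from dataclasses import dataclass, field

# header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)


@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # ordered (keyword, value) pairs

    def option(self, keyword):
        """First value given for an option keyword (quotes stripped), or None."""
        for key, value in self.options:
            if key == keyword:
                return unquote(value)
        return None


def unquote(value):
    if value and len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def split_options(text):
    """Split 'msg:"a;b"; sid:1; nocase;' into [('msg','"a;b"'), ('sid','1'), ('nocase', None)].
    Tracks double quotes and backslash escapes so a ';' inside a quoted
    content string does not terminate the option."""
    pairs, buf, quoted, i = [], [], False, 0

    def flush():
        item = "".join(buf).strip()
        if item:
            key, _, value = item.partition(":")
            pairs.append((key.strip(), value.strip() or None))
        buf.clear()

    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # keep the escaped character verbatim
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            flush()
        else:
            buf.append(ch)
        i += 1
    flush()
    return pairs


def parse_rule(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    g = m.groupdict()
    return SnortRule(g["action"], g["proto"], g["src"], g["sport"],
                     g["direction"], g["dst"], g["dport"], split_options(g["opts"]))


def lint(rule, required=("msg", "sid", "rev")):
    """Option keywords the rule is missing; Snort identifies an alert by sid/rev."""
    present = {key for key, _ in rule.options}
    return [k for k in required if k not in present]


# Constructed from the Figure 3 description: TCP, any source address, source
# port 21, destination 10.199.12.8, any destination port, sid 1000010.
FIG3_RULE = 'alert tcp any 21 -> 10.199.12.8 any (msg:"TCP Packet is detected"; sid:1000010;)'

# Table 4, group 1, Rule 2, as printed in the paper.
TABLE4_RULE = ('alert tcp any any -> any any (msg:"Neris IRC sent to HTTP"; '
               'flow:to_server,established; content:"7&_salt="; ttl:128; sid:2000366; rev:1;)')

if __name__ == "__main__":
    for text in (FIG3_RULE, TABLE4_RULE):
        r = parse_rule(text)
        print(r.proto, r.src, r.sport, r.direction, r.dst, r.dport,
              "sid=%s msg=%r missing=%s" % (r.option("sid"), r.option("msg"), lint(r)))
```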
Botnets are the technological backbone supporting a myriad of attacks, including identity theft, organizational spying, DDoS, SPAM, and government-sponsored attacks. A Botnet is a network of machines that aims to disseminate malicious code over the Internet without the user's involvement. There are many types of Botnets; some of their serious attacks are as follows.
The proposed system architecture consists of the following parts: the procedure for improving the Snort-IDS rules, Botnet analysis, the improved Snort-IDS rules, and the proposed Snort-IDS rules.
In the Snort rules evaluation procedure, the MCFP datasets are used to test and evaluate detection performance. The datasets were recorded with various amounts of Botnet traffic. In this paper we use the .pcap file type, which contains traffic data such as source and destination address, source and destination port, time to live (TTL), Ack, flags and so on. All of these attributes are very important parameters for analyzing the attack type and improving the Snort-IDS rules, which should increase the precision of the detection rules and decrease false alerts [14], as shown in Figure 4.
The Snort-IDS sensor was installed using Snort version 2.9.2.2 running on the 64-bit Linux CentOS 6.4 operating system. The architecture consists of a MySQL database, an Intel(R) Core(TM)2 Quad 2.66GHz CPU, 4GB DDR RAM, a 250GB HDD and a Marvell 88E8071 Gigabit Ethernet 10/100/1000 BaseT adapter [15].
Figure 4 The overall architecture of the improved Snort-IDS rules procedure.
Botnet analysis is a significant part of the system because it analyzes and converts the traffic data of the network. A Tokens Matching Algorithm is proposed to analyze the data format that is used for creating the new rules.
Figure 5 Flow chart for Botnets analysis.
Table 1 The set of letters, numbers, and symbols for creating the tokens
Tokens | Symbols |
---|---|
<c> | abcdefghijklmnopqrstuvwxyz |
<C> | ABCDEFGHIJKLMNOPQRSTUVWXYZ |
<N> | 0123456789 |
<a> | .,-: |
Note: Table 1 shows the set of letters, numbers, and symbols that are compared with the contents of the traffic data.
Figure 6 Function of creating tokens.
We compare the analytical information of the data packets for each packet connection in the dataset with the attacking events, for example the type of Botnet in the dataset, the capture time, and the number of Botnets captured in the dataset [13].
Below we explain in more detail the Snort-IDS rules that are used for Botnet detection.
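The character classes of Table 1, as an added example that is not the paper's Tokens Matching Algorithm (the text does not give the steps of Figures 5 and 6): each character of a content string is mapped to its Table 1 class, runs are collapsed into a signature, and a payload is searched for fragments with the same signature, which also shows how broad a signature such as that of "mail.com" is. Assumed here: an extra '<?>' class for characters Table 1 does not list, and run collapsing; the Table 4 content strings are from the paper, the HTTP request line is a constructed sample.

```python
"""Token-class signatures built from Table 1. Added example, not the paper's
algorithm. The '<?>' class and the run collapsing are this example's
assumptions; SAMPLE_PAYLOAD is a constructed request line."""
import re

TOKEN_CLASSES = {  # Table 1
    "<c>": "abcdefghijklmnopqrstuvwxyz",
    "<C>": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "<N>": "0123456789",
    "<a>": ".,-:",
}
UNKNOWN = "<?>"  # assumption: any character that Table 1 does not list
CHAR_TO_TOKEN = {ch: tok for tok, chars in TOKEN_CLASSES.items() for ch in chars}


def char_token(ch):
    return CHAR_TO_TOKEN.get(ch, UNKNOWN)


def runs(text):
    """Maximal runs of same-class characters:
    'Neris.exe' -> [('<C>','N'), ('<c>','eris'), ('<a>','.'), ('<c>','exe')]."""
    out = []
    for ch in text:
        tok = char_token(ch)
        if out and out[-1][0] == tok:
            out[-1][1] += ch
        else:
            out.append([tok, ch])
    return [(tok, chunk) for tok, chunk in out]


def signature(text):
    """Run-collapsed token signature, e.g. 'ent-Type' -> '<c><a><C><c>'."""
    return "".join(tok for tok, _ in runs(text))


def parse_signature(sig):
    return re.findall(r"<[^>]+>", sig)


def find_by_signature(payload, sig):
    """All fragments of payload whose run signature equals sig, i.e. the
    fragments that share a content string's character-class shape."""
    want = parse_signature(sig)
    r = runs(payload)
    hits = []
    for i in range(len(r) - len(want) + 1):
        window = r[i:i + len(want)]
        if [tok for tok, _ in window] == want:
            hits.append("".join(chunk for _, chunk in window))
    return hits


def group_by_signature(contents):
    """Content strings sharing one signature: candidates for one generalized
    rule, or for a check that the shape is not too broad to alert on."""
    groups = {}
    for content in contents:
        groups.setdefault(signature(content), []).append(content)
    return groups


# content: values of the six rules in Table 4
TABLE4_CONTENTS = ["ACACACAC", "7&_salt=", "AAC6F603", "FENEBEOC", "ent-Type", "mail.com"]
# constructed sample request line carrying the Table 4 "7&_salt=" fragment
SAMPLE_PAYLOAD = "GET /index.php?id=7&_salt=abc HTTP/1.1"

if __name__ == "__main__":
    for sig, members in group_by_signature(TABLE4_CONTENTS).items():
        print("%-16s %s" % (sig, members))
    print(find_by_signature(SAMPLE_PAYLOAD, signature("7&_salt=")))
    print(find_by_signature(SAMPLE_PAYLOAD, signature("mail.com")))
```

The last call shows that "mail.com" reduces to the shape "<c><a><c>", which also matches "index.php": a signature alone is too broad to alert on, and the literal content match of the Snort rule is still needed.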
In this section we present the experimental evaluation of the Snort-IDS rules to compare their detection performance. The evaluation consists of two procedures: the evaluation of the Snort-IDS rules procedure and the detection accuracy comparison of the Snort-IDS rules.
Table 2 Data dictionary
Figure 7 Comparing with data dictionary function.
The MCFP dataset used to evaluate the intrusion detection performance was collected by S. García [3] and is stored in various file formats. The datasets contain Background files, Normal files and Botnet files. In this paper we choose the .pcap files, which hold the Botnet attacks. Snort version 2.9.2.2 running on Linux CentOS is used [14]. To run the experiments, the snort.conf file must be modified to conform to the dataset. We also use a MySQL database to store the alert data.
Figure 8 shows the Snort testing procedure. We run the command snort -N -r botnet-capture-20110810-neris.pcap -c /etc/snort/snort.conf to direct Snort-IDS to process the dataset file [14]. The -N option makes sure that Snort does not log each packet to the terminal, -r names the .pcap file that must be loaded, and -c specifies where the configuration file is located. When Snort-IDS detects a traffic packet that matches a Snort rule, the system generates an alert and records it in the database.
The performance evaluation of the Botnets_attack_1.rules, Botnets_attack_2.rules, and Botnets_attack_3.rules files shows that they detect many Botnets, such as Neris-IRC, IRC used to send spam, Blacklisted malware, generic IRC Botnet connection attempts, and malicious URIs. The numbers of alerts are shown in Table 3, Table 4 and Table 5.
Figure 8 Evaluation of the Snort-IDS rules procedure.
Table 3 Number of Snort-IDS rules
No. | Type of Botnets Rules Files | Number of Rules |
---|---|---|
1 | Botnets_attack_1.rules | 389 |
2 | Botnets_attack_2.rules | 286 |
3 | Botnets_attack_3.rules | 273 |
Note: After improving the Snort-IDS rules, all rules are saved in text file format. Since there are numerous ways of detecting Botnets, we categorize the Botnet detection rules into 3 groups as shown in Table 3.
Table 4 Some example proposed Snort-IDS rules
| No. | Snort-IDS rule |
|---|---|
| 1 | Rule 1: `alert tcp any any -> any any (msg:"Possible_NBSS Neris.exe SENT TO BROWSER"; flow:to_server,established; content:"ACACACAC"; ttl:128; sid:2000341; rev:1;)` |
| 1 | Rule 2: `alert tcp any any -> any any (msg:"Neris IRC sent to HTTP"; flow:to_server,established; content:"7&_salt="; ttl:128; sid:2000366; rev:1;)` |
| 2 | Rule 1: `alert tcp any any -> any any (msg:"TROJAN Possible IRCBot.DDOS Common Commands"; flow:to_server,established; content:"AAC6F603"; ttl:128; sid:1000255; rev:7;)` |
| 2 | Rule 2: `alert udp any any -> any any (msg:"IRC-bot sent spam BROWSER"; flow:to_server,established; content:"FENEBEOC"; ttl:128; sid:1000199; rev:1;)` |
| 3 | Rule 1: `alert tcp any any -> any any (msg:"Win32.Domsingx.A contact to C&C server_attempt"; flow:to_server,established; content:"ent-Type"; ttl:128; sid:4000309; rev:2;)` |
| 3 | Rule 2: `alert tcp any any -> any any (msg:"BLACKLIST DNS request for known malware/domain/sxzyong.com"; flow:to_server,established; content:"mail.com"; fast_pattern:only; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/filescan/report.html?id=a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137-1304614426; classtype:trojan-activity; ttl:128; sid:3000230; rev:2;)` |
Note: Some examples of the Snort-IDS rules are shown in Table 4. In No. 1, Rule 1, we improved the rule called "Neris.exe attacks", which lets Snort-IDS alert when an attacker scans a computer on the web through an Internet network connection that is open on any port. In Rule 2 we improved "Neris-IRC", which alerts on the Internet connection when the attacker sends to a website.
In No. 2, Rule 1, we improved the rule called "TROJAN-IRC", which lets Snort-IDS alert when the attacker sends commands to the computer. In Rule 2 we improved "IRCBot", which lets Snort-IDS alert when the attacker sends spam to the browser in UDP protocol packets that are open on any port and have a time to live (TTL) of 128.
In No. 3, Rule 1, we improved the alert on TCP protocol packets when the attacker sends "Win32" to the C&C server, on any port, any source address and any destination port. In Rule 2 we improved the attack detection rule for "Botnet BLACKLIST Malware", which is newly added to the dataset: the attacker uses a BLACKLIST DNS request for the known malware domain sxzyong.com.
Table 5 The performance evaluation of the Botnets_attack_1.rules file
| No. | Dataset | Botnets | Number of Alerts | Total Detected Number |
|---|---|---|---|---|
| 1 | CTU-Malware-Capture-Botnet-42 | IRC_SPAM | 192202 | |
| | | C&C_Botnet | 2279 | |
| | | Possible_NBSS Neris.exe | 9324 | |
| | | Neris_IRC sent to HTTP Attacks | 92162 | |
| | | BLACKLIST DNS | 747 | 296714 |
| 2 | CTU-Malware-Capture-Botnet-43 | Possible_NBSS Neris.exe | 112679 | |
| | | C&C_Botnet | 1403 | |
| | | IRC_SPAM | 5817 | |
| | | Neris_IRC sent to HTTP | 51402 | |
| | | BLACKLIST DNS | 72 | 171373 |
| 3 | CTU-Malware-Capture-Botnet-47 | BLACKLIST DNS | 23430 | |
| | | Spyeye bot contact to C&C server | 44 | |
| | | possible_SPAM | 310 | |
| | | Neris | 98 | |
| | | C&C_Botnet | 226 | 24108 |
| 4 | CTU-Malware-Capture-Botnet-49 | C&C_Botnet | 79006 | |
| | | Virut DNS request for C&C attempt | 4034 | |
| | | Neris_IRC sent to HTTP | 188 | 83235 |
| 5 | CTU-Malware-Capture-Botnet-50 | IRC_SPAM | 102081 | |
| | | Neris | 131273 | |
| | | C&C_Botnet | 291 | 233645 |
| Total | | | | 809075 |
Note: The performance evaluation in Table 5 shows very efficient Botnet detection. The Botnets_attack_1.rules file covers Botnet event types such as IRC-bot, BLACKLIST, SPAM, and NBSS Neris. The number of detections may not be enough, but the rule file helps administrators understand how Botnets attack.
The procedure for comparing the accuracy of the Snort-IDS rules for Botnet detection compares the alert information from the database with the actual intrusion events. This information is available in the Detection Scoring Truth, for which we use the number of Botnets in the MCFP datasets and the Botnets that raised alerts in our three rule files (Botnets_attack_1.rules, Botnets_attack_2.rules, Botnets_attack_3.rules). The information is compared with the experimental information to find the most accurate rule file. We do not resolve the alerts in this section; more detail is shown in Figure 9.
Figure 9 The procedure of comparison from alert.
Table 6 The performance evaluation of the Botnets_attack_2.rules file
| No. | Dataset | Botnets | Number of Alerts | Total Detected Number |
|---|---|---|---|---|
| 1 | CTU-Malware-Capture-Botnet-42 | Ozdok botnet communication C&C server | 170 | |
| | | IRC_Bot | 84 | |
| | | BLACKLIST DNS | 29 | |
| | | Possible IRC-bot-Sent Spam | 145427 | |
| | | Neris | 165674 | 311384 |
| 2 | CTU-Malware-Capture-Botnet-43 | Neris Botnet | 74710 | |
| | | IRC-bot sent spam BROWSER | 94693 | |
| | | Botnets attack Chinese_C&C_hosts on http | 123 | 169526 |
| 3 | CTU-Malware-Capture-Botnet-47 | BLACKLIST USER-AGENT | 1522 | |
| | | Spyeye bot contact to C&C server attempt | 9266 | |
| | | C&C_Botnets | 13589 | |
| | | IRC sent_spam | 145 | 24522 |
| 4 | CTU-Malware-Capture-Botnet-49 | Gozi Trojan connection to C&C | 21260 | |
| | | IRC_Botnet | 650 | |
| | | Virut DNS request for C&C attempt | 62512 | |
| | | Neris | 718 | 85140 |
| 5 | CTU-Malware-Capture-Botnet-50 | Spyeye bot contact to C&C server attempt | 423 | |
| | | Neris | 245079 | |
| | | BLACKLIST DNS | 36 | |
| | | IRC-bot sent spam BROWSER | 81 | 245619 |
| Total | | | | 836191 |
Note: The performance evaluation in Table 6 shows that this rule file has high accuracy for Botnet attacks. All of the viruses detected are the most serious attacks on the network system, and the attacks are developing rapidly. This rule file is the best tool to help administrators.
Performance evaluation of fallibility. The fallibility is the abnormal traffic that is incorrectly detected as normal traffic instead of as Botnet traffic. A lower value indicates better performance, as shown in the equations of [12].
Table 7 The performance evaluation of the Botnets_attack_3.rules file
| No. | Dataset | Botnets | Number of Alerts | Total Detected Number |
|---|---|---|---|---|
| 1 | CTU-Malware-Capture-Botnet-42 | Neris_Botnet sent to HTTP | 308087 | |
| | | C&C_Botnets | 159 | |
| | | IRC sent spam | 9841 | 318087 |
| 2 | CTU-Malware-Capture-Botnet-43 | Ozdok botnet communication with C&C server attempt | 347 | |
| | | Neris | 169987 | 170334 |
| 3 | CTU-Malware-Capture-Botnet-47 | Spyeye bot contact to C&C server attempt | 4189 | |
| | | C&C_Botnets | 13569 | |
| | | BLACKLIST USER-AGENT | 250 | |
| | | Win32.Domsingx.A contact to C&C | 6181 | 24189 |
| 4 | CTU-Malware-Capture-Botnet-49 | Koobface worm submission of collected data to C&C … | 5874 | |
| | | Botnets attack Chinese_C&C_hosts on http | 66169 | |
| | | Neris | 23 | 72220 |
| 5 | CTU-Malware-Capture-Botnet-50 | Neris_Botnet sent to HTTP | 227767 | |
| | | BLACKLIST DNS | 35 | |
| | | IRC sent spam to HTTP | 9875 | |
| | | TT-bot botnet contact to C&C server | 204 | 237881 |
| Total | | | | 822711 |
Note: The performance evaluation in Table 7 is for the last of the rule files for Botnet detection. Botnets_attack_3.rules includes the Botnet attack types and has effective detection. This rule file contains knowledge of the attacks from the attacker and can answer every question about the intrusion.
Table 8 Summary of Botnets detection of three files of rule
No. | Botnets Rules | Number of Botnets Detection |
---|---|---|
1 | Botnets_attack_1.rules | 809075 |
2 | Botnets_attack_2.rules | 836191 |
3 | Botnets_attack_3.rules | 822711 |
Note: The performance evaluation in Table 8 shows that each rule file detects efficiently. The Botnets_attack_2.rules file detects more Botnets than the other rule files; however, every rule file is important for Botnet detection.
Table 9 Efficiency of detection and fallibility performance of Botnets_attack_1.rules
No. | Datasets | Total Botnets of Datasets | Detected Number | Fallibility (%) | Efficiency of Detection (%) |
---|---|---|---|---|---|
1 | CTU-Malware-Capture-Botnet-42 | 323154 | 296714 | 7.56 | 92.43 |
2 | CTU-Malware-Capture-Botnet-43 | 176064 | 171373 | 2.66 | 97.33 |
3 | CTU-Malware-Capture-Botnet-47 | 24764 | 24108 | 2.64 | 97.35 |
4 | CTU-Malware-Capture-Botnet-49 | 85735 | 83235 | 2.91 | 97.08 |
5 | CTU-Malware-Capture-Botnet-50 | 259949 | 233645 | 10.11 | 89.88 |
Note: Table 9 gives the efficiency of detection and the fallibility for each dataset using the Botnets_attack_1.rules file. The Botnet detection values differ across datasets: CTU-Malware-Capture-Botnet-47 reaches 97.35% detection, the highest efficiency for Botnet detection, with a fallibility of 2.64%. On the other hand, CTU-Malware-Capture-Botnet-50 reaches 89.88%, the lowest efficiency for this rule file.
Table 10 Efficiency of detection and fallibility performance of Botnets_attack_2.rules
No. | Datasets | Total Botnets of Datasets | Detected Number | Fallibility (%) | Efficiency of Detection (%) |
---|---|---|---|---|---|
1 | CTU-Malware-Capture-Botnet-42 | 323154 | 311384 | 3.64 | 96.35 |
2 | CTU-Malware-Capture-Botnet-43 | 176064 | 169526 | 3.71 | 96.28 |
3 | CTU-Malware-Capture-Botnet-47 | 24764 | 24522 | 0.97 | 99.02 |
4 | CTU-Malware-Capture-Botnet-49 | 85735 | 85140 | 0.69 | 99.30 |
5 | CTU-Malware-Capture-Botnet-50 | 259949 | 245619 | 5.51 | 94.48 |
Note: Table 10 shows the efficiency of detection and the fallibility of the Botnets_attack_2.rules file, with high and low values across the datasets. CTU-Malware-Capture-Botnet-49 has the highest Botnet detection, with an efficiency of detection of 99.30%, and it also has the lowest fallibility.
Performance evaluation of efficiency of detection. The efficiency of detection indicates the ability of the system to detect all of the required data: a higher value means the system is effective in detection, while a lower value means the system is weak in detection, as shown in the equations of [12].
Table 11 Efficiency of detection and fallibility performance of Botnets_attack_3.rules
No. | Datasets | Total Botnets of Datasets | Detected Number | Fallibility (%) | Efficiency of Detection (%) |
---|---|---|---|---|---|
1 | CTU-Malware-Capture-Botnet-42 | 323154 | 318087 | 1.56 | 98.43 |
2 | CTU-Malware-Capture-Botnet-43 | 176064 | 170334 | 3.25 | 96.74 |
3 | CTU-Malware-Capture-Botnet-47 | 24764 | 24189 | 2.32 | 97.71 |
4 | CTU-Malware-Capture-Botnet-49 | 85735 | 72220 | 15.76 | 84.23 |
5 | CTU-Malware-Capture-Botnet-50 | 259949 | 237881 | 8.48 | 91.51 |
Note: Table 11 shows the efficiency of detection and the fallibility of the Botnets_attack_3.rules file, which has fewer rules (273) than the other rule files. Botnets_attack_3.rules responds to the datasets reasonably well, and CTU-Malware-Capture-Botnet-42 compensates well: it reaches an efficiency of detection of 98.43% with a fallibility of 1.56%.
Table 12 Summary for efficiency of detection and fallibility performance comparison
No. | Rule Files | Total of Fallibility (%) | Total Efficiency of Detection (%) |
---|---|---|---|
1 | Botnets_attack_1.rules | 5.17 | 94.812 |
2 | Botnets_attack_2.rules | 2.90 | 97.813 |
3 | Botnets_attack_3.rules | 6.27 | 93.72 |
Note: Comparing the efficiency of detection and the fallibility in Table 12, we observe that the three rule files differ in their efficiency for Botnet detection. The Botnets_attack_2.rules file has the highest efficiency of detection, 97.81%, and the lowest fallibility, 2.90%. On the other hand, the Botnets_attack_3.rules file has the lowest efficiency of detection, 93.72%, and a fallibility of 6.27%. Although the three rule files differ in efficiency of detection and fallibility, all of them help administrators against attackers.
where TP (True Positive) is a correctly identified Botnet detection, TN (True Negative) is an incorrectly identified Botnet detection, FP (False Positive) is a correctly rejected Botnet detection, and FN (False Negative) is an incorrectly rejected Botnet detection.
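The fallibility and efficiency-of-detection measures described above, worked through on the Table 10 figures as an added example (not the paper's code; the paper cites [12] for the equations without printing them). Assumed here: efficiency = detected / total Botnets and fallibility = missed / total, as percentages truncated to two decimals, with the summary taken as the unweighted mean of the five per-dataset values; under that reading every Table 10 entry and the 2.90% fallibility of Table 12 are reproduced, while the pooled ratio over all packets, computed alongside as a caveat, comes out lower because the large captures dominate it.

```python
"""Detection metrics for Tables 9 to 12. Added example; the formulas are this
example's assumption (see the lead-in), not the paper's printed equations."""

# Table 10: (dataset, total Botnets in the dataset, number detected by Botnets_attack_2.rules)
TABLE10 = [
    ("CTU-Malware-Capture-Botnet-42", 323154, 311384),
    ("CTU-Malware-Capture-Botnet-43", 176064, 169526),
    ("CTU-Malware-Capture-Botnet-47", 24764, 24522),
    ("CTU-Malware-Capture-Botnet-49", 85735, 85140),
    ("CTU-Malware-Capture-Botnet-50", 259949, 245619),
]


def pct_truncated(numerator, denominator):
    """numerator/denominator as a percentage truncated (not rounded) to two
    decimals. Integer arithmetic avoids float drift at the second decimal."""
    if denominator <= 0:
        raise ValueError("denominator must be positive")
    hundredths = (10000 * numerator) // denominator
    return hundredths / 100


def efficiency(total, detected):
    """Share of the dataset's Botnet traffic that raised an alert (assumed formula)."""
    return pct_truncated(detected, total)


def fallibility(total, detected):
    """Share of Botnet traffic that was missed, i.e. treated as normal (assumed formula)."""
    return pct_truncated(total - detected, total)


def per_dataset(rows):
    return [(name, efficiency(t, d), fallibility(t, d)) for name, t, d in rows]


def mean_truncated(values):
    hundredths = sum(int(round(v * 100)) for v in values) // len(values)
    return hundredths / 100


def summary_mean(rows):
    """Unweighted mean across datasets (the reading that reproduces Table 12's fallibility)."""
    stats = per_dataset(rows)
    return (mean_truncated([e for _, e, _ in stats]),
            mean_truncated([f for _, _, f in stats]))


def summary_pooled(rows):
    """Ratio over all Botnet packets of all datasets; weights the big captures more."""
    total = sum(t for _, t, _ in rows)
    detected = sum(d for _, _, d in rows)
    return efficiency(total, detected), fallibility(total, detected)


if __name__ == "__main__":
    for name, e, f in per_dataset(TABLE10):
        print("%-32s efficiency %6.2f%%  fallibility %5.2f%%" % (name, e, f))
    print("mean   :", summary_mean(TABLE10))
    print("pooled :", summary_pooled(TABLE10))
```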
Snort-IDS is an effective intrusion detection system and a network security tool that can monitor abnormal behavior. In this paper we improved the Snort-IDS rules for Botnet detection and analyzed Botnet behaviors in three rule files. We evaluated them with the MCFP dataset, using five of its captures: CTU-Malware-Capture-Botnet-42, CTU-Malware-Capture-Botnet-43, CTU-Malware-Capture-Botnet-47, CTU-Malware-Capture-Botnet-49, and CTU-Malware-Capture-Botnet-50. The performance of Botnet detection, the efficiency of detection, and the fallibility of the three rule files were evaluated by detecting each packet. The experimental results show that the Botnets_attack_1.rules file detects up to 809075 alerts, with an efficiency of detection of 94.81% and a fallibility of 5.17%. The Botnets_attack_2.rules file detects up to 836191 alerts, with an efficiency of detection of 97.81% and a fallibility of 2.90%. The Botnets_attack_3.rules file detects 822711 alerts, with an efficiency of detection of 93.72% and a fallibility of 6.27%. The Botnets_attack_2.rules file is therefore the most proficient for Botnet detection, because it has the highest efficiency of detection and the lowest fallibility. This work can help administrators secure the network quickly; they must also update the Snort-IDS rules regularly, because attackers can find a way to attack the system at any time. In future work we will look for new intrusion detection techniques and use data mining tools to detect more Botnets.
[1] Konhiatou, C.Y., Kittitornkun, S., Kikuchi, H., Sisaat, K., Terada, M., and Ishii, H. (2013). “Clustering Top-10 Malware/Bots based on Download Behavior,” In 2013 International Conference On Information Technology and Electrical Engineering (ICITEE), Yogyakarta, 62–67.
[2] Ramsbrock, D., and Wang, X. (2013). The Botnet Problem, Chap. 12. Available at: http://www.sciencedirect.com/science/article/pii/B978012394397200012X
[3] García, S., Grill, M., Stiborek, J., and Zunino A. (2014). An Empirical Comparison of Botnet Detection Methods. Comput Security, 45, 100–123.
[4] Sathish, V., and Khader, P. S. A. (2014). Deployment of proposed bot-nets monitoring platform using online malware analysis for distributed environment. Indian J. Sci. Technol. 7, 1087–1093.
[5] Awadi, A. H. R. A. and Belaton, B. (2013). Multi-phase IRC botnet and botnet behavior detection model. Int. J. Comput. Appl. 66, 41–51.
[6] Li, W. M., Xie, S. L., Luo, J., and Zhu, X. D. (2013). A detection method for botnet based on behavior features. Adv. Mater. Res. 765–767.
[7] Shah, S. N. and Singh, M. P. (2012). Signature-based network intrusion detection system using SNORT and WINPCAP. Int. J. Eng. Res. Technol. 1, 1–7.
[8] Geng, X., Liu, B., and Huang, X. (2009). “Investigation on security system for snort-based campus network,” in Proceedings of the 1st International Conference on Information Science and Engineering (ICISE), Nanjing University of Science and Technology, Nanjing, China, 1756–1758.
[9] Rani, S., and Singh, V. (2012). SNORT: an open source network security tool for intrusion detection in campus network environment. Int. J. Comput. Technol. Electron. Eng. 2, 137–142.
[10] Huang, C., Xiong, J., and Peng, Z. (2012). “Applied research on snort intrusion detection model in the campus network,” in IEEE Symposium on Robotics and Applications (ISRA).
[11] Roesch, M. (1999). “Snort – Lightweight Intrusion Detection for Networks,” in Systems Administration Conference, Washington, USA, 229–238.
[12] Khamphakdee, N., Benjamas, N., and Saiyod, S. (2015). Improving Intrusion Detection System based on Snort Rules for Network Probe Attacks Detection With Association Rules Technique of Data Mining. J. ICT Res. Appl. 8, 234–250.
[13] http://mcfp.weebly.com/mcfp-dataset.html [Accessed May 2015].
[14] Khamphakdee, N., Benjamas, N., and Saiyod, S. (2014). “Improving Intrusion Detection System based on Snort Rules for Network Probe Attack Detection,” in International Conference on Information and Communication Technology (Icoict), Bandung, 69–74.
[15] Chanthakoummane, Y., Saiyod, S., and Khamphakdee, N. (2015). “Evaluation Snort-IDS Rules for Botnets Detection,” in National Conference on Information Technology.
S. Saiyod received the B.Sc. degree in Computer Science from Mahasarakham University in 2000, the M.Eng. degree in Computer Engineering in 2005 and the D.Eng. degree in 2011 from King Mongkut’s Institute of Technology Ladkrabang, Thailand. His current interests are in the areas of performance evaluation of communication networks, digital signal processing, and mobile communication.
Y. Chanthakoummane received his B.Eng. degree in Computer Engineering from National University of The Laos PDR in 2009. He is a master’s student at the Department of Computer Science, Faculty of Science, Khon Kaen University, Thailand.
N. Benjamas received her B.Sc. degree in Computer Science at the Department of Computer Science, Faculty of Science, Khon Kaen University in 2000 and M.Sc. degree in Computer Science in 2005 and D.Eng. degree in Computer Engineering in 2012 from Kasetsart University, Thailand. Her current interests are big data analytics, data mining and knowledge discovery, parallel computing, distributed computing, high performance computing (HPC), and cloud computing.
N. Khamphakdee received his B.Sc. degree in Computer Science from Udon Thani Rajabhat University in 2005 and his M.Sc. degree in Computer Science in 2015 from Khon Kaen University. He is a Ph.D. student in Computer Science at the Department of Computer Science, Faculty of Science, Khon Kaen University. His current interests are in the areas of data mining, big data, and network security.
J. Chaichawananit received his B.Sc. degree in Computer Science from Khon Kaen University, Thailand in 2014. He is a master’s student at the Department of Computer Science, Faculty of Science, Khon Kaen University, Thailand.
Journal of Software Networking, 191–212.
doi: 10.13052/jsn2445-9739.2016.011
© 2016 River Publishers. All rights reserved.