Botnets are the most deadly threat in the network due to the capability of exploiting resources within a network as an army to launch huge attacks such as Denial-Distributed-of-Service (DDOS) or spam emails. Network Intrusion Detection System (NIDS) that designed based on the behavior of botnets in network traffic is seen as the promising technique in detecting botnets that are hiding by using encryption technique or any hiding techniques. This paper proposes on K-means clustering algorithm as the first phase of botnet’s behaviour detection model that extracts data from network traffic. The criterion highlighted for our behaviour detection model is that it should be able to detect botnet in encrypted packets(hiding techniques), structure-independent (centralized and peer-to-peer), requiring minimal computing resources and minimal time processing. Other than that, by representing the real-time of network traffics, the detection model also must be resistant to noise and able to identify the anomaly of botnets behavior among a huge number of normal traffic. We are using the botnet benchmark dataset and normal traffic from Malware Capture Facility Project and comparing our proposed method using K-means algorithm with Expectation Maximization algorithm that proposed by the previous researcher in clustering the similar pattern of botnet behavior. The result shows that the K-means algorithm producing much higher accuracy, 94% and lower false negative rate, 0.1413. While, average accuracy for Expectation Maximization algorithm is 88% and False Negative Rate, 0.2245 with the insertion of uncertain data from real network traffic.
IOS Press, Inc.
6751 Tepper Drive
Clifton, VA 20124
Tel.: +1 703 830 6300
Fax: +1 703 830 2300 firstname.lastname@example.org
(Corporate matters and books only) IOS Press c/o Accucoms US, Inc.
For North America Sales and Customer Service
West Point Commons
Lansdale PA 19446
Tel.: +1 866 855 8967
Fax: +1 215 660 5042 email@example.com