Botnet detection based on network flow analysis using inverse statistics

2022 17th Iberian Conference on Information Systems and Technologies (CISTI) (2022)

Abstract
A botnet is a network of infected computers remotely controlled by a cybercriminal, called the botmaster, who aims to carry out massive cyberattacks such as DDoS, spam, and information theft. Traditional botnet detection methods, which are usually signature-based, are unable to detect unknown botnets. Behavior-based analysis is promising for detecting current botnet trends, which are constantly evolving. This article proposes an exploratory analysis of botnet detection mechanisms based on network flow behavior. The main technique used to detect botnets, the recently developed Energy-based Flow Classifier (EFC), uses inverse statistics to detect anomalies. Two heterogeneous datasets, CTU-13 and ISOT HTTP, were used to evaluate the efficiency of the generated model, and the results were compared with several traditional one-class and two-class classifiers. The results show that EFC produced more stable results regardless of the domain, unlike the other tested algorithms.
Keywords
botnet, network flow, anomaly detection, inverse statistics