Botnet Detection System Analysis on the Effect of Botnet Evolution and Feature Representation
2015
Botnets are known as one of the main destructive threats that have been active since 2003 in various forms. The ability to upgrade the structure and algorithms on the fly is part of what has allowed botnets to survive for more than a decade. Hence, one of the main concerns in designing a botnet detection system is how long such a system can remain effective and useful given the evolution of a given botnet. Furthermore, the data representation and the feature extraction components have always been an important issue in designing a robust detection system. In this work, we employ machine learning algorithms (genetic programming and decision trees) to explore two questions: (i) How can the representation of non-numeric features affect the detection system's performance? and (ii) How long can a machine learning based detection system perform effectively? To this end, we gathered seven Zeus botnet data sets over a period of four years and analyzed three different data representation techniques to explore the aforementioned questions.