Exposure of Botnets in Cloud Environment by Expending Trust Model with CANFES Classification Approach

Abstract

Many cloud service providers offer access to versatile, dependable processing assets following a compensation as-you-go display. Investigation into the security of the cloud focusses basically on shielding genuine clients of cloud administrations from assaults by outer, vindictive clients. Little consideration is given to restrict malicious clients from utilizing the cloud to dispatch assaults, for example, those as of now done by botnets. These assaults incorporate propelling a DDoS attack, sending spam and executing click extortion. Bots’ detection in the cloud environment is a complex process. The purpose of this study was to create a multi-layered architecture that could detect a variety of existing and emerging botnets. The goal is to be able to detect a larger range of bots and botnets by relying on several techniques called trust model. On this work, the port access verification in trust model is achieved by a Heuristic factorizing algorithm which verifies the port accessibility between client-end-user and client server. Further, back-off features are extracted from the particular node and all these structures are trained and categorized with a Co-Active Neuro Fuzzy Expert System (CANFES) classifier. The performance of the proposed bot detection system in the internet environment is analyzed latency, detection rate, packet delivery ration, energy availability and precision.

1. Introduction

Botnets remain one of the most serious cyber security threats. This study aims to detect botnet traffic in an abstracted virtualized architecture, such as that employed by cloud service providers. Cloud computing offers enormous advantages such as cost reduction, dynamic virtualized resources, significant data storage and enhanced productivity [1]. At the same time, numerous risks occur regarding security and intrusions, for example, botnet can intercept cloud computing services, impair service, application or virtual in the cloud formation. Botnet attacks are now more complex [2] and resourceful making intruders more difficult to detect than previously. The motivation of this research is founded on ramifications presented by the botnets. This research work presents different intrusion detection systems affecting cloud resources and service. This work proposes trust model to distinguish the botnets in cloud atmosphere. The security of the network is quite complicated when the size of the network grows rapidly. The structure of the botnet system consists of a number of bots, botmaster and node or personal computer. The bot master installed the botnet malware programs on a personal computer and it becomes a bot or zombie [3]. It means that its functions are controlled by a remote bot master. Figure 1. shows the life cycle of the botnet in internet environment. The bots are infected nodes or computers which are indirectly controlled by botmaster.

The cloud computing has more security issues [4], it is a way to use the Internet in the daily life of a single machine or single room, using all the tools installed on computers. It is also the ability to use shared computing resources with local servers handling applications. Cloud computing users do not worry about the location and the storage of their data. Figure 2 shows the zombie attack pattern that moves to virtual instances in the cloud environment. The generated detectors are given a learning technique to build malicious code patterns inside the virtualized environment. If an unusual malicious activity pattern is detected it will be filtered, then reported as non-self. The c represents malicious code movement at the nodes pattern in botnet spread.

Section 2 describes the various conventional botnet detection methodologies and Section 3 recommends an innovative methodology for botnet recognition system. Section 4 illustrates the investigational results and its discussion with conventional methods and finally, Section 5 concludes this paper.

2. Related Work

Conventional botnet detection techniques are categorized into two main groups given as Honey nets Based Detection Technique and Intrusion Detection System. Various research deals with the cyber-security to detect botnet attacks and in the prevention of cloud servers. Various botnet detection research has been carried out, and attackers have created their own strategies in emerging bots and botnet attacks. So, more study is needed to increase data security in internet-based usage. Botnet detection is the most important task to improve the cyber-security against various cyber-attacks occurs in internet nowadays. According to the previous research, botnet detection techniques can be classified into two categories honeynets detection view and intrusion detection view. The intrusion detection system is further divided into sub-categories into signature based and anomaly based and is described below.

2.1. Honeynets & Honeypots Based Detection System

The term honeynets and honeypots [5] denote the end-user devices. A honeynet is a decoy network that contains one or more honeypots. This end user PC’s lay way to collect critical information about the cyber-attacks and threats. The end user PC is very easy for botmaster to attack and compromise, because it’s very vulnerable to malicious attacks. The cyber-security group will be able to make good detection practices under the collected data about the botnet attacks through these honey nets. According to the previous research the botnet change their signature from time-to-time because of the safety purpose and honey nets are important for understanding these botnet properties. In the honey net’s detection technique, honey wall is very important, which is used for monitoring, collecting, modifying and controlling communication over the honey pots.

2.2. Intrusion Detection System (IDS)

An intrusion detection system was using for monitoring the traffic flow for the malicious activities of a network. During the traffic monitoring, if any malicious attack was detected, it directly informed the administrator of the system about the attack. IDSs have the capability to take action against such malicious activities and to block the traffic coming from the virus infected system. There were two types of intrusion detection systems, one was signature based and the other was anomaly based.

2.2.1. Signature Based Detection

A prominent security mechanism is communication signature detection, which detects bot activity based on predetermined patterns and signatures acquired from well-known bots [6]. The foremost advantage of this detection technique was that signatures in this method were so simple to develop and realize. The Botmaster changes the signatures of every attack gradually to make a botnet attack more secure from the bot infected machines [6,7].

2.2.2. Anomaly Based Detection

This technique focuses on the idea of criterion for network performance. The anomaly-based botnet detection technique can accept only that network activities or traffic which was specified by the administrators. In this technique, the rule should be defined in advance for each protocol, and each should be tested for accuracy. It detects those events which were not related to the feed or accepted model of performance. The anomaly-based detection technique has also some disadvantages, mainly the complexity of rules such that for different protocols, different rules are defined. The anomaly-based technique also has some limitations about the time and monitoring the bot infected the machines [8,9]. This technique can be further categorized into network and host-based detection techniques.

BotHunter, a method for botnet detection, which entails correlating alarms from different network intrusion detection system (NIDS) elements which reside at the egress boundary and BotMiner a botnet detection method which clusters: communications traffic (C-Plane), which identifies which hosts are talking to which other hosts, and activity traffic [9].

Stinson & Mitchell [10] proposed a technique called botSwat that characterized the remote behavior of bots via the identification of selected system call arguments containing data received over the network. The Garlic architecture, which was a distributed botnet suppression system which suppresses the botnets in clouds, was proposed by Han [11]. Based on an overlay network, the Collaborative Network Security System is designed Han [12,13] which automatically collected in a dispersed mode, the security center collects network traffic from each collaborating UTM (Unified threat management) and then processes it. Domain name Generation Algorithm [14] for the detection and mitigation of Zeus and Conficker botnets in a wide range of collaborative network. The authors extracted various traffic features from each node in the network and these traffic features were given to the classifier. The authors applied different machine learning algorithms on the detection process of botnets and the methodology achieved 98.5% of the average detection accuracy and a 1.2% false-positive rate. The Intrusion Detection System [15,16] was proposed for botnet classifications. The proposed system in this paper monitored the network traffic against vulnerabilities with respect to various attacks. The authors used deep neural networks for botnet detection and classifications and also the authors achieved 99% overall botnet detection accuracy for their system.

The following points are experimental from the conventional approaches:

• Most of the conventional methods consume high latency to detect bots in cloud environment.
• Low detection rate for bots’ detection when the number of bots increases.

This paper proposes trust model with CANFES classifier-based bots detection methodology in cloud environment in order to eliminate the limitations of the conventional bot detection systems.

3. Proposed Method

Botnets are important threats in cloud computing environment and its detection procedure is having high complexity due to the tractability in cloud area. In this paper, a trust model is developed to detect bots in cloud environment. Generally, cloud computing environment constitutes of client server, cloud server and interfacing medium. The client server has lot of client-end-users which is responsible for forming queue between multiple client-end-users based on their request. Cloud server is located in cloud environment which receives the requests from client server and grants their requests based on their trust ability. It also constitutes for a lot of cloud service providers, which provides uninterrupted service to the client-end-users to access cloud environment. Interfacing medium is the interfacing task between client server and cloud server. There may be ahigh possibility for bot attacks in client-end-user and client server. This paper provides the methodology to detect the bots in client servers, so that, the performance of the cloud environment would not be affected.

The client-end-user, who wishes to access the cloud, generates a service-request to client server. The client server receives the client’s service-request and checks the availability of channels in interfacing medium. This paper proposes a trust model in client server and cloud server which uses soft computing approach to detect the presence of bots as client-end-user.

Figure 3 demonstrate the architectural illustration of the proposed botnet recognition system using CANFES classifier. The trust model has three components:

• Port Access Verification
• Back-off trust features
• Classifications

3.1. Heuristic Factorizing Algorithm

The port access verification in trust model is achieved by Heuristic factorizing algorithm which verifies the port accessibility between client-end-user and client server. The procedure for the Heuristic factorizing procedure is defined in the following section as:

Step 1: Determine the Heuristic Index (HI) of the port which generates service-request to the client server. The heuristic index is computed using individual weight of the ports for each client-end-user. It is given as:

$$H{I}_1={\displaystyle \sum }_{i=1}^N{w}_i\times \left(1-di{n}_i\right)$$

(1)

where w_i is the weight of the individual port for each individual client-end-user and din_i is the number of service request bits in an individual packet i.

The weight of the individual port for the individual client-end-user is computed based on the following equation as:

$$w_i=\frac{\alpha +1}{\sqrt{R^2-1}}$$

(2)

where α is the quantity of packets acknowledged correctly at an individual port and R is the quantity of packets wrongly received at an individual port in client-end-server architecture.

Step 2: Determine the rational factor (r_i) of the individual port in firewall as:

$$r_i=\frac{{{\displaystyle \sum }}_{i=1}^N{E}_i\times {\left(SA\right)}_{packeti}+{\left(DA\right)}_{packeti}}{N}$$

(3)

where Ei is the energy of the individual port; SA: Source Address; DA: Destination; Address; N: Total number of individual ports and it depends on type of client-end-user.

The rational factor determines the originality of the source and destination address, and it is correlated to the number of ports in firewall system. In this paper, the length or size of the source and destination address is 10 bits long and the data length is 16 bits long. The concert of the projected firewall system is high when the value of rational factor is high, and the concert of the projected firewall system is low when the value of rational factor is low.

Step 3: Determine the connectivity factor of the individual port using the following equation as:

$$C_i=\frac{E_i}{r_i}\times \sqrt{\frac{\left(E_i-1\right)\times \left(r_i-1\right)}{N}}; i=1 to N$$

(4)

The connectivity factor of the port in client-end-server decides the behavior of the incoming requests from various source ports in various cloud environments. The value of connectivity factor must lie between 0 and 100. If the computed connectivity factor is not in the range, then the client-end-server system performance is low and there may be number of malicious requests.

Step 4: Find the similarity difference index of the individual port as stated in below equation as:

$$D_i=\frac{E_i+r_i}{\left(C_i-1\right)\times N}$$

(5)

The similarity index shows the resemblance of the received requests in different individual port at client-end-server system with respect to the energy index and rational factor. Low similarity index illustrates the impact of bots in the individual port and high similarity index illustrates the originality of the requests received from various domain networks.

Step 5: Find the minimum of similarity difference index as:

M = Min (D₁, D_2, D_3, D₄)

(6)

If M is Di, then the request received from port i of the client-end-server is affected by bot.

3.2. Back-Off Trust Features

The collective probability of the packet delivery rate for the distinct peer in P2P network is:

$$\phi ={\displaystyle \sum }_{i=1}^N{\phi }_i$$

(7)

where ${\phi }_i$ is the possibility of packet delivery rate.

The heuristic bandwidth of the centralized peer in P2P network is:

$$B_c=N\times R$$

(8)

where R is the streaming rate of the centralized peer and N is the over-all number of peers adjacent to the centralized peer.

The heuristic bandwidth of the individual peer in P2P network is:

$$B_i=\phi \times N\times U$$

(9)

where U is the exponential distribution rate and its well-defined as:

$$U=\frac{\mathsf{\lambda }}{\mathsf{\lambda }+\gamma }$$

(10)

where the arrival rate is characterized as $\mathsf{\lambda }$ and delivery rate is characterized as$\gamma$.

The trust feature of the individual peer is constructed on the heuristic bandwidth of the centralized and individual peer in P2P network and it is calculated as:

$$T_f=B_c-B_i$$

(11)

3.3. Classification

In this paper, Co-Active Neuro Fuzzy Expert System (CANFES) is used as classifier to classify the input service request from client-end-user. The internal architecture of CANFES classifier is given in the following Figure 4.

This CANFES classification architecture [17] consists of a single input layer, 3 hidden layers and single output layer. The input layer keeps the number of extracted features and passes this information to the next level hidden layer, which can be constructed by 15 neurons. The weight level of each neuron in each hidden layer is adaptive and its value is changed in accordance with the input extracted features. The neuron in output layer produces the output pattern by summing up all the index values which are obtained from the previous hidden layer. CANFES architecture can be operated in two modes as training the input features of the client-end-user requests and produces trained patterns. The similar CANFES architecture is now getting input features from real time client end user requests. These feature sets are classified against with trained patterns thus, produces classified responses either trusty or non-trusty requests. This CANFES architecture have inbuilt fuzzy rules as unsupervised form. This architecture has three internal layers whereas the first layer is the input layer which receives input features from the client end user and the second layer is a hidden layer. Third layer is the output layer which is responsible for producing an output. Each layer has number of neurons which are trained by weight factor. In this paper, 2 neurons are set in the input layer which directly receives the features in both training and classification mode. The hidden layer has 10 neurons after several levels of training to get an optimum response. The output layer has been operated with a single neuron, which produces an output as either low or high. Low values indicate that the request from the client-end-user is fake and high values indicate that the request from client-end-user is trusty. In Figure 4, weights of the fuzzy membership functions are represented by w1 and w2, the fuzzy rules are represented by A1, A2, B1 and B2. In this paper, the triangular membership function is used as a membership function.

4. Result Discussion on Performance Analysis

The suggested bots detection system’s performance in a cloud environment is evaluated using the cloudsim simulator [18] in terms of latency and malicious packet detection rate as a function of network node or computer count.

Table 1. Initial Network parameters system.

Constraints	Preliminary Value
Determined packets	1500
Throughput	100 kb/s
Energy consumption	100 mJ per cycle
Total no. LANs	2
No. of computers in Each LAN	25
Total no. WAN s	2
No. of computers in Each LAN	30

shows the simulation tool’s starting configuration. The maximum number of packets per client-end-user employed in this work is 1500, and each node or computer transfers packets at a rate of 100 kb/s with a 100 mJ per cycle energy consumption.

4.1. Latency

It defines the time taken by the designed bot detection system architecture to identify the suspicious requests which are passing through the client-server unit. It is measured in milliseconds. The latency is computed using the following formula:

Latency = time request received in server − request generated in client

(12)

For a better network environment, latency should be low.

Table 2. Initial Network parameters system.

No. of Bots	Latency (ms)
10	2.17
20	3.92
30	4.18
40	7.39
50	8.72
60	9.01
70	9.47
80	10.76
90	12.84
100	14.74

defines the latency of the projected bot detection architecture for dissimilar number of client-end-users. The latency will be amplified when the number of bots surges. The latency of the projected system is 2.17 ms when there are 10 numbers of bots in the system. The latency of the proposed system is 14.74 ms when there are 100 numbers of bots in the system.

Figure 5 shows the graphical illustration of the latency analysis for the proposed system architecture using Similarity Index Algorithm.

4.2. Malicious Packet Detection Rate

It specifies the pace at which the proposed bot detection system detects malicious requests. It is the proportion of harmful requests detected by the proposed system to the total number of malicious requests in the cloud. It is given in the following equation as:

$$\mathrm{PDR}=\frac{\mathrm{nMalicious}}{\mathrm{nSentPackets}} \ast 100\%$$

(13)

where nMalicious = Number of malicious requests detected; nSentPackets = Number of sent packets.

It is expressed as a percentage. For a better cloud environment, the detection rate should be high as explained in

Table 3. Analysis of malicious packet detection rate.

No. of Bots	Detection Rate (%)
10	98
20	97
30	96
40	95
50	94
60	93
70	92
80	91
90	89
100	87

. The detection rate of the suggested system design for varied numbers of bots is shown in Table 3. As the number of bots grows, the detection rate will decrease. When there are ten bots in the suggested system, the detection rate of the proposed system is 98 percent. When there are 100 people, the proposed system has a detection rate of 87 percent, 100 bots in the proposed system are depicted in Figure 5.

Figure 6 shows the graphical illustration of the malicious packets detection rate analysis for the proposed system architecture using Similarity Index Algorithm.

Table 4. Analysis of malicious packet detection rate.

Organizations	Latency (ms)	Detection Rate (%)
Proposed methodology	14.74	87
Subramaniam et al. (2016) [12]	17.54	81
Omar Y et al. (2016) [15]	18.95	85
Dilara et al. (2019) [11]	19.38	80

compares the proposed bot detection system to existing approaches such as Subramaniam et al. (2016) [12], Omar Y et al. (2016) [15], and Dilara et al. (2019) [11]. The proposed firewall system has a latency of 14.74 milliseconds and an 87 percent detection rate, whereas conventional methodologies such as Subramaniam et al. (2016) [12] had a latency of 17.54 milliseconds and an 81 percent detection rate, Omar Y et al. (2016) [15] had a latency of 18.95 milliseconds and an 85 percent detection rate, and Dilara et al. (2019) [11] had a latency of 19.38 milliseconds.

4.3. Packet Delivery Ratio (PDR)

The number of packets correctly received in each node of the system is defined as PDR. It is the ratio between number of packets correctly received and the total number of packets sent and it is measured in terms of percentage. It is given in the following equation as:

$$\mathrm{PDR}=\frac{\mathrm{nReceivedPackets}}{\mathrm{nSentPackets}} \ast 100\%$$

(14)

where nReceivedPackets = Number of received packets; nSentPackets = Number of sent packets.

The performance of the suggested bot net detection system is assessed in terms of PDR for different bots 10, 20, 30, 40, 50, and 60 in this proposed work.

Table 5. Comparisons of PDR using CANFES training.

Number of Bots	PDR (%)
	Proposed Method	Subramaniam et al. (2016) [12]	Omar Y et al. (2016) [15]	Dilara et al. (2019) [11]
10	99.1	96.2	95.1	92.5
20	98.7	95.1	94.6	91.6
30	97.6	92.1	93.2	87.6
40	96.5	87.6	91.7	85.3
50	94.7	85.4	86.9	82.7
60	93.1	84.2	85.4	79.9
Average	96.6	90.1	91.1	86.6

shows performance comparisons of the proposed botnet detection method with standard solutions.

Figure 7 shows the graphical comparisons of the PDR for the proposed botnet detection system with respect to conventional systems as Subramaniam et al. (2016) [12], Omar Y et al. (2016) [15] and Dilara et al. (2019) [11]. It is very clear from the figure; the proposed botnet detection and classification system achieves high PDR when compared with other conventional bots detection system.

4.4. Energy Availability

During the bot identification process, each node in the cloud system consumes a specific amount of energy. When the number of bots in the system grows, the amount of energy available decreases. Each node’s starting energy is set to 1500 J. Comparisons of energy availability for bots 10, 20, 30, 40, 50, and 60 are shown in

Table 6. Comparisons of Energy utilization.

Bots Affected Nodes	Energy Availability (mJ)
	Proposed Method	Subramaniam et al. (2016) [12]	Omar Y et al. (2016) [15]
10	1456	1382	1328
20	1398	1298	1201
30	1291	1196	1097
40	1109	998	953
50	986	956	876
60	964	921	810
Average	1200.6	1125.1	1044.1

.

Figure 8 shows the graphical comparisons of the energy availability for the proposed botnet detection system with respect to conventional systems as Subramaniam et al. (2016) [12] and Omar Y et al. (2016) [15]. It is very clear from Figure 7, the proposed botnet detection and classification system achieves high energy availability when compared with other conventional bot detection systems.

4.5. Precision

It is defined as the ratio of the number of packets recovered that are relevant to the number of packets that are irrelevant. It is expressed as a percentage. When the degree of precision is high, the proposed system performs well. As shown in

Table 7. Comparisons of Precision.

Bots Affected Nodes	Precision (%)
	Proposed Method	Subramaniam et al. (2016) [12]	Omar Y et al. (2016) [15]
10	98	96	97
20	95	94	92
30	91	90	89
40	89	87	86
50	87	86	84
60	85	82	81
Average	90.8	89.1	88.1

, the proposed system performs poorly when the precision value is low.

Figure 9 shows the graphical comparisons of the precision for the proposed botnet detection system with respect to conventional systems as Subramaniam et al. (2016) [12] and Omar Y et al. (2016) [15]. It is very clear from Figure 8, the proposed botnet detection and classification system achieves high precision when compared with other conventional bots detection system.

5. Conclusions

In this proposed work, bots affected client-end-server in cloud environment is identified using CANFES classification approach. This proposed approach consists of port access verification, feature extraction and classification modules. The back-off features are extracted from each client-end-user request. The CANFES classifier is used to train and classify all of these retrieved features. By comparing the performance of the proposed Trust Model with CANFES Classification Approach with the existing the conventional methodologies as Subramaniam et al. (2016) [12], Omar Y et al. (2016) [15], Dilara Z et al. (2019) [11], the dominance of the proposed construction is validated. The comparison results prove that the suggested architecture provides optimal Latency, Malicious Packet Detection Rate, Packet Delivery Ratio (PDR), Energy Availability and Precision.

The future scope of this research work can be pointed out as following.

• The efficiency of the proposed bot detection methodology in the cloud environment will be improved by detecting and mitigating dead and selfish nodes.
• The security of the botnet detection system will be improved by implementing various cryptographic techniques at both client and server end.
• The bots and bot master detected ratio will be increased by implementing optimization techniques such as Genetic Algorithm (GA) and Particle Swarm Optimization (PSO) technique. These optimization techniques select the optimum feature set from the set of extracted features which increases the detection ratio of the bots and bot master in cloud environment.