Introduction
Since internet communications became ubiquitous, connected devices have been exposed daily to hundreds of cyber attacks of several kinds (Elrawy et al. 2018, Thonnard et al. 2012). With the emergence of the Internet of Things (IoT), the number of cyber attacks has multiplied many times over, with growth peaking at 600% in 2017 (Gary 2019, Elrawy et al. 2018). One of the most important reasons for this intense harmful activity is the emergence of a new profile of hackers. Indeed, in recent years attacks have been performed for lucrative reasons (Zargar et al. 2013, Thonnard et al. 2012), which has produced a large community of hackers who build and use botnets, and eventually rent or sell them on the internet.
According to the 2019 report of Edge Scan (Keary 2019), dozens of security holes are discovered every day, leaving computers and devices in the core of the internet or in the IoT vulnerable and allowing hackers to overcome defense mechanisms and conduct attacks against such systems. Researchers and professionals in the security field are continuously called upon to propose new solutions for the new schemes of attacks, which are now mostly distributed. Typically, Distributed Denial of Service (DDoS) and spamming attacks are performed with a large set of compromised computers, forming a botnet, against a given victim connected to the internet. For most of the novel network-based intrusions, it is hard to decide, on a single host, whether a given event, such as a port scan, is part of a wider process that consists of attempting to build a network of zombies for future attacks such as DDoS, spamming, and password cracking (Khan et al. 2019, Khoshhalpour and Shahriari 2019, Mohaisen et al. 2019).
To deal with this problem, several computers and devices interconnected within an ad hoc network can collaborate. These hosts have to exchange security information, in particular information concerning the building of botnets, based on knowledge of the botnet lifecycle. This makes it possible to establish whether a botnet is currently being installed on the network.
Because of their distributed nature, botnets are hard to detect, and several works continue to propose new approaches to deal with this issue. Recently, some authors have opted for hybrid methods, where several mechanisms are used and data are gathered from different sites, aiming to enhance detection accuracy and minimize false positives (Almutairi et al. 2020, Wang et al. 2020). Earlier, authors classified botnet detection according to where data and events are gathered and how they are analyzed. This aspect of the proposed systems splits methods into host-based (Yu et al. 2012, Masu et al. 2008), network-based (Liu et al. 2008, Gu et al. 2008, Karasaridis et al. 2007, Gu et al. 2007), and machine learning-based (Khan et al. 2019, Zhang et al. 2011, Saad et al. 2011), in addition to hybrid methods, where two or more techniques are combined. Botnet detection methods can also be model-based, when they proceed by detecting abnormal behaviors or events. In contrast, other methods proceed by data traffic analysis, mainly using machine-learning techniques, to detect suspicious data patterns.